Fake DGA: Simda

We have recently analyzed a sample of Simda (a new version of Expiro). It features a fake domain generation algorithm (DGA): it generates domains but never actually uses them. The sample has 4 hard-coded IP addresses embedded, which it tries in turn as its command & control (C&C) server; if one server does not respond as expected, it moves on to the next IP address. In the HTTP request it sets the Host header to the randomly generated domain. This trick causes many automated analysis systems to show the domain name in their reports but not the IP address, because they take the Host header at face value. As the generated domain name is never resolved or contacted, it is useless as an indicator; the hard-coded IP addresses are what matters.

A look at the algorithm reveals that it uses the time stamp counter (read with RDTSC) as the seed, so the domain names are (more or less) genuinely unpredictable: unlike a date-seeded DGA, they cannot be pre-computed by defenders, which would matter if they were ever used.


Here are some example domains that appear in the linked sandbox report; all of them are unregistered:

report.o7o3179a1k931wsk.com
update.9ik8rgxkc3zlg0.com
update2.hpl4i1i6elvmn3.com

The linked article, however, associates Simda with Fake AV campaigns.

Below is a valid request from the infected machine to the hard-coded C&C 65.98.83.117; the TCP connection goes to the IP address while the Host header carries the generated domain:

[Screenshot: HTTP request from the infected machine to 65.98.83.117]

The 4 hard-coded C&C IPs are 65.98.83.117, 94.23.116.81, 74.82.216.6 and 95.141.38.173, hosted in different countries around the world:

[Map: GeoIP locations of the Simda C&Cs]
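The report-side fix for the trick described above, as an added example that is not code from the sample or from the original post: parse each captured HTTP request, keep the destination IP next to the Host header, and flag requests whose Host value never appeared in a DNS answer for that destination. The capture and the DNS answers below are constructed; the request paths and User-Agent strings are placeholders, and only the four C&C addresses are taken from the post.

```python
import re
from dataclasses import dataclass

# Hard-coded Simda C&C addresses from the post.
SIMDA_C2 = {"65.98.83.117", "94.23.116.81", "74.82.216.6", "95.141.38.173"}


@dataclass(frozen=True)
class HttpRequest:
    dst_ip: str
    method: str
    path: str
    host: str


HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def parse_request(dst_ip: str, raw: bytes) -> HttpRequest:
    """Parse the request line and Host header of a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    m = HOST_RE.search(headers)
    host = m.group(1).strip().decode("ascii", "replace") if m else ""
    # Drop an explicit port; the comparison is on the name only.
    if re.match(r"^[^:]+:\d+$", host):
        host = host.rsplit(":", 1)[0]
    return HttpRequest(dst_ip, method.decode(), path.decode(), host.lower())


def host_mismatches(requests, dns_answers):
    """Return requests whose Host header was never resolved to the destination IP.

    dns_answers maps a queried name (lower-case) to the set of A-record addresses
    seen in responses for it. A request whose destination no observed DNS answer
    links to its Host value is a direct-to-IP client, Host spoofing, or, as with
    Simda, a decoy Host header on a connection to a hard-coded C&C.
    """
    return [r for r in requests if r.dst_ip not in dns_answers.get(r.host, set())]


# Constructed sample data: one legitimate request and two Simda-style ones.
CONSTRUCTED_DNS = {"www.example.org": {"203.0.113.10"}}
CONSTRUCTED_CAPTURE = [
    ("203.0.113.10", b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
                     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("65.98.83.117", b"GET / HTTP/1.1\r\nHost: report.o7o3179a1k931wsk.com\r\n"
                     b"User-Agent: Mozilla/4.0\r\n\r\n"),
    ("94.23.116.81", b"POST / HTTP/1.1\r\nhost: update.9ik8rgxkc3zlg0.com\r\n"
                     b"Content-Length: 0\r\n\r\n"),
]


def triage(capture, dns_answers):
    """Flag Host/destination mismatches and mark destinations that are known C&Cs."""
    requests = [parse_request(ip, raw) for ip, raw in capture]
    return [
        {"dst_ip": r.dst_ip, "host": r.host, "known_c2": r.dst_ip in SIMDA_C2}
        for r in host_mismatches(requests, dns_answers)
    ]


if __name__ == "__main__":
    for hit in triage(CONSTRUCTED_CAPTURE, CONSTRUCTED_DNS):
        print(f"{hit['dst_ip']:<15} Host={hit['host']:<32} known_c2={hit['known_c2']}")
```

The check keys on the (destination IP, Host) pair rather than on the Host alone, which is exactly the information the sandbox reports mentioned above throw away; a report built this way lists the IP as the indicator and the unregistered domain as a decoy.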

It uses a blacklist of process image file names to detect security and analysis tools; if it finds one of them running, it does nothing:

cv.exe
irise.exe
IrisSvc.exe
wireshark.exe
dumpcap.exe
ZxSniffer.exe
Aircrack-ng Gui.exe
observer.exe
tcpdump.exe
WinDump.exe
wspass.exe
Regshot.exe
ollydbg.exe
PEBrowseDbg.exe
windbg.exe
DrvLoader.exe
SymRecv.exe
Syser.exe
apis32.exe
VBoxService.exe
VBoxTray.exe
SbieSvc.exe
SbieCtrl.exe
SandboxieRpcSs.exe
SandboxieDcomLaunch.exe
SUPERAntiSpyware.exe
ERUNT.exe
ERDNT.exe
EtherD.exe
Sniffer.exe
CamtasiaStudio.exe
CamRecorder.exe

There is also a list of blacklisted registry keys, which detects the same kind of tools through their installation footprint:

Software\CommView
SYSTEM\CurrentControlSet\Services\IRIS5 
Software\eEye Digital Security
Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
Software\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
Software\ZxSniffer
Software\Cygwin 
Software\Cygwin
Software\B Labs\Bopup Observer
AppEvents\Schemes\Apps\Bopup Observer 
Software\B Labs\Bopup Observer
Software\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1 
Software\Win Sniffer
Software\Classes\PEBrowseDotNETProfiler.DotNETProfiler
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
SYSTEM\CurrentControlSet\Services\SDbgMsg 
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
Software\Syser Soft
Software\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
Software\APIS32
Software\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
SYSTEM\CurrentControlSet\Services\VBoxGuest
Software\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
SYSTEM\CurrentControlSet\Services\SbieDrv 
Software\Classes\Folder\shell\sandbox 
Software\Classes\*\shell\sandbox
Software\SUPERAntiSpyware.com
Software\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
Software\SUPERAntiSpyware.com
Software\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
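For a sandbox operator the practical question is which of these checks an analysis VM would trip, since a single hit makes the sample stay dormant and the run produces nothing. The following is an added example, not code from the sample or from the original post: it matches a process listing and registry probes against the lists above. Only a subset of the two lists is embedded to keep it short (paste in the full lists from above). Three things are assumptions rather than facts from the post: that the sample compares image names case-insensitively and without the path, that it reads both HKLM and HKCU, and that a 32-bit sample on 64-bit Windows sees the WOW6432Node-redirected view of Software. The key_exists probe is injectable so the logic also runs off Windows.

```python
import csv
import subprocess

# Subset of the process image names and registry keys listed above;
# extend with the full lists from the post.
BLACKLISTED_PROCESSES = {
    "wireshark.exe", "dumpcap.exe", "tcpdump.exe", "windump.exe",
    "ollydbg.exe", "windbg.exe", "syser.exe", "regshot.exe",
    "vboxservice.exe", "vboxtray.exe", "sbiesvc.exe", "sbiectrl.exe",
    "sandboxierpcss.exe", "sandboxiedcomlaunch.exe", "superantispyware.exe",
}
BLACKLISTED_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark",
    r"Software\Cygwin",
    r"SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie",
    r"SYSTEM\CurrentControlSet\Services\SbieDrv",
    r"Software\Classes\*\shell\sandbox",
    r"Software\SUPERAntiSpyware.com",
]
# Assumption: the post does not say which hives the sample reads, so try both.
HIVES = ("HKLM", "HKCU")


def find_process_hits(image_names, blacklist=BLACKLISTED_PROCESSES):
    """Return blacklisted image names present in a process listing.

    Matching is case-insensitive and on the file name only, so a full path such
    as C:\\Program Files\\Wireshark\\Wireshark.exe still hits. That the sample
    compares this way is an assumption, not a fact from the post.
    """
    hits = set()
    for name in image_names:
        base = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in blacklist:
            hits.add(base)
    return sorted(hits)


def find_registry_hits(key_exists, blacklist=BLACKLISTED_KEYS, hives=HIVES):
    """Return 'HIVE\\subkey' for every blacklisted key that key_exists reports.

    key_exists(hive, subkey) -> bool is injected so the same logic can run
    against a recorded snapshot as well as against the live registry.
    """
    return sorted(f"{hive}\\{key}" for hive in hives for key in blacklist
                  if key_exists(hive, key))


def running_image_names():
    """Image names from `tasklist /FO CSV /NH`; empty when tasklist is unavailable."""
    try:
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return [row[0] for row in csv.reader(out.splitlines()) if row]


def winreg_key_exists(hive, subkey):
    """Live registry probe; False off Windows or when the key is absent."""
    try:
        import winreg
    except ImportError:
        return False
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, subkey):
            return True
    except OSError:
        return False


def audit(image_names=None, key_exists=winreg_key_exists):
    """Everything on this machine that would make the sample stay dormant."""
    procs = running_image_names() if image_names is None else image_names
    return {"processes": find_process_hits(procs),
            "registry": find_registry_hits(key_exists)}


if __name__ == "__main__":
    for kind, hits in audit().items():
        print(f"{kind}: {', '.join(hits) if hits else 'clean'}")
```

Run it inside the analysis VM before detonating; anything it lists (a leftover Wireshark install, the VirtualBox guest additions service, a Sandboxie driver) has to be renamed, uninstalled or hidden from the guest before the sample will do anything worth recording.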

There is also a report from ESET about the same malware family.

Simda downloads a native 64-bit executable when running on 64-bit Windows, and it carries a driver and a bootkit, Rovnix (also known as ZeroKit). The same bootkit was used by the Carberp gang.