
Trend Micro (TrendMicro), File Infector Uses Domain Generation Technique Like DOWNAD/Conficker

by 잡다한 처리 2010. 10. 8.


Trend Micro, a global security vendor, has disclosed the discovery of malware that uses the domain generation technique previously seen in Conficker.


Trend Micro has received reports from users about a new, dangerous file infector. This threat, detected as PE_LICAT.A, uses a domain generation algorithm, a technique last seen in WORM_DOWNAD/Conficker variants. This technique allows the file infector to download and execute malicious files from various servers on the Internet.

Like WORM_DOWNAD, PE_LICAT.A generates a list of domain names from which it downloads other malicious files. The domain name generation function is based on a randomizing function, which is computed from the current UTC system date and time. This particular randomizing function returns different results every minute.

According to Escalation Engineer Alvin Bacani, whenever a file infected by PE_LICAT.A is executed, the malware generates a pseudorandom domain name, with the exact value depending on the system’s time. It then tries to connect to the said domain name. If it is successful, it downloads and executes the file at that pseudorandom URL. If not, it tries up to 800 times, generating a “new” URL every time. This helps ensure that the malware will be able to keep itself updated and even if one or more domains are taken offline, others can take its place.

Systems that are infected and synchronized to the current UTC date and time will compute and contact the same set of domain names.

Based on PE_LICAT.A’s code, the downloaded files are first validated before being executed, which is the same technique WORM_DOWNAD employed. Users whose systems have been infected are at risk of downloading more malicious files onto their systems every time PE_LICAT.A is executed.
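To illustrate the defender-side consequences of the behaviour described above, here is an added example (not Trend Micro's code and not PE_LICAT.A's real algorithm, which the write-up does not give): a constructed stand-in generator that only reproduces the stated properties (seeded from the UTC minute, up to 800 candidates, identical output on synchronized hosts, reserved `.example` TLD), a pre-computed blocklist for a time window, and an algorithm-independent detector that flags a host producing a burst of NXDOMAIN answers in one minute from constructed DNS log lines.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the generator the write-up describes (UTC-seeded,
# changes every minute, up to 800 candidates per run). It is NOT PE_LICAT.A's
# real algorithm; it only mirrors the stated properties. Uses the reserved
# .example TLD so no generated name can resolve on the real Internet.
def candidate_domains(when_utc, count=800):
    minute = when_utc.astimezone(timezone.utc).strftime("%Y%m%d%H%M")
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{minute}:{i}".encode()).hexdigest()
        out.append(f"{digest[:12]}.example")
    return out

# Defender view: because synchronized hosts compute the same set, a defender
# who has reversed the algorithm can pre-compute every candidate for a time
# window and feed it to a DNS blocklist or sinkhole ahead of time.
def blocklist_for_window(start_utc, minutes, count=800):
    names = set()
    for m in range(minutes):
        names.update(candidate_domains(start_utc + timedelta(minutes=m), count))
    return names

# Behavioural detection that needs no knowledge of the algorithm: a host that
# walks a list of pseudorandom names produces a burst of NXDOMAIN answers
# within a single minute. Constructed log format: "<ISO ts> <client> <qname> <rcode>".
def nxdomain_bursts(log_lines, threshold):
    per_client_minute = defaultdict(int)
    for line in log_lines:
        ts, client, _qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            per_client_minute[(client, ts[:16])] += 1  # ts[:16] = YYYY-MM-DDTHH:MM
    return sorted({c for (c, _m), n in per_client_minute.items() if n >= threshold})

# Constructed sample: 10.0.0.5 hammers through candidates, 10.0.0.9 is normal.
SAMPLE_MINUTE = datetime(2010, 10, 8, 9, 15, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [f"2010-10-08T09:15:{s:02d}Z 10.0.0.5 {d} NXDOMAIN"
     for s, d in enumerate(candidate_domains(SAMPLE_MINUTE, 20))]
    + ["2010-10-08T09:15:30Z 10.0.0.9 www.example NOERROR",
       "2010-10-08T09:15:31Z 10.0.0.9 mail.example NXDOMAIN"]
)

if __name__ == "__main__":
    print(nxdomain_bursts(SAMPLE_LOG, threshold=10))  # ['10.0.0.5']
```

The threshold in `nxdomain_bursts` is the tuning knob: a generator that retries up to 800 times per run sits far above the handful of failed lookups an ordinary workstation produces per minute.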

Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™, which detects and blocks the said file infector from running.

Analysis of this threat is ongoing and further details will be provided when they become available.

