Based on what I understand, those that test malware do it in a VM logging and redirecting all queries to external domains, in order to identify possible command and control hosts.
As a response, malware writers add checks for nonexistent domains. If, say, 5 domains known to be fake suddenly start replying, then the malware assumes that it's being executed inside a VM and stops doing anything, in order not to give researchers any clues. This malware just happened to check a single domain.
Oh right, I was under the impression it checked the domains as a kill switch, not as a VM check? I.e. if this domain is up and responding, don't do anything.
As I could easily run it in a VM and not redirect any traffic
Edit: just read this ...
In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried it will respond as if it were registered (which should never happen).
Remember the guy who created Silk Road. People talked about him in mythical terms, that he probably had the op-sec of God, but afterwards facts pointed to major mistakes, like connecting identities to his real name, and suddenly everybody was like "how can he be so stupid, doing this while being the owner of a $100 mil criminal empire".
It's a classic asymmetry: the defender needs to defend all the time, the hacker just needs to get in once. Ditto op-sec, the hacker needs to keep their identity protected at all times, the security services only need to connect the dots once.
Yet as far as I remember he leaked his identity long before anyone even knew Silk Road was even a thing. And someone behind this botnet certainly knew what scale it was going to have before they started it.
In this context criminals are a person or persons who have created ransomware which, in less than three days, has infected more than 230,000 computers in 150 countries, demanding ransom payments in bitcoin in 28 languages.
The meth dealer two houses down who serves people out of his front window probably isn't thinking straight. What we're dealing with here is a different category of thinking.
Not criminals who get caught, no. A good "criminal" is invisible and manages to get away with their crime. These aren't people you hear about, because then they'd be failures.
The whole point of this "kill switch" is that it’s NOT registered. The malware uses it to detect if it runs in the sandbox, as researchers often make all DNS requests succeed in their sandbox. Checking for a domain known to be unregistered is one way of checking that.
It's not about the registration status of the domain. It is about an HTTP request succeeding. The same functionality could be achieved by using a valid registered domain with server not listening on the desired port.
How trivial it would be to append a random number at the end, or otherwise randomise it just a little bit... Quite lucky the programmer didn't think this one through.
Yes, in another thread someone mentioned a trojan that hit five randomly-generated hostnames and, if they all resolve to the same IP, assumes it's running in a sandbox.
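To make the sandbox side effect quoted earlier concrete, here is an added example (not code from any poster or from a real sandbox product) that models the two resolver policies as pure functions and gives a sandbox operator a self-check for the tell described in this last comment: several random hostnames all answering with one IP. The registry set, the sinkhole address and the random-name format are constructed placeholders.

```python
import random
import string

# Constructed sample data: a tiny stand-in for "domains we know are really
# registered" and the address the sandbox hands out for redirected lookups.
KNOWN_REGISTERED = {"example.com", "example.net"}
SINKHOLE_IP = "10.0.0.53"  # placeholder sandbox address


def naive_sinkhole(name: str):
    """Policy described in the thread: every lookup, registered or not,
    is answered with the sandbox IP. Unregistered names 'exist', which is
    the behaviour real DNS never shows."""
    return SINKHOLE_IP


def selective_sinkhole(name: str):
    """Hardened policy: only names with a known registration are redirected;
    anything else gets NXDOMAIN, modelled here as None."""
    return SINKHOLE_IP if name in KNOWN_REGISTERED else None


def random_hostname(rng: random.Random, length: int = 16, tld: str = "com") -> str:
    """Constructed random label, the kind a DGA or a sandbox probe would use."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(length))
    return f"{label}.{tld}"


def leaks_sandbox_tell(resolve, count: int = 5, seed: int = 0) -> bool:
    """Sandbox self-check: ask `resolve` for `count` random hostnames.
    Returns True if the policy leaks the tell from the thread, i.e. every
    made-up name resolves and all of them resolve to the same address.
    A single NXDOMAIN (None) is enough to break that pattern."""
    rng = random.Random(seed)  # fixed seed keeps the check reproducible
    answers = {resolve(random_hostname(rng)) for _ in range(count)}
    return None not in answers and len(answers) == 1


if __name__ == "__main__":
    for policy in (naive_sinkhole, selective_sinkhole):
        print(f"{policy.__name__}: leaks tell = {leaks_sandbox_tell(policy)}")
```

The trade-off the thread hints at: answering NXDOMAIN for unknown names also means the sandbox will not capture traffic to C2 domains it has no registration data for, so a real deployment would decide "registered or not" with a live upstream lookup rather than a static set.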