
The Great DGA of Sphinx

Dennis Schwarz


This post takes a quick look at Sphinx’s domain generation algorithm (DGA). Sphinx, another Zeus-based banking trojan variant, has been around since circa August 2015. The DGA domains are used as a backup mechanism for when the primary hardcoded command and control (C2) servers go down. It is currently unknown to us which version added the DGA functionality.

This sample was used for analysis and it is version

Domain Generation Algorithm

The algorithm isn’t particularly complicated. It uses the current date as the starting seed and performs some arithmetic on it to generate the individual domain characters. Once 16 of them have been generated it tacks on the TLD, “.com” in this case. Here is an IDA screenshot of the function:


A proof of concept Python implementation will be available on the Arbor ASERT GitHub here. The DGA code can be used to determine the domains for a given date. For example, here are the first few domains for 2016-10-13:

  • lglfxpoxekhxiipc[.]com
  • baehyfffjlsnxudr[.]com
  • jsyokakduvaaiqbf[.]com
  • pnllaldgvykyachp[.]com
  • oyiwnbmfkchgqbpy[.]com

DGA Characteristics

  • Backup command and control mechanism
  • Domains change daily
  • The number of daily domains is 128
  • The length of the domain is 16 characters
  • We currently haven’t seen any variation (constants, TLDs, etc.) between samples, so the DGA domains may be global to the family rather than campaign/customer specific

Using this classification system, this DGA could be classified as Time-Dependent, Deterministic, and Arithmetic-based, or TDD-A.
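As an added illustration of the TDD-A class just described (not Sphinx’s code and not the ASERT proof of concept), the block below has the shape the post lists: the calendar date is folded into a seed, a per-character arithmetic step picks letters, 16 of them are generated, “.com” is appended, and this is repeated 128 times for the day. The seed folding and the LCG constants are stand-ins chosen for the example, so the domains it prints are not the real Sphinx domains. The defender-side functions show why a deterministic date-seeded DGA is useful to the other side: the whole domain set for a window of days can be computed in advance and turned into a blocklist or DNS watch list.

```python
"""Schematic time-dependent, deterministic, arithmetic (TDD-A) DGA.

Added illustration, not Sphinx's algorithm: the shape follows the
characteristics listed in the post (date seed, 128 domains per day,
16 lowercase characters, ".com"), but the seed folding and the LCG are
stand-in arithmetic and the output is NOT the real Sphinx domain set.
"""
import datetime
from typing import List, Set

DOMAINS_PER_DAY = 128   # from the post
DOMAIN_LENGTH = 16      # from the post
TLD = ".com"            # from the post


def seed_for_date(day: datetime.date) -> int:
    """Fold the calendar date into a 32-bit seed (stand-in formula)."""
    return ((day.year << 16) ^ (day.month << 8) ^ day.day) & 0xFFFFFFFF


def generate(iso_date: str, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Domains for one day ("YYYY-MM-DD"); the same date always yields
    the same list, which is what makes the DGA predictable for defenders."""
    state = seed_for_date(datetime.date.fromisoformat(iso_date))
    domains = []
    for _ in range(count):
        chars = []
        for _ in range(DOMAIN_LENGTH):
            # One 32-bit LCG step (glibc-style constants, used here only as
            # a stand-in for the real arithmetic); high bits pick a letter.
            state = (state * 1103515245 + 12345) & 0xFFFFFFFF
            chars.append(chr(ord("a") + (state >> 16) % 26))
        domains.append("".join(chars) + TLD)
    return domains


def precompute_blocklist(start_iso: str, days: int) -> Set[str]:
    """Defender side: every domain the DGA will try over a window of days,
    computable before any bot asks for them."""
    start = datetime.date.fromisoformat(start_iso)
    block: Set[str] = set()
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        block.update(generate(day.isoformat()))
    return block


def is_dga_domain(name: str, blocklist: Set[str]) -> bool:
    """Normalise a queried name (case, trailing dot) and look it up."""
    return name.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    for d in generate("2016-10-13")[:5]:
        print(d)
    print(len(precompute_blocklist("2016-10-13", 7)), "domains for the week")
```

Because the seed comes only from the date, a week of the real algorithm would be 7 × 128 = 896 names that can be registered, sinkholed or alerted on ahead of time; the bots’ clock skew is the one practical reason to also include the day before and after the window.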


Resolving the year-to-date domain space shows that the following domains had been registered, most of them pointing at sinkholes:

  • 2016-05-30 – damygjkrmpvcdnhb[.]com
  • 2016-06-01 – tdxhpthbrwouuyoq[.]com
  • 2016-06-02 – arhgjfxcxlxtonfr[.]com
  • 2016-06-16 – gfcjyvkteollejvy[.]com
  • 2016-06-22 – wuciitasvuhcyfuc[.]com
  • 2016-06-24 – wanocxudtloccpqm[.]com
  • 2016-06-24 – kfpuhvhirgyixier[.]com

To get a closer look, we set up our own sinkhole for a 2016-10-13 domain. Within a 24-hour window, 1230 unique source IP addresses phoned in. The geographical distribution of the IPs is as follows:


The top-10 TLDs were:


Brazil’s 24% share makes some sense in relation to the sample analyzed, as the webinjects used in that campaign were targeting four Brazilian financial institutions.

The sinkhole data also added more evidence that the DGA is global to the malware family and not campaign/customer specific. When the malware executes, the DGA domain will be formatted into a URL using the following template:

  • http://%s/%s.bin

The filename portion is populated from a configuration parameter stored in the base config. For the analyzed sample the value is “unique_name”; however, the sinkhole data reveals quite a few more values, each presumably belonging to a different customer build:

  • rude.bin
  • jh3ghjT4Fj42Rv.bin
  • unique_name.bin
  • update_64.bin
  • TEST1.bin
  • my_botnet.bin
  • my_de.bin
  • ccc01.bin
  • tempt.bin
  • deses.bin
  • axe1.bin
  • bbb01.bin
  • viktoria.bin
  • SH1.bin
  • tabooboy.bin
  • mexico.bin
  • cream17.bin
  • mone.bin
  • cream16.bin
  • u2.bin
  • ZEN.bin
  • znYD5cwHW7atoUt.bin
  • gucci1.bin
  • static.bin
  • rap0tor.bin
  • main_template.bin
  • ZeroCool.bin
  • catcher1.bin
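
The sinkhole evidence above rests on two pieces of log triage: keeping only requests whose Host is one of the sinkholed DGA domains and whose path matches the “http://%s/%s.bin” template, then counting unique source IPs overall and per .bin name. The block below is an added example of that triage (not ASERT’s tooling) over constructed log lines; it assumes an Apache vhost_combined-style layout with the host:port first, uses RFC 5737 test addresses, and the .bin names are taken from the list above.

```python
"""Triage of sinkhole web logs for a DGA domain.

Added example with constructed log lines; not ASERT's tooling. Assumes an
Apache "vhost_combined"-style line (host:port first), so a request is kept
only when the Host is a sinkholed DGA domain and the path matches the
malware's "http://%s/%s.bin" template. Everything else (scanners, crawlers,
other vhosts on the same sinkhole IP) is counted as noise.
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Two of the 2016-10-13 domains from the post, written without de-fanging.
SINKHOLED: Set[str] = {"lglfxpoxekhxiipc.com", "baehyfffjlsnxudr.com"}

# Constructed sample data (RFC 5737 test addresses); not real sinkhole traffic.
SAMPLE_LOG = """\
lglfxpoxekhxiipc.com:80 203.0.113.5 - - [13/Oct/2016:10:01:12 +0000] "GET /unique_name.bin HTTP/1.1" 200 12 "-" "Mozilla/4.0"
lglfxpoxekhxiipc.com:80 203.0.113.5 - - [13/Oct/2016:10:31:12 +0000] "GET /unique_name.bin HTTP/1.1" 200 12 "-" "Mozilla/4.0"
lglfxpoxekhxiipc.com:80 198.51.100.9 - - [13/Oct/2016:10:40:55 +0000] "GET /unique_name.bin HTTP/1.1" 200 12 "-" "Mozilla/4.0"
lglfxpoxekhxiipc.com:80 198.51.100.7 - - [13/Oct/2016:10:02:40 +0000] "GET /my_botnet.bin HTTP/1.1" 200 12 "-" "Mozilla/4.0"
baehyfffjlsnxudr.com:80 198.51.100.8 - - [13/Oct/2016:11:15:03 +0000] "GET /update_64.bin HTTP/1.1" 200 12 "-" "Mozilla/4.0"
lglfxpoxekhxiipc.com:80 192.0.2.44 - - [13/Oct/2016:12:00:00 +0000] "GET / HTTP/1.1" 200 12 "-" "masscan/1.0"
scanner.example:80 192.0.2.45 - - [13/Oct/2016:12:00:01 +0000] "GET /unique_name.bin HTTP/1.1" 200 12 "-" "curl/7.50"
"""

LINE_RE = re.compile(
    r'^(?P<host>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Path shape produced by the "http://%s/%s.bin" template: one segment + .bin
BIN_RE = re.compile(r'^/(?P<name>[^/?#]+)\.bin$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields for a well-formed line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def bot_name(path: str) -> Optional[str]:
    """Recover the config value the bot formatted into "%s.bin", if any."""
    m = BIN_RE.match(path)
    return m.group("name") if m else None


def summarise(log_text: str, sinkholed: Set[str]) -> Tuple[int, Dict[str, int], int]:
    """(unique bot IPs, unique IPs per .bin name, noise lines dropped)."""
    ips: Set[str] = set()
    per_name = defaultdict(set)
    noise = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        name = bot_name(rec["path"]) if rec else None
        # Drop unparseable lines, other vhosts, and non-template paths.
        if rec is None or rec["host"].lower() not in sinkholed or name is None:
            noise += 1
            continue
        ips.add(rec["ip"])
        per_name[name].add(rec["ip"])
    return len(ips), {n: len(s) for n, s in per_name.items()}, noise


if __name__ == "__main__":
    total, names, dropped = summarise(SAMPLE_LOG, SINKHOLED)
    print(f"{total} unique bot IPs, {dropped} noise lines dropped")
    for name, n in sorted(names.items(), key=lambda kv: -kv[1]):
        print(f"  {name}.bin: {n} IPs")
```

Two caveats apply to the numbers such a script produces: a unique-IP count is only a rough proxy for infections (NAT collapses many bots into one address, DHCP churn splits one bot across several), and a sinkhole IP attracts internet background scanning, which is why the Host and path filters matter before any per-name tally is read as “distinct customers”.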


This post examined the backup DGA used by the Zeus variant known as Sphinx and its activity as seen from a sinkhole. It is interesting that the DGA appears to be global to the entire malware family even though the malware is sold as a kit on underground forums to distinct customers. DGAs, even backup ones, give defenders a rare chance to get ahead of the curve and preemptively monitor and mitigate a threat.
