What is DGA

A domain generation algorithm (DGA) is code inside malware that periodically produces a large set of candidate domain names for reaching its command-and-control servers; the attacker, who knows the algorithm and its seed, registers only a few of them ahead of time. In the past, attackers maintained a static list of malicious domains, and defenders could take that list and start blocking and taking down those sites. By generating the list with an algorithm instead, attackers make it much harder for defenders to know or predict which domains will be used. To recover the list of domains the malware will try, defenders have to reverse-engineer the algorithm and its seed, which can be difficult.

Even then, taking down the sites that DGA-based malware will use is a challenge, because defenders have to work with registrars and ISPs to take down or sinkhole the malicious domains one at a time.

Many DGAs generate hundreds or even thousands of candidate domains, and the domains that are actually registered are often live for only a short time. The technique is an important piece of how modern malware tries to evade security products and countermeasures: a DGA was a key component of the Conficker attacks and part of their success. Because a DGA is a technique that fuels malware attacks, the measures that help prevent malware in general also help prevent DGA-fueled attacks.

In addition, new technologies are being developed that counter DGA-fueled attacks more directly, particularly for organizations. Without the algorithm and its seed, predicting the domains in advance is impossible, and most filtering solutions cannot generate block lists dynamically. Law enforcement and government agencies from across the world, including the FBI, have attempted to take control of these domains at the source by going after the registrars, as seen in Operation Tovar.

But even government organizations have limits to their power. Gaining access at the TLD name servers requires spending a great deal of time and effort to obtain a warrant, which in that case had to be renewed every six months.

Some researchers have tried to detect algorithmically generated domains by their patterns (character distribution, length, pronounceability) without knowing the algorithm in advance, with moderate success. The problem with this approach is two-fold. First, there is a strong chance of false positives: many legitimate services use load-balancer, CDN and other strange-looking hostnames, and because DGA traffic is a tiny fraction of all DNS traffic, even a detector with a low false-positive rate will flag far more legitimate names than malicious ones.

Such domains cannot be caught by traditional signature-based methods. We describe these variants and the outcome of our investigation below.

A Russian malware using an unknown DGA

Mechanism of Action: Each day, 35 domains are generated by randomly selecting seven letters and suffixing them with one of two top-level domains. The malicious code usually injects itself into the explorer process. This seems to be the same DGA as one found in an unnamed malware analyzed by CrowdStrike.

The second family uses a different scheme. Mechanism of Action: Domains are generated by randomly choosing two English words from a hard-coded list and concatenating them under a single top-level domain.

With a hard-coded list of n words there are n² ordered pairs, so even a list of a few hundred words yields tens of thousands of candidate domains. The difficulty in detecting this simple algorithm is that the domains do not look randomly generated, and the common words it uses appear in many legitimate domain names. Moreover, this malware appears to use several different word lists; by simply replacing the list, the attackers can completely evade detection tuned to the old one.
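The two mechanisms above, together with the pattern-based detection approach discussed earlier, as an added example in Python that is not code from the original article or from any of the malware families it describes. Everything concrete in it is an assumption chosen for illustration: the SHA-256 counter-mode stream used as the PRNG, the alphabet, the TLDs, the word list, the entropy and vowel-ratio thresholds, and the sample hostnames. The toy DGAs reproduce the shapes described (35 random seven-letter labels per day under one of two TLDs; two dictionary words concatenated under one TLD); precompute_blocklist shows what a defender can do once the algorithm and its date seed are known; looks_generated is a pattern-only detector that flags most of the random-letter family, misses the word-pair family entirely, and produces a false positive on a constructed load-balancer style hostname.

```python
"""Added example, not code from the original article or from any malware family
it describes. Two toy DGAs, a defender-side block-list pre-computation, and a
pattern-only detector. All constants are assumptions chosen for illustration."""
from __future__ import annotations

import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Assumed values; the page does not preserve the real TLDs or word list.
TLDS_RANDOM = (".ru", ".net")
TLD_WORDS = ".com"
WORDS = ("secure", "update", "mail", "cloud", "service", "account", "login",
         "portal", "data", "media", "office", "store", "online")


def _byte_stream(seed: bytes):
    """SHA-256 in counter mode as a toy deterministic PRNG (illustrative, not any
    real family's generator). Whoever knows `seed` can replay the whole stream."""
    counter = 0
    while True:
        for b in hashlib.sha256(seed + counter.to_bytes(4, "big")).digest():
            yield b
        counter += 1


def dga_random_letters(day: date, count: int = 35, length: int = 7) -> list[str]:
    """Style of the first family: per-day random-letter labels under either TLD.
    The calendar date is the only seed, so every day's list is reproducible."""
    rnd = _byte_stream(b"letters:" + day.isoformat().encode())
    domains = []
    for _ in range(count):
        label = "".join(chr(ord("a") + next(rnd) % 26) for _ in range(length))
        domains.append(label + TLDS_RANDOM[next(rnd) % len(TLDS_RANDOM)])
    return domains


def dga_word_pairs(day: date, count: int = 35, words: tuple[str, ...] = WORDS) -> list[str]:
    """Style of the second family: two words from a hard-coded list, concatenated.
    len(words) ** 2 ordered pairs are possible; replacing the list silently
    defeats any detector or block list built from the old one."""
    rnd = _byte_stream(b"words:" + day.isoformat().encode())
    return [words[next(rnd) % len(words)] + words[next(rnd) % len(words)] + TLD_WORDS
            for _ in range(count)]


def precompute_blocklist(start: date, days: int) -> set[str]:
    """Defender side, once the algorithm and seed are reversed: enumerate every
    domain the sample will try over a window, for blocking, sinkholing or
    pre-registration. Pattern matching is only the fallback when this is not possible."""
    block: set[str] = set()
    for offset in range(days):
        block.update(dga_random_letters(start + timedelta(days=offset)))
    return block


def shannon_entropy(text: str) -> float:
    """Character entropy in bits; 7 distinct letters give log2(7) = 2.807."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_generated(domain: str, min_entropy: float = 2.5, max_vowel_ratio: float = 0.3) -> bool:
    """Pattern-only heuristic with no knowledge of any algorithm: flag a leftmost
    label that has high character entropy and few vowels. Thresholds are assumed."""
    label = domain.split(".")[0]
    if not label:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


# Constructed sample of legitimate hostnames, including a load-balancer style
# name of the kind the text blames for false positives.
LEGIT_SAMPLE = ("www.example.com", "mail.example.com", "k7hq2zwp4d.lb.example.com")


def flagged_fraction(domains) -> float:
    """Share of the given domains that the heuristic flags."""
    domains = list(domains)
    return sum(looks_generated(d) for d in domains) / len(domains)


if __name__ == "__main__":
    today = date(2024, 1, 15)  # any fixed date; output is deterministic for it
    letters, words = dga_random_letters(today), dga_word_pairs(today)
    print("random-letter DGA, flagged fraction:", flagged_fraction(letters))
    print("word-pair DGA,     flagged fraction:", flagged_fraction(words))
    for host in LEGIT_SAMPLE:
        print(f"{host:30} flagged={looks_generated(host)}")
    print("7-day block list size:", len(precompute_blocklist(today, 7)))
```

Run it as a script to see the flagged fractions. The word-pair output is never flagged because every word in the assumed list is at least one-third vowels, which is exactly the evasion the text describes, while the constructed load-balancer name is flagged despite being legitimate; the block list, by contrast, is exact because it comes from the reversed algorithm rather than from statistics.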

A nasty backdoor malware

Mechanism of Action: Randomly generated strings of eight to 20 characters, suffixed with one of many exotic top-level domains. Spreading the domains across many registries makes it harder for law enforcement agencies to take them down.

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. What does it do?

There is no limit to the variety of DGA algorithms or to how they are implemented in malware. Some are simple and easy to reverse engineer; others are very complex, run inside custom virtual machines to resist analysis, and use elaborate seed and data generation.

Rather than using the date as a time-based seed, some use data from trending topics on Twitter or Reddit, newspaper headlines or any other external source. Because the seed is not known until the moment of generation, defenders cannot pre-compute the domains, and a sandbox cut off from the live internet cannot supply the seed the malware expects. This is sometimes combined with resolving known malicious or sinkholed domains to check whether the environment is a sandbox that answers every DNS query.
