Domain Generation Algorithms (DGA)

Domain generation algorithms (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. The large number of potential rendezvous points makes it difficult for law enforcement to effectively shut down botnets, since infected computers will attempt to contact some of these domain names every day to receive updates or commands. By using public-key cryptography, it is infeasible for law enforcement and other actors to mimic commands from the malware controllers, as some worms will automatically reject any updates not signed by the malware controllers.

For example, an infected computer could create thousands of domain names such as: http://www.<gibberish>.com and would attempt to contact a portion of these with the purpose of receiving an update or commands.

Embedding the DGA in the unobfuscated binary of the malware, instead of a list of domains previously generated by the command and control server(s), protects against a strings dump that could be fed into a network blacklisting appliance preemptively to restrict outbound communication from infected hosts within an enterprise.

The technique was popularized by the worm family Conficker.A and .B, which at first generated 250 domain names per day. Starting with Conficker.C, the malware would generate 50,000 domain names every day, of which it would attempt to contact 500, giving an infected machine a 1% chance of being updated every day if the malware controllers registered only one domain per day. To prevent infected computers from updating their malware, law enforcement would have needed to pre-register 50,000 new domain names every day.

Recently, the technique has been adopted by other malware authors. According to network security firm Damballa, the top 5 most prevalent DGA-based crimeware families are Conficker, Murofet, BankPatch, Bonnana and Bobax.

Example

def generate_domain(year, month, day):
    """Generates a domain name for the given date."""
    domain = ""

    # Each round scrambles the three date components with shifts and XORs,
    # then folds them into one letter in the range a-y (97 + 0..24).
    for i in range(16):
        year = ((year ^ 8 * year) >> 11) ^ ((year & 0xFFFFFFF0) << 17)
        month = ((month ^ 4 * month) >> 25) ^ 16 * (month & 0xFFFFFFF8)
        day = ((day ^ (day << 13)) >> 19) ^ ((day & 0xFFFFFFFE) << 12)
        domain += chr(((year ^ month ^ day) % 25) + 97)

    return domain

On January 7th, 2014, this method would generate the domain name intgmxdeadnxuyla, while the following day, it would return axwscwsslmiagfah. This simple example was in fact used by malware like CryptoLocker, before it switched to a more sophisticated variant.

Law enforcement agencies around the world are mounting an increased effort against cyber criminals, but they don't seem to get very far. Two recent reports explain why: gangs are using technology to rapidly and regularly change Internet addresses.

Security reporter Brian Krebs writes today of a botnet of hacked computers around the world that is effectively a criminal cloud hosting environment for a wide range of activity, including hosting stolen credit card shops.

Tipped off by security vendor RiskAnalytics, Krebs found that the system changes the Internet address (the DNS record) of each Web site roughly every three minutes. In a 12-hour test of one site, its DNS spat out more than 1,000 unique addresses.

Krebs quotes a RiskAnalytics official who estimates there are over 2,000 infected endpoints, mostly in Europe, behind the botnet. It feels, he said, "like a black market version of Amazon Web Services." That official says the malware that runs the botnet assigns infected hosts different roles: for example, more powerful systems might be used as DNS servers, while infected systems behind home routers may be infected with a "reverse proxy," which lets the attackers control the system remotely.

Separately, Cybereason issued a report last week saying attackers are increasingly turning to domain generation algorithms (DGAs), which generate large numbers of random Internet addresses to link to command and control servers. Gameover Zeus, for example, generated 1,000 domains every day, or 365,000 in one year, says the report. Attempting to block all these domains is hard for firewalls, network-filtering products and other security tools.

DGAs “are a near perfect communication method,” says the company. “They’re easy to implement, difficult to block, almost impossible to predict in advance, and can be quickly modified if the previously used algorithm becomes known.”

Creators use a number of techniques, the company says: one generates domains by randomly selecting seven letters, suffixing them with either the .ru or the .com top-level domain and prefixing them with the word "five" followed by a number (for example, five14.aheegdg.com). Another generates domains by randomly choosing two English words from a hard-coded list in the malware and linking them together under the .net top-level domain (for example, theirjuly.net).

The Dridex banking malware, which leverages macros in Microsoft Office to infect systems, links English words and parts of words chosen at random from a small list, suffixed by the .mn (Mongolia) and .me (Montenegro) top-level domains. The words are often broken, shifted and padded with random characters, significantly increasing the number of possible combinations and making detection much harder (for example, ALLOWCLIENTAXPALAGENT.ME). The well-known Angler exploit kit also uses a DGA.

Cybereason says it has also found a new DGA in malware that seems to generate a random DWORD (a 32-bit integer, with a maximum value of approximately 4 million), converts it to hexadecimal format and suffixes the result with either the .com, .net or .info TLD (for example, 78E05B8B.NET).

Law enforcement and government agencies have tried to take control over top level domains at the source by going after the registrars, the report notes, but sometimes that doesn’t work.

Instead of looking for each DGA variant separately, Cybereason says vendors and security pros should look for behaviors associated with DGAs. "Just detecting a DGA incriminates a process as malicious since no legitimate process will ever use such a technique," says the company.
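The two defensive approaches the text describes, pre-computing the domains a known algorithm will produce (the Conficker "pre-register every domain" race) and looking for DGA-like behavior in DNS traffic (Cybereason's advice), put together as an added example that is not part of the original post or of any of the reports it cites. It reuses the page's generate_domain() unchanged; the resolver log lines and the qzvxkwjrptmbyhsd.net label are constructed for the demonstration, and the entropy threshold is an assumption.

```python
import math
from collections import Counter
from datetime import date, timedelta

def generate_domain(year, month, day):
    """The page's CryptoLocker-style DGA, reproduced unchanged."""
    domain = ""
    for _ in range(16):
        year = ((year ^ 8 * year) >> 11) ^ ((year & 0xFFFFFFF0) << 17)
        month = ((month ^ 4 * month) >> 25) ^ 16 * (month & 0xFFFFFFF8)
        day = ((day ^ (day << 13)) >> 19) ^ ((day & 0xFFFFFFFE) << 12)
        domain += chr(((year ^ month ^ day) % 25) + 97)
    return domain

def precompute_blocklist(start, days):
    """Every .com the DGA yields in [start, start+days) mapped to its date."""
    table = {}
    for n in range(days):
        d = start + timedelta(days=n)
        table[generate_domain(d.year, d.month, d.day) + ".com"] = d
    return table

def shannon_entropy(label):
    """Bits per character; long, high-entropy labels look machine-generated."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def scan_dns_log(lines, blocklist):
    """Exact blocklist hits, plus >=12-char labels with entropy >= 3.5 bits."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()          # constructed log format
        qname = qname.rstrip(".").lower()
        label = qname.split(".")[-2]               # second-level label
        if qname in blocklist:
            hits.append((client, qname, f"dga-blocklist:{blocklist[qname]}"))
        elif len(label) >= 12 and shannon_entropy(label) >= 3.5:
            hits.append((client, qname, "dga-heuristic"))
    return hits

# Constructed resolver log; the last label is made up to exercise the heuristic.
SAMPLE_LOG = [
    "2014-01-07T09:00:01 10.0.0.5 intgmxdeadnxuyla.com.",
    "2014-01-08T09:00:01 10.0.0.9 axwscwsslmiagfah.com.",
    "2014-01-08T09:00:02 10.0.0.9 login.microsoftonline.com.",
    "2014-01-09T09:00:01 10.0.0.5 qzvxkwjrptmbyhsd.net.",
]

def demo():  # two-day blocklist from 7 Jan 2014 scanned against the sample log
    return scan_dns_log(SAMPLE_LOG, precompute_blocklist(date(2014, 1, 7), 2))
```

The precomputed list is the high-confidence signal and only works once the algorithm and its seed (here, the date) are known; the entropy heuristic catches unknown variants but is deliberately shown beside a long benign name, because a threshold that flags every long label will drown analysts in false positives.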
