Dissecting Domain Generation Algorithms

While hackers can use many methods to infiltrate a network, every malicious operation contains some essential components, such as establishing command and control communication between the attacker and the compromised network.

Adversaries are increasingly turning to domain generation algorithms (DGAs) to remotely communicate with the sophisticated, malicious tools they created. Hard-coded domain lists and IP addresses, once popular with attackers, aren’t as appealing since both are useless once discovered and blocking them is easy.

DGAs, on the other hand, are a near-perfect communication method. They’re easy to implement, difficult to block, almost impossible to predict in advance, and can be quickly modified if the previously used algorithm becomes known.

Current security solutions really aren’t capable of handling DGAs given the massive number of domains they generate. Gameover Zeus, for example, generated 1,000 domains every day, or 365,000 in one year. Attempting to block these domains would strain firewalls, network-filtering products and other security tools.

Law enforcement and government agencies have attempted to shut down these domains by going after their registrars, as seen in Operation Tovar. But even these efforts weren’t completely successful. In the case of Operation Tovar, the FBI was unable to take over domains registered under the Russian TLD. Additionally, accessing the TLD name servers meant spending huge amounts of time and money to obtain a search warrant.

Instead of undertaking the Sisyphean task of fighting each DGA variant, a better approach would be to look for common techniques used by DGAs. Just detecting a DGA incriminates a process as malicious, since no legitimate process will ever use such a technique. This is part of Cybereason’s aikido approach to security: a method that uses the opponents’ strength against them. The more adversaries try to hide their activities, the more suspicious they appear. Eventually, they run out of places to hide and techniques to avoid detection, allowing the defender to discover the attack.
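As an added illustration of what "looking for common techniques" means in practice (this is example code written for this post, not Cybereason's detection logic), the script below scores DNS query names on traits that generated domains tend to share: long second-level labels with high character entropy and almost no vowels, plus a burst of NXDOMAIN answers from one client as it walks through the day's candidate list. The log format, the sample log lines, the thresholds and the single-label-TLD assumption in `registrable_label` are all constructed for this example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from any real environment):
# "<timestamp> <client_ip> <query_name> <rcode>"
SAMPLE_DNS_LOG = """\
2015-07-01T10:00:01 10.0.0.5 www.example.com NOERROR
2015-07-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2015-07-01T10:00:03 10.0.0.9 xk3qzv7tpwmr2jbd.com NXDOMAIN
2015-07-01T10:00:03 10.0.0.9 q9hw2tvkbz4xpmrl.net NXDOMAIN
2015-07-01T10:00:04 10.0.0.9 zb7mqp2kwtv9xrhl.org NXDOMAIN
2015-07-01T10:00:04 10.0.0.9 tvx4k9pmzq2wbrhl.com NXDOMAIN
2015-07-01T10:00:05 10.0.0.9 pk2zq9vwmt7xbhrl.biz NXDOMAIN
2015-07-01T10:00:05 10.0.0.9 wm9tzx2pvkq7rbhl.info NXDOMAIN
2015-07-01T10:00:06 10.0.0.5 cdn.assets.example.net NOERROR
2015-07-01T10:00:07 10.0.0.7 typo-of-exmaple.com NXDOMAIN
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Share of alphabetic characters that are vowels; pronounceable
    names score high, random-looking ones score near zero."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def registrable_label(name: str) -> str:
    """Second-level label of a query name. Assumes a single-label TLD
    (example.com, not example.co.uk); a public-suffix list would fix that."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label: str, min_len: int = 10, min_entropy: float = 3.5,
                    max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic: long, high-entropy, nearly vowel-free labels.
    Thresholds are assumptions chosen for this example, not tuned values."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def analyze(log_text: str, nx_threshold: int = 5) -> dict:
    """Return the DGA-looking query names and the clients that received
    at least nx_threshold NXDOMAIN answers for such names."""
    suspicious = []
    nx_per_client = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, qname, rcode = fields
        if looks_generated(registrable_label(qname)):
            suspicious.append(qname)
            if rcode == "NXDOMAIN":
                nx_per_client[client] += 1
    flagged = {c: n for c, n in nx_per_client.items() if n >= nx_threshold}
    return {"suspicious_domains": suspicious, "flagged_clients": flagged}


if __name__ == "__main__":
    result = analyze(SAMPLE_DNS_LOG)
    for qname in result["suspicious_domains"]:
        print("DGA-like query:", qname)
    for client, count in result["flagged_clients"].items():
        print(f"client {client}: {count} NXDOMAIN answers for generated-looking names")
```

The point of scoring traits rather than names is that the detector does not care which family produced the domains or what today's seed is; the 1,000 new names a family emits tomorrow score the same way today's did. The typo domain in the sample shows the obvious false-positive class (legitimate but unresolvable names), which is why the per-client NXDOMAIN burst is combined with the lexical score rather than used on its own.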

Out of the dozens of DGA variants Cybereason detected in our customers’ environments, Cybereason Labs dissected eight of the more interesting examples.

Uri Sternfeld is the research team leader at Cybereason.

About the Author

Uri Sternfeld

Over 15 years of experience in software design, programming and technology research. Experienced in cyber-security, computer networks, client-server architecture, web-crawling, data-mining, automation and reverse-engineering.