Wednesday 12 April 2017

How does malware still succeed in exfiltrating your data once an attacker's server IP is blocked?

We all know there has been (and still is) a lot of malware lurking around the Internet. It is quite usual today that once a victim gets infected, the malware calls back to a command and control (C&C) server controlled by the attacker. The attacker can then send instructions to the malware installed on the victim's machine through that C&C server.


Once a C&C server is identified and reported by a forensic professional, its address is added to blacklists of IP addresses and domains. Hence, the attacker needs a way to move the bots to the next C&C server. So, instead of relying on a static list of preconfigured domain names that correspond to the locations of the C&C servers, the malware uses an algorithm to calculate candidate domain names and then tries reaching out to a handful of those candidates in an attempt to locate an active C&C server. Blocking one domain or IP no longer breaks the channel, because the next candidate is already known to both sides.

Now let's see what exactly a Domain Generation Algorithm (DGA) is.


Domain Generation Algorithms (DGAs) are used in malware to generate a large number of domain names that can be used in communications to the malware’s command and control servers.

What exactly are its uses?

The DGA technique is in use because malware that depends on a fixed domain or IP address is quickly blocked, which then hinders operations. So, rather than bringing out a new version of the malware or setting everything up again at a new server, the malware switches to a new domain at regular intervals.

An example of DGA in practice is C&C servers for botnets and ransomware. If we were able to block these or take them down, we would cut the link between the victims and the threat actor. Bots would no longer be able to fetch new instructions and machines infected with ransomware would be unable to request encryption keys and send user data.

How does it work?

To better understand how these algorithms work, let’s look at the requirements they have to fulfill:
  • The routines have to generate domains that are predictable to both sides of the communication chain: the bot and the operator must arrive at the same candidates without any further communication.
  • The routines have to be as unpredictable for security researchers as possible, so that candidates cannot easily be registered or sinkholed ahead of time.
  • The domain registration fee has to be low, given the huge number of domains the operator will register over time.
  • The routine has to be cheap to compute: a bot may have to generate and try hundreds or thousands of candidates per day.
  • The registration process has to be anonymous or at least untraceable.
To achieve predictability, yet remain hard to research, the DGA routines use a few building blocks:
  • Seed, the base element: the seed can be a phrase or a number. Practically anything that the threat actor can change at will (e.g. when they switch to a new version) and that can be fed into an algorithm. The seed and the time-based element are combined in the algorithm to create the "body" of the domain name, which is then combined with one of the available TLDs.
  • Time element: a time-based element need not be something like the date and time. It can be anything else that varies with time, for example the trending topic on Twitter in a certain country at the moment of the connection. Something that is difficult to predict in advance is preferred, as this makes it harder for researchers to register certain domains ahead of time and intercept traffic or perform a takeover.
  • Top Level Domains (TLDs): the generated body is paired with a TLD drawn from a set the algorithm knows. A further way to throw off countermeasures is to use only some of the domains the algorithm produces rather than all of them. This drastically increases the number of domains researchers would have to register if they plan to intercept the traffic.
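The following toy DGA is an added example written for this post; it is not code from any real malware family. It puts the three building blocks together: a seed, a time element (here simply the date in ISO form) and a TLD pool, hashed into a domain body. The seed, the TLD list and the selection rule (use only candidates whose digest has an even byte at a fixed position) are assumptions for illustration. Because both the bot and the operator run the same routine over the same seed and date, they arrive at the same candidate list without talking to each other, which is exactly the property the summary below describes; a defender can run the same routine to precompute the day's candidates for sinkholing.

```python
"""Toy domain generation algorithm built from seed + time element + TLD pool.

Added illustrative example, not code from any real malware. The seed,
TLD pool, body length rule and selection rule are all assumptions.
"""
import hashlib
import string

ALPHABET = string.ascii_lowercase              # characters used for the domain body
TLDS = ["com", "net", "org", "info", "biz"]    # assumed TLD pool known to both sides
SEED = "example-campaign-v1"                   # assumed seed; operator changes it per version


def _digest(seed: str, day: str, index: int) -> bytes:
    """Hash seed | time element | counter. Both bot and operator compute this."""
    material = f"{seed}|{day}|{index}".encode()
    return hashlib.sha256(material).digest()   # 32 bytes


def generate_domain(seed: str, day: str, index: int) -> str:
    """Candidate number `index` for a given day: body of 10..15 letters plus a TLD."""
    d = _digest(seed, day, index)
    length = 10 + d[0] % 6                     # body length derived from first byte
    body = "".join(ALPHABET[b % 26] for b in d[1:1 + length])
    tld = TLDS[d[31] % len(TLDS)]              # last byte picks the TLD
    return f"{body}.{tld}"


def is_selected(seed: str, day: str, index: int) -> bool:
    """Only a subset of the generated candidates is actually used (assumed rule:
    byte 30 of the digest is even). A bot skips the others, but a researcher
    who does not know the rule must still cover the whole candidate space."""
    return _digest(seed, day, index)[30] % 2 == 0


def candidates(seed: str, day: str, count: int) -> list[str]:
    """Full candidate list for a day, e.g. what a defender precomputes to sinkhole."""
    return [generate_domain(seed, day, i) for i in range(count)]


def active_candidates(seed: str, day: str, count: int) -> list[str]:
    """The candidates a bot would really try on that day, in order."""
    return [generate_domain(seed, day, i)
            for i in range(count) if is_selected(seed, day, i)]


if __name__ == "__main__":
    day = "2017-04-12"
    full = candidates(SEED, day, 20)
    active = active_candidates(SEED, day, 20)
    print(f"{len(full)} candidates generated for {day}, {len(active)} in use:")
    for dom in active:
        print("  ", dom)
```

Registering one domain from a day's list gives the operator a working rendezvous point; a takedown of that domain only costs them the next registration, while a researcher wanting to intercept the traffic must register (or sinkhole) every active candidate for every day, which is why the selection step and the unpredictable time element matter.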

Summary:


Domain Generation Algorithms are used by cybercriminals to prevent their servers from being blacklisted or taken down. The algorithm produces random-looking domain names. The basic idea is that two machines running the same algorithm with the same seed will contact the same domain at a given time, so they are able to exchange information or fetch instructions without ever having agreed on a fixed address.
