Domain Name generating algorithms evolving
Domain Name Generation Algorithms (DGA) have become a favoured technique used by cyber criminals to evade detection of botnets. Recently, a new type of DGA has been detected that is smarter in its generation of domain names, and is potentially able to evade detection by security software.
The first malware to widely use a DGA was the Conficker malware in 2008. The principle behind a DGA is to generate a large number of domain names. These domain names can then be used by cyber criminals as a contact point for an infected PC. Conficker C could generate 50,000 domain names each day.
Generation of domain names can be done by the malware using an inbuilt DGA. Typically, the malware generates a small portion of domain names and then loops through the generated domain names, attempting to contact one. The cyber criminals can then use the DGA on their end to register the domain names. The high volume of domain names generated, coupled with the difficulty of blacklisting domains, created headaches for security professionals at the time.
Algorithms used by a DGA were not initially very complicated; the DGA would usually churn out gibberish domain names. However, counter measures developed included checking to see if a domain name had some meaning, or whether it was a random string.
Newer DGAs have started taking words from various sources, including the US Declaration of Independence and parts of the GNU Public License. The latest variant, called Matsnu (or Trustezeb) uses an algorithm that can generate a domain name that contains a noun, verb, noun, and verb. Matsnu has a list of words containing 878 nouns and 444 verbs that it uses for generation of the domain names. The number of domain names created daily can be set by the attacker. Matsnu is mainly being spread via spam email.
Whilst the evolution of DGAs adds another threat element, it is important to remember that many of the threats are primarily email borne. Keeping all software up to date will prevent many attacks from occurring. Using an email filter to stop the spam arriving in your Inbox in the first place is a vital component of any defence, and should be considered.