Domain generation algorithm
Domain generation algorithms (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. The large number of potential rendezvous points makes it difficult for law enforcement to effectively shut down botnets, since infected computers will attempt to contact some of these domain names every day to receive updates or commands. The use of public-key cryptography in malware code makes it unfeasible for law enforcement and other actors to mimic commands from the malware controllers as some worms will automatically reject any updates not signed by the malware controllers.
For example, an infected computer could create thousands of domain names such as: www.<gibberish>.com and would attempt to contact a portion of these with the purpose of receiving an update or commands.
Embedding the DGA instead of a list of previously-generated (by the command and control server(s)) domains in the unobfuscated binary of the malware protects against a strings dump that could be fed into a network blacklisting appliance preemptively to attempt to restrict outbound communication from infected hosts within an enterprise.
The technique was popularized by the family of worms Conficker.a and .b which, at first generated 250 domain names per day. Starting with Conficker.C, the malware would generate 50,000 domain names every day of which it would attempt to contact 500, giving an infected machine a 1% possibility of being updated every day if the malware controllers registered only one domain per day. To prevent infected computers from updating their malware, law enforcement would have needed to pre-register 50,000 new domain names every day. From the point of view of botnet owner, they only have to register one or a few domains out of the several domains that each bot would query every day.
Recently, the technique has been adopted by other malware authors. According to network security firm Damballa, the top-5 most prevalent DGA-based crimeware families are Conficker, Murofet, BankPatch, Bonnana and Bobax as of 2011.
DGA can also combine words from a dictionary to generate domains. These dictionaries can be hard-coded in malware or taken from a publicly accessible source. Domains generated by dictionary DGA tend to be more difficult to detect due to their similarity to legitimate domains.
def generate_domain(year, month, day): """Generates a domain name for the given date.""" domain = "" for i in range(16): year = ((year ^ 8 * year) >> 11) ^ ((year & 0xFFFFFFF0) << 17) month = ((month ^ 4 * month) >> 25) ^ 16 * (month & 0xFFFFFFF8) day = ((day ^ (day << 13)) >> 19) ^ ((day & 0xFFFFFFFE) << 12) domain += chr(((year ^ month ^ day) % 25) + 97) return domain + ".com"
For example, on January 7, 2014, this method would generate the domain name
intgmxdeadnxuyla.com, while the following day, it would return
axwscwsslmiagfah.com. This simple example was in fact used by malware like CryptoLocker, before it switched to a more sophisticated variant.
DGA domain names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists). Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised clustering techniques and contextual information like network NXDOMAIN responses, WHOIS information, and passive DNS to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with deep learning techniques have been extremely successful, with F1 scores of over 99%. These deep learning methods typically utilize LSTM and CNN architectures, though deep word embeddings have shown great promise for detecting dictionary DGA. However, these deep learning approaches can be vulnerable to adversarial techniques.
- "Top-5 Most Prevalent DGA-based Crimeware Families" (PDF). Damballa. p. 4. Archived from the original (PDF) on 2016-04-03.
- Plohmann, Daniel; Yakdan, Khaled; Klatt, Michael; Bader, Johannes; Gerhards-Padilla, Elmar (2016). "A Comprehensive Measurement Study of Domain Generating Malware" (PDF). 25th USENIX Security Symposium: 263–278.
- Kührer, Marc; Rossow, Christian; Holz, Thorsten (2014), Stavrou, Angelos; Bos, Herbert; Portokalidis, Georgios (eds.), "Paint It Black: Evaluating the Effectiveness of Malware Blacklists" (PDF), Research in Attacks, Intrusions and Defenses, Springer International Publishing, 8688, pp. 1–21, doi:10.1007/978-3-319-11379-1_1, ISBN 9783319113784, retrieved 2019-03-15
- Antonakakis, Manos; et al. (2012). "From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware". 21st USENIX Security Symposium: 491–506.
- Curtin, Ryan; Gardner, Andrew; Grzonkowski, Slawomir; Kleymenov, Alexey; Mosquera, Alejandro (2018). "Detecting DGA domains with recurrent neural networks and side information". arXiv:1810.02023 [cs.CR].
- Pereira, Mayana; Coleman, Shaun; Yu, Bin; De Cock, Martine; Nascimento, Anderson (2018), "Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic" (PDF), Research in Attacks, Intrusions, and Defenses, Lecture Notes in Computer Science, 11050, Springer International Publishing, pp. 295–314, doi:10.1007/978-3-030-00470-5_14, ISBN 978-3-030-00469-9, retrieved 2019-03-15
- Woodbridge, Jonathan; Anderson, Hyrum; Ahuja, Anjum; Grant, Daniel (2016). "Predicting Domain Generation Algorithms with Long Short-Term Memory Networks". arXiv:1611.00791 [cs.CR].
- Yu, Bin; Pan, Jie; Hu, Jiaming; Nascimento, Anderson; De Cock, Martine (2018). "Character Level based Detection of DGA Domain Names" (PDF). 2018 International Joint Conference on Neural Networks (IJCNN). Rio de Janeiro: IEEE: 1–8. doi:10.1109/IJCNN.2018.8489147. ISBN 978-1-5090-6014-6.
- Koh, Joewie J.; Rhodes, Barton (2018). "Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings". 2018 IEEE International Conference on Big Data (Big Data). Seattle, WA, USA: IEEE: 2966–2971. arXiv:1811.08705. doi:10.1109/BigData.2018.8622066. ISBN 978-1-5386-5035-6.
- Anderson, Hyrum; Woodbridge, Jonathan; Bobby, Filar (2016). "DeepDGA: Adversarially-Tuned Domain Generation and Detection". arXiv:1610.01969 [cs.CR].
- Sidi, Lior; Nadler, Asaf; Shabtai, Asaf (2019). "MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses". arXiv:1902.08909 [cs.CR].
- Phillip Porras; Hassen Saidi; Vinod Yegneswaran (2009-03-19). "An Analysis of Conficker's Logic and Rendezvous Points". Malware Threat Center. SRI International Computer Science Laboratory. Archived from the original on 2013-02-03. Retrieved 2013-06-14.
- Lucian Constantin (2012-02-27). "Malware Authors Expand Use of Domain Generation Algorithms to Evade Detection". PC World. Retrieved 2013-06-14.
- Hongliang Liu, Yuriy Yuzifovich (2017-12-29). "A Death Match of Domain Generation Algorithms". Akamai Technologies. Retrieved 2019-03-15.
- DGAs in the Hands of Cyber-Criminals - Examining the state of the art in malware evasion techniques
- DGAs and Cyber-Criminals: A Case Study
- How Criminals Defend Their Rogue Networks, Abuse.ch