A basic security premise: as security teams within organizations continue to evolve, so do threat actors. One prominent example of this reality that security professionals encounter in their environment is DGAs (or Domain Generation Algorithms). DGAs are algorithms leveraged in some malware. They are used to generate a large volume of domain names (which usually appear to be gobbledygook or domains with random characters) which effectively “phone home” to a command and control center for instructions. Because these domains are generated in such a high volume, it makes it very difficult for law enforcement or proactive security organizations to shut down these domains via blocklists or other takedown methods. This allows botmasters to utilize DGAs as a primary mechanism for communication.
The key to a proactive security stance is finding patterns in nefarious activity. This simple truth led to some very important research completed back in 2015 by Daniel Plohmann, Fraunhofer FKIE. Daniel worked with Khaled Yakdan, University of Bonn; Johannes Bader;Elmar Gerhards-Padilla, Fraunhofer FKIE; and our own Michael Klatt of DomainTools. Daniel Plohmann and company reverse engineered over 43 families of malware and generated all possible domains from DGAs. DomainTools historical data was used to identify which of these domains existed at the time they could have been active for the botnet. This research was written up in a paper and presented at the USENIX symposium this past month. The type of research in this paper includes:
- A comprehensive measurement study of the DGA landscape by analyzing 43 DGA based malware families and variants
- Taxonomy for DGAs which is used to characterize and compare the properties of the studied families
- Insight into the botmasters’ strategies regarding domain registration and identify several pitfalls in previous takedown efforts of DGA-based botnets
Below is a quick summary of what Michael Klatt considers actionable takeaways that security teams can apply to improve their strategy to mitigating DGAs in their own network:
- The majority of DGA families continue to produce random-looking domain names. This remains a good signal to consider when analyzing your network DNS activity.
- DGArchive provides lists of DGA domains to use for protecting your networks. These lists will have low false positives or collisions with benign domains.
- Identifying the family for a malicious DGA domain may provide insight into the type of threat you are facing.
- Historical Whois information is often very helpful in profiling a threat. Creation dates of associated domains can help identify when a threat first became active. Threat mitigations (sinkholed domains) may be visible by looking for apparent change of ownership (in whois or nameserver changes).
Michael Klatt also partnered with Tim Helming last year to identify patterns in the distribution of malicious domains and BDRAs (bulk domain registration agents). These two reports will help your security team quickly identify malicious patterns and proactively block these nefarious threat actors from your network.