Domain Generation Algorithm

Domain generation algorithms (DGAs) are used by malware to periodically generate a set of candidate domains through which infected hosts try to reach their command and control (C&C) server. The botnet operator runs the same algorithm ahead of time and registers one (or a few) of the upcoming domains, so that a resolvable domain exists at the moment the bots query it; the bots simply iterate through the candidate list until one of the names resolves.

Overview

Domain generation algorithms (DGAs) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. The large number of potential rendezvous points makes it difficult for law enforcement and defenders to shut down a botnet by seizing or sinkholing a single domain, since infected computers will attempt to contact some of these domain names every day to receive updates or commands. Conversely, once the algorithm and its seed have been reverse-engineered, defenders can compute the same list in advance and pre-register, sinkhole or blocklist the upcoming domains.
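The rendezvous mechanism above, as an added example (this is illustrative code written for this page, not the algorithm of any real malware family): a time-dependent, deterministic DGA that derives the day's candidate list from a seed and a date, the bot-side walk through that list, and the defender-side precomputation of a whole week. The seed string, SHA-256 as the mixing function, 12-letter labels and the three TLDs are all assumptions of the example.

```python
import hashlib
from datetime import date, timedelta

# Assumptions for this example: a hard-coded seed string, SHA-256 as the
# mixing function, 12-letter labels and three TLDs. Real families differ in
# every one of these choices; this only illustrates the TDD-DGA pattern.
SEED = "example-seed-v1"          # constructed, not taken from any malware
LETTERS = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org")


def generate_domains(seed, day_iso, count=50, label_len=12):
    """Return the candidate list for one day (day_iso like "2024-01-15").

    Both the bot and whoever knows the seed (the operator, or a defender who
    reversed the algorithm) compute exactly the same list, so the operator
    needs to register only one entry and the bot will find it by iteration.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day_iso}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # Map the first label_len digest bytes onto letters, pick the TLD
        # from the last byte. Deterministic: same seed + day -> same list.
        label = "".join(LETTERS[b % 26] for b in digest[:label_len])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def domains_for_range(seed, start_iso, days):
    """Defender's view: precompute every domain the bots will try over a
    window, e.g. to pre-register (sinkhole) or blocklist them."""
    start = date.fromisoformat(start_iso)
    out = []
    for offset in range(days):
        day = (start + timedelta(days=offset)).isoformat()
        out.extend(generate_domains(seed, day))
    return out


def bot_rendezvous(candidates, resolvable):
    """Bot's view: walk today's list and stop at the first domain that
    resolves. `resolvable` stands in for the DNS lookups a real bot makes;
    returns (index, domain) or None when nothing on the list resolves."""
    for index, domain in enumerate(candidates):
        if domain in resolvable:
            return index, domain
    return None


if __name__ == "__main__":
    today = "2024-01-15"   # fixed date so the output is reproducible
    todays = generate_domains(SEED, today)
    # The operator registered just the 18th candidate for this day.
    registered = {todays[17]}
    print(bot_rendezvous(todays, registered))
    print(len(domains_for_range(SEED, today, 7)), "domains over one week")
```

Note that the asymmetry is the whole point: the operator registers one name, but a defender who wants to block by enumeration has to handle all of them, every day. This is why a time-independent or non-deterministic DGA (see the families below) is harder to pre-empt: without a date input there is no "tomorrow's list" to compute.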

DGA families

The taxonomy below follows the measurement study listed under Research, which classifies DGAs by whether the generated domains depend on time and whether the output is deterministic:

  • TID-DGA (time independent, deterministic): the same seed always yields the same domains, regardless of date
  • TDD-DGA (time dependent, deterministic): the domains depend on the current date or time, so upcoming domains can be precomputed by anyone who knows the algorithm and seed
  • TDN-DGA (time dependent, non deterministic): the domains depend on time and on a value that cannot be predicted in advance (e.g. random bytes or an external source)
  • TIN-DGA (time independent, non deterministic): the domains depend only on an unpredictable value, not on time

Real case abuse

  • Sality
  • Geodo
  • Torpig
  • Dyre
  • Bamital
  • Corebot
  • Bedep
  • Kraken
  • Murofet
  • TinyBanker
  • Szribi
  • CryptoLocker ransomware
  • Conficker worm
  • Gameover Zeus

Tools

Name            Description                                                                   Language
dnstwist        Domain name permutation engine (generates typosquatting/lookalike variants     Python
                of a given domain; useful for brand monitoring rather than DGA detection)
DGADetective    Check if a domain has been created using a DGA                                Node.js
VorpalSpyglass  A tool for automatic detection of DGA domains in PCAP-format traffic captures  Python

Research

Detecting Algorithmically Generated Malicious Domain Names

Finding Domain-Generation Algorithms by Looking at Length Distributions

Automatic Extraction of Domain Name Generation Algorithms from Current Malware

A Comprehensive Measurement Study of Domain Generating Malware

Domain Name Generation Algorithms

Predicting Domain Generation Algorithms with Long Short-Term Memory Networks

Mitigation

Detection

  • Domain name length: algorithmically generated labels are often unusually long compared with the labels a user would type
  • Entropy: random-looking labels have a higher character entropy than natural-language names; note that dictionary-based DGAs, which concatenate real words, defeat this signal
  • NX domain: only one or a few of the generated domains are ever registered, so a host walking a DGA list produces a burst of NXDOMAIN responses; a high NXDOMAIN ratio per client is a stronger indicator than any single name
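The three detection signals above combined into a per-client scorer, as an added example written for this page (not taken from any of the tools or papers listed). The log format ("client qname rcode", one query per line) and the sample lines are constructed for the example; the thresholds (label length ≥ 10, entropy ≥ 3.0 bits, NXDOMAIN ratio ≥ 0.5) are assumptions that need tuning against a real baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log for this example (not a real capture). Assumed
# format, one query per line: "<client_ip> <qname> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 xk3qz9vb2mtp.net NXDOMAIN
10.0.0.5 p7w2hq4nzr8s.com NXDOMAIN
10.0.0.5 gh9t3mvx1kqa.org NXDOMAIN
10.0.0.5 b4n8s2yq7wzl.net NXDOMAIN
10.0.0.5 update.example.com NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.7 mail.example.org NOERROR
10.0.0.7 cdn.example.net NOERROR
"""


def shannon_entropy(text):
    """Bits per character: 0 for a repeated character, log2(k) for k distinct
    equiprobable characters."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label directly under the TLD. Good enough for the single-label TLDs in
    the sample; a real deployment should use the Public Suffix List so that
    'foo.co.uk' yields 'foo', not 'co'."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    """Yield (client, qname, rcode) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            client, qname, rcode = line.split()
            yield client, qname, rcode


def score_clients(text, min_len=10, min_entropy=3.0, min_nx_ratio=0.5):
    """Aggregate the three signals per client.

    A client is flagged when most of its queries returned NXDOMAIN *and* at
    least one of them was a long, high-entropy label; either signal alone
    produces false positives (typos, CDN hostnames, expired names)."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "suspicious": []})
    for client, qname, rcode in parse_log(text):
        st = stats[client]
        st["total"] += 1
        if rcode == "NXDOMAIN":
            st["nx"] += 1
        label = registrable_label(qname)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            st["suspicious"].append(qname)
    flagged = {}
    for client, st in stats.items():
        ratio = st["nx"] / st["total"]
        if ratio >= min_nx_ratio and st["suspicious"]:
            flagged[client] = {"nx_ratio": ratio, "suspicious": st["suspicious"]}
    return flagged


if __name__ == "__main__":
    for client, info in score_clients(SAMPLE_LOG).items():
        print(f"{client}: NXDOMAIN ratio {info['nx_ratio']:.2f}, "
              f"{len(info['suspicious'])} DGA-like names")
```

In the sample, 10.0.0.5 is flagged (four of five queries are NXDOMAIN and all four labels are 12 distinct characters, i.e. log2(12) ≈ 3.58 bits) while 10.0.0.7 is not. Length and entropy are cheap first-pass filters; they miss dictionary-based DGAs, which is why the later research listed above moves to learned models (the LSTM paper) and why the NXDOMAIN ratio per client, which does not depend on how the names look, should carry the most weight.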

References

Repository of DGA implementations

GitHub project containing many DGAs reverse-engineered from malware

Domain generation algorithm - Wikipedia