Domain generation algorithm

Last updated

Domain generation algorithms (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. The large number of potential rendezvous points makes it difficult for law enforcement to effectively shut down botnets, since infected computers will attempt to contact some of these domain names every day to receive updates or commands. The use of public-key cryptography in malware code makes it unfeasible for law enforcement and other actors to mimic commands from the malware controllers as some worms will automatically reject any updates not signed by the malware controllers.

Contents

For example, an infected computer could create thousands of domain names such as: www.<gibberish>.com and would attempt to contact a portion of these with the purpose of receiving an update or commands.

Embedding the DGA instead of a list of previously-generated (by the command and control servers) domains in the unobfuscated binary of the malware protects against a strings dump that could be fed into a network blacklisting appliance preemptively to attempt to restrict outbound communication from infected hosts within an enterprise.

The technique was popularized by the family of worms Conficker.a and .b which, at first generated 250 domain names per day. Starting with Conficker.C, the malware would generate 50,000 domain names every day of which it would attempt to contact 500, giving an infected machine a 1% possibility of being updated every day if the malware controllers registered only one domain per day. To prevent infected computers from updating their malware, law enforcement would have needed to pre-register 50,000 new domain names every day. From the point of view of botnet owner, they only have to register one or a few domains out of the several domains that each bot would query every day.

Recently, the technique has been adopted by other malware authors. According to network security firm Damballa, the top-5 most prevalent DGA-based crimeware families are Conficker, Murofet, BankPatch, Bonnana and Bobax as of 2011. [1]

DGA can also combine words from a dictionary to generate domains. These dictionaries can be hard-coded in malware or taken from a publicly accessible source. [2] Domains generated by dictionary DGA tend to be more difficult to detect due to their similarity to legitimate domains.

Example

defgenerate_domain(year:int,month:int,day:int)->str:"""Generate a domain name for the given date."""domain=""foriinrange(16):year=((year^8*year)>>11)^((year&0xFFFFFFF0)<<17)month=((month^4*month)>>25)^16*(month&0xFFFFFFF8)day=((day^(day<<13))>>19)^((day&0xFFFFFFFE)<<12)domain+=chr(((year^month^day)%25)+97)returndomain+".com"

For example, on January 7, 2014, this method would generate the domain name intgmxdeadnxuyla.com, while the following day, it would return axwscwsslmiagfah.com. This simple example was in fact used by malware like CryptoLocker, before it switched to a more sophisticated variant.

Detection

DGA domain [3] names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists). [4] Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised clustering techniques and contextual information like network NXDOMAIN responses, [5] WHOIS information, [6] and passive DNS [7] to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with deep learning techniques have been extremely successful, with F1 scores of over 99%. [8] These deep learning methods typically utilize LSTM and CNN architectures, [9] though deep word embeddings have shown great promise for detecting dictionary DGA. [10] However, these deep learning approaches can be vulnerable to adversarial techniques. [11] [12]

See also

Related Research Articles

<span class="mw-page-title-main">Computer worm</span> Self-replicating malware program

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

<span class="mw-page-title-main">Storm botnet</span> Computer botnet

The Storm botnet or Storm worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

<span class="mw-page-title-main">Fast flux</span> DNS evasion technique against origin server fingerprinting.

Fast flux is a domain name system (DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet master—a bulletproof autonomous system. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

<span class="mw-page-title-main">Object detection</span> Computer technology related to computer vision and image processing

Object detection is a computer technology related to computer vision and image processing that deals with detecting instances of semantic objects of a certain class in digital images and videos. Well-researched domains of object detection include face detection and pedestrian detection. Object detection has applications in many areas of computer vision, including image retrieval and video surveillance.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Microsoft has launched an online tech team to tackle the problem of Zeus.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

The Rustock botnet was a botnet that operated from around 2006 until March 2011.

Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.

Virut is a cybercrime malware botnet, operating at least since 2006, and one of the major botnets and malware distributors on the Internet. In January 2013, its operations were disrupted by the Polish organization Naukowa i Akademicka Sieć Komputerowa.

GameOverZeus is a peer-to-peer botnet based on components from the earlier ZeuS trojan. The malware was created by Russian hacker Evgeniy Mikhailovich Bogachev. It is believed to have been spread through use of the Cutwail botnet.

<span class="mw-page-title-main">Adversarial machine learning</span> Research field that lies at the intersection of machine learning and computer security

Adversarial machine learning is the study of the attacks on machine learning algorithms, and of the defenses against such attacks. A survey from May 2020 exposes the fact that practitioners report a dire need for better protecting machine learning systems in industrial applications.

Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older form of viruses known as Banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. It is designed to steal users' sensitive data, such as account login information and banking codes.

<span class="mw-page-title-main">Yuval Elovici</span>

Yuval Elovici is a computer scientist. He is a professor in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev (BGU), where he is the incumbent of the Davide and Irene Sala Chair in Homeland Security Research. He is the director of the Cyber Security Research Center at BGU and the founder and director of the Telekom Innovation Laboratories at Ben-Gurion University. In addition to his roles at BGU, he also serves as the lab director of Singapore University of Technology and Design’s (SUTD) ST Electronics-SUTD Cyber Security Laboratory, as well as the research director of iTrust. In 2014 he co-founded Morphisec, a start-up company, that develops cyber security mechanisms related to moving target defense.

References

  1. "Top-5 Most Prevalent DGA-based Crimeware Families" (PDF). Damballa. p. 4. Archived from the original (PDF) on 2016-04-03.
  2. Plohmann, Daniel; Yakdan, Khaled; Klatt, Michael; Bader, Johannes; Gerhards-Padilla, Elmar (2016). "A Comprehensive Measurement Study of Domain Generating Malware" (PDF). 25th USENIX Security Symposium: 263–278.
  3. Shateel A. Chowdhury, "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE", Aug 30, 2019.
  4. Kührer, Marc; Rossow, Christian; Holz, Thorsten (2014), Stavrou, Angelos; Bos, Herbert; Portokalidis, Georgios (eds.), "Paint It Black: Evaluating the Effectiveness of Malware Blacklists" (PDF), Research in Attacks, Intrusions and Defenses, Springer International Publishing, vol. 8688, pp. 1–21, doi:10.1007/978-3-319-11379-1_1, ISBN   9783319113784 , retrieved 2019-03-15
  5. Antonakakis, Manos; et al. (2012). "From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware". 21st USENIX Security Symposium: 491–506.
  6. Curtin, Ryan; Gardner, Andrew; Grzonkowski, Slawomir; Kleymenov, Alexey; Mosquera, Alejandro (2018). "Detecting DGA domains with recurrent neural networks and side information". arXiv: 1810.02023 [cs.CR].
  7. Pereira, Mayana; Coleman, Shaun; Yu, Bin; De Cock, Martine; Nascimento, Anderson (2018), "Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic" (PDF), Research in Attacks, Intrusions, and Defenses, Lecture Notes in Computer Science, vol. 11050, Springer International Publishing, pp. 295–314, doi:10.1007/978-3-030-00470-5_14, ISBN   978-3-030-00469-9 , retrieved 2019-03-15
  8. Woodbridge, Jonathan; Anderson, Hyrum; Ahuja, Anjum; Grant, Daniel (2016). "Predicting Domain Generation Algorithms with Long Short-Term Memory Networks". arXiv: 1611.00791 [cs.CR].
  9. Yu, Bin; Pan, Jie; Hu, Jiaming; Nascimento, Anderson; De Cock, Martine (2018). "Character Level based Detection of DGA Domain Names" (PDF). 2018 International Joint Conference on Neural Networks (IJCNN). Rio de Janeiro: IEEE. pp. 1–8. doi:10.1109/IJCNN.2018.8489147. ISBN   978-1-5090-6014-6. S2CID   52398612.
  10. Koh, Joewie J.; Rhodes, Barton (2018). "Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings". 2018 IEEE International Conference on Big Data (Big Data). Seattle, WA, USA: IEEE. pp. 2966–2971. arXiv: 1811.08705 . doi:10.1109/BigData.2018.8622066. ISBN   978-1-5386-5035-6. S2CID   53793204.
  11. Anderson, Hyrum; Woodbridge, Jonathan; Bobby, Filar (2016). "DeepDGA: Adversarially-Tuned Domain Generation and Detection". arXiv: 1610.01969 [cs.CR].
  12. Sidi, Lior; Nadler, Asaf; Shabtai, Asaf (2019). "MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses". arXiv: 1902.08909 [cs.CR].

Further reading