The Domain Generation Algorithm Dilemma

A Domain Generation Algorithm (DGA) is pretty much exactly like it sounds. It is a technique that attackers use to automate the generation of dynamic domain names and IPs that can point back to their Command & Control servers in an effort to avoid detection.

Summer is coming, so this metaphor is apropos – think of it like playing Marco Polo. If you have one person yelling “POLO,” it’s easy to identify where the sound is coming from and move toward it. Now imagine there are hundreds of people yelling at the same time. Marco is going to have a difficult time distinguishing who’s in the game and who isn’t.

This post will take a look at the history of DGAs, how they work in general terms, how they can be detected, and finally, how to mitigate these attack techniques.

What is a DGA?

Domain Generation Algorithms have been in use since around 2008, when the Conficker botnet was first detected. In the context of DGAs, Conficker started out by checking daily for downloads from any of 250 somewhat random domains across a handful of TLDs. That eventually escalated to nearly 50,000 domains across 110 TLDs, with each domain lasting anywhere from 24-48 hours on average.

Once malware is installed on a host, attackers need to be able to track what it is doing and also send instructions back to complete their objectives and evade detection. They do this by connecting to Command and Control (C2, C&C) servers. Of course, if there is only one IP or domain that points to their C&C server, as stated above, it’s really easy for security teams to move in the direction of the one yelling “POLO.”

Enter Domain Generation Algorithms.

How does a DGA work?

A DGA is a program that malware authors create to generate domain names following a specific set of criteria. Since malware is built by humans, the choice of method is up to the individual author; the singular goal is to quickly generate a list of domains that throws security teams off track.

Some malware, like tinynuke, creates domains made up of MD5 hashes, while other families simply alternate between consonants and vowels. The algorithm produces a set of new domains, and the infected host attempts to contact only a handful of them. Based on the malware code, there will always be one domain in that set where the C&C server is actually located for that period of time; then the set changes again. Since the same DGA runs on both the C&C side and the infected host, both sides generate the same list without needing to communicate.

If a certain domain or IP address gets blocked, say by an explicit block at the firewall, both the C&C server and the host are designed to adjust, create a new list of domains, and attempt to connect again. You can quickly see how futile this is for security teams who are trying to manually manage perimeter security with limited resources.

How can I detect if a DGA is in use?

Using a service like the Milton Argos Platform (MAP) in combination with the Milton Threat Hunting team, you gain the advantage of wire speed evaluations of requests plus the human benefit of deep dives into the issues that are being observed. Reviewing the domain name, NXDOMAIN responses, passive DNS, and WHOIS information at wire speed, Milton Security can make a crucial determination about the validity and legitimacy of the domains.
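As an added example (not code from Milton Security or the Argos Platform), the following Python heuristic scores constructed DNS resolver log lines on two of the signals named above: the shape of the queried domain name (long, high-entropy, vowel-poor labels like the consonant-heavy names a DGA emits) and the share of NXDOMAIN answers each client receives while it walks its candidate list. The log format, sample names, client addresses and thresholds are all assumptions chosen for the demonstration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines (hypothetical format): "<client> <name> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.9 kqzvfxjwplmbtr.com NXDOMAIN
10.0.0.9 xwghjkqlpdnrvt.net NXDOMAIN
10.0.0.9 bzrtmqplkvwxjh.info NXDOMAIN
10.0.0.9 gjxkqwvmzhtlpr.org NXDOMAIN
10.0.0.9 www.example.com NOERROR
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")

def shannon_entropy(label: str) -> float:
    """Bits per character; generated labels sit well above dictionary words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def sld(name: str) -> str:
    """Second-level label: 'example' for 'www.example.com'."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(name: str, min_entropy: float = 3.0, max_vowel_ratio: float = 0.25) -> bool:
    """Long, high-entropy, vowel-poor label: the shape the post attributes to DGA output."""
    label = sld(name)
    vowels = sum(ch in "aeiou" for ch in label)
    return (len(label) >= 10 and shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)

def suspicious_clients(log_text: str, min_queries: int = 3, min_nx_ratio: float = 0.5) -> dict:
    """Per client: count queries, NXDOMAIN answers and DGA-like names; return those over threshold."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "dga_like": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, name, rcode = m.groups()
        s = stats[client]
        s["queries"] += 1
        s["nxdomain"] += rcode == "NXDOMAIN"
        s["dga_like"] += looks_generated(name)
    return {c: s for c, s in stats.items()
            if s["queries"] >= min_queries and s["nxdomain"] / s["queries"] >= min_nx_ratio
            and s["dga_like"] > 0}
```

Neither signal is conclusive on its own (CDNs produce odd-looking labels, and typos produce NXDOMAIN), which is why the two are combined per client and why an analyst still reviews passive DNS and WHOIS for anything flagged.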

How can I mitigate DGA?

When dealing with any type of C&C and Domain Generation Algorithms from malware, you need to immediately remove the offending systems from the network and simultaneously hunt to see if other systems are potentially affected. By broadening the hunt and doing retro-hunting, you will be able to track down and terminate all potential communications that may be occurring. Once disconnected from the network, the offending systems need to be scanned immediately by remediation applications in order to ensure that no malware remains present.

The tricky thing about mitigating DGA activity is that the C&C server IP and Domain Name are designed to change regularly to avoid detection and circumvent any IP or Domain blocks that result from initial detection and response. Your best option in mitigating any further communication with the Command and Control server is to quarantine any systems exhibiting this activity, run the prescribed scans to detect and remove any malware on that system and broaden the hunt to encompass past connections or attempts from within your network.

If you’re ready to see how the wire speed of Milton Security’s Argos Platform in conjunction with our human Threat Hunt Teams can help quickly mitigate DGAs and defend your network against malicious actors, sign up for our free 15-day Proof of Value and see for yourself.