Gunter Ollmann, Damballa
New families of crimeware are adopting domain generation algorithm (DGA) strategies in order to locate their fragile command and control infrastructure, purposefully evade blacklist-enabled protection systems, and make domain seizures and takedowns by law enforcement impractical. As DGA functionality quickly becomes a standard feature of crimeware DIY construction sets and each cybercriminal tunes the algorithm to their purpose, legacy network-centric detection and mitigation strategies are failing. Malware families such as Conficker, Murofet, Sinowal and Bobax are classic (albeit old) examples of the relative success of DGA in thwarting perimeter filtering defences. Newer crimeware builds upon the lessons learned - optimizing the algorithms and the distribution of control servers.
This paper dives into the practicalities of DGA-based command and control discovery, outlines the problems facing the static reputation systems and filtering technologies for which this evasion technique was developed, and identifies a number of new techniques that not only identify the victims of DGA-based crimeware, but also distinguish between algorithms and criminal operators - with or without prior knowledge of the malicious binary or crimeware family.
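As an added illustration of the detection problem the abstract describes (this is example code, not from the paper or from Damballa), the block below shows why a static blocklist misses DGA traffic and how a victim host can instead be flagged from the resolver's own records: an infected client that walks a generated domain list produces a burst of NXDOMAIN answers for high-entropy names that appear on no reputation list. The log format, the thresholds, the sample records and the blocklist contents are constructed assumptions for this example.

```python
"""Defender-side heuristic for spotting hosts that query like DGA-infected
victims, using only DNS query/response records.  Added example; the log
format, thresholds and sample data are constructed assumptions."""
import math
import re
from collections import defaultdict

# Constructed resolver log: "<client> <qname> <rcode>", one record per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.9 qxzvbtkwpmrl.com NXDOMAIN
10.0.0.9 jhtrwlqpzvkx.net NXDOMAIN
10.0.0.9 mvxkqzptbwlr.org NXDOMAIN
10.0.0.9 zkptlwqvbxmr.com NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 wtbxqlzkmvrp.info NXDOMAIN
10.0.0.9 rpmvkxlqzwbt.biz NXDOMAIN
"""

# A static blocklist of the kind the abstract says DGA is built to evade.
# Constructed for the example: none of the generated-looking names are on it.
STATIC_BLOCKLIST = {"known-bad.example.org", "old-c2.example.net"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname: str) -> str:
    """Label directly left of the TLD, by a naive split on dots.
    Assumption: two-part suffixes such as co.uk are not handled here."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Yield (client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def score_clients(text: str, nx_ratio=0.5, min_queries=5, entropy_bits=3.2):
    """Aggregate per client: query count, NXDOMAIN ratio and mean entropy of
    the queried second-level labels.  A client is flagged only when it has
    enough queries AND a high NXDOMAIN ratio AND high-entropy names, so a
    single typo or a busy legitimate host does not trip the heuristic.
    Returns {client: (queries, nx_ratio, mean_entropy, suspicious)}."""
    stats = defaultdict(lambda: {"n": 0, "nx": 0, "ent": 0.0})
    for client, qname, rcode in parse_log(text):
        s = stats[client]
        s["n"] += 1
        s["nx"] += int(rcode == "NXDOMAIN")
        s["ent"] += shannon_entropy(registered_label(qname))
    out = {}
    for client, s in stats.items():
        ratio = s["nx"] / s["n"]
        mean_ent = s["ent"] / s["n"]
        flagged = (s["n"] >= min_queries and ratio >= nx_ratio
                   and mean_ent >= entropy_bits)
        out[client] = (s["n"], round(ratio, 2), round(mean_ent, 2), flagged)
    return out


def blocklist_hits(text: str) -> int:
    """Number of queries the static blocklist would have caught."""
    return sum(1 for _, q, _ in parse_log(text) if q.lower() in STATIC_BLOCKLIST)


if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(SAMPLE_LOG))
    for client, (n, ratio, ent, flagged) in score_clients(SAMPLE_LOG).items():
        print(f"{client}: queries={n} nx_ratio={ratio} entropy={ent} "
              f"{'SUSPECT' if flagged else 'ok'}")
```

On the constructed sample the blocklist catches nothing, while 10.0.0.9 is flagged (7 queries, NXDOMAIN ratio 0.86, mean label entropy 3.43 bits) and 10.0.0.5 is not. The behavioural score needs no prior knowledge of the binary or its algorithm, which is the property the abstract argues for; in practice the thresholds would be tuned against baseline traffic, and the per-client NXDOMAIN pattern is what then lets an analyst group victims by the algorithm they share.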