Malware that relies on DNS for C&C communication has traditionally carried hard-coded C&C domain names in its binary. A malware analyst can recover those names by reverse engineering the sample and blacklist or sinkhole them. To evade that kind of takedown, malware authors adopted a technique called a Domain Generation Algorithm (DGA).
A Domain Generation Algorithm (DGA) is logic the adversary embeds in the malware binary to periodically generate a large number of pseudo-random domain names, most of which are never registered, as candidate names for the Command-and-Control (C&C) server. The malware then tries to resolve the generated names one after another, sending DNS queries until one of them resolves to the IP address of a C&C server. The DGA-generated names therefore act as rendezvous points between the malware and its C&C server. DGAs are used to make the C&C infrastructure resistant to takedown and blacklisting.
Because the adversary knows the algorithm and its seed, the adversary can generate exactly the same list of domain names that the malware will generate. That lets the adversary predict which names the infected machines (bots) will query on a given date and time, and register one of the names expected from the DGA in advance.
The malware generates thousands of candidate C&C domain names per day and queries all of them in its attempt to resolve the C&C server's IP address. Eventually it queries the adversary's newly registered name, obtains the C&C IP address, and starts communicating with the server to receive commands and updates. The adversary typically registers the domain name about an hour before an attack and abandons it within 24 hours.
How Domain Generation Algorithm (DGA) Works:
A Domain Generation Algorithm (DGA) has two components:
- The seed (a shared secret)
  - Static seed
  - Dynamic seed
- Top-level domains (TLDs)
The DGA takes the seed as its input parameter, generates pseudo-random strings from it, and appends a TLD (.com, .org, .ca, .ru) to each string to produce candidate domain names.
The seed is the base element of the DGA: a shared secret known to both the adversary and the malware. It is the aggregate set of parameters the adversary supplies for generating pseudo-random domain names, and it is the main input a DGA requires. The static seed can be a dictionary of words, a concatenation of random strings and numbers, or anything else the adversary can choose at will. Dynamic seeds are time dependent; the seed changes as time passes. Daily trending Twitter hashtags, the least-significant digits of a foreign exchange rate, or weather temperatures can all serve as dynamic seed values, but most often the current date and time is used. The algorithm combines the static and dynamic seed elements to produce pseudo-random strings, then appends a TLD such as .com, .ru or .ca to each string to form a domain name.
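The following is an added example, not code from any real malware family, that shows the two-component design above (a static seed mixed with the date as the dynamic seed, plus a TLD chosen from a fixed set) and the rendezvous described earlier: the adversary runs the same function ahead of time, registers one predicted name, and the bot finds it by walking the list. The seed value, the TLD set, the hash-based mixing step and the stub resolver are all assumptions made for the example; the IP address is a documentation (TEST-NET-3) address.

```python
import hashlib
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

# Constructed values for this example only; a real family has its own
# static seed and its own TLD list, and the mixing step may be anything
# from a simple LCG to a hash as used here.
STATIC_SEED = b"example-family-seed"
TLDS = (".com", ".org", ".ru", ".ca")


def generate_domains(day: date, count: int = 20, length: int = 12,
                     static_seed: bytes = STATIC_SEED) -> List[str]:
    """Derive `count` candidate C&C domain names for `day`.

    The static seed (shared secret) and the dynamic seed (the date) are
    mixed with SHA-256 together with a running index; the digest bytes
    select the label letters and the TLD. Anyone holding the seed and
    this function reproduces the list exactly, which is what lets both
    the adversary and the malware agree on the rendezvous names.
    """
    domains = []
    for index in range(count):
        material = static_seed + day.isoformat().encode() + index.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        # Map each digest byte to a lowercase letter for the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        # One further digest byte picks the TLD.
        tld = TLDS[digest[length] % len(TLDS)]
        domains.append(label + tld)
    return domains


def find_c2(candidates: List[str],
            resolve: Callable[[str], Optional[str]]) -> Optional[Tuple[str, str]]:
    """Bot side: query each candidate in order, stop at the first that resolves."""
    for name in candidates:
        ip = resolve(name)
        if ip is not None:
            return name, ip
    return None  # nothing registered yet; the bot retries on the next period


def make_stub_resolver(registered: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Offline stand-in for DNS: only names the adversary registered resolve."""
    return lambda name: registered.get(name)


def rendezvous_demo(day: date) -> Optional[Tuple[str, str]]:
    # Adversary side: predict the list for `day` in advance and register one entry.
    predicted = generate_domains(day)
    registered = {predicted[7]: "203.0.113.5"}  # constructed: TEST-NET-3 address
    # Bot side: derive the same list independently and walk it.
    return find_c2(generate_domains(day), make_stub_resolver(registered))


if __name__ == "__main__":
    today = date(2023, 5, 1)
    for name in generate_domains(today, count=5):
        print(name)
    print("rendezvous:", rendezvous_demo(today))
```

The same `generate_domains` call is what a defender uses once the seed and algorithm have been reverse engineered: run it for upcoming dates and pre-register or sinkhole the output before the adversary does.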
The adversary uses the DGA to generate a large number of pseudo-random domain names but registers only a small fraction of them for actual C&C use. This gives the C&C infrastructure a remarkable degree of agility and resilience and makes the C&C server much harder to take down. If the current C&C domain names or IP addresses are identified and taken down, the malware will eventually reach the relocated C&C server through DNS queries for the next set of DGA-generated domain names.