Getting a Grasp on Domain Generation Algorithms

Tuesday, February 26, 2019 @ 05:02 PM gHale

EDITOR’S NOTE: The following is a Threat Brief from Palo Alto Networks’ Unit 42, which informs users about real-world threats and how they can prevent them.

One of the most important “innovations” in malware in the past decade is what’s called a Domain Generation Algorithm (DGA).

DGA is an automation technique attackers use to make it harder for defenders to protect against attacks. While DGA has been in use for over 10 years now, it’s still a potent technique that has been a particular challenge for defenders to counter.

RELATED STORIES
ARC: How to Prevent USB Attacks
ARC: Safety and Profitability Work Together
ARC: Safety, Security Hand in Hand
ARC: Security and Digital Transformation

The good news is there are emerging technologies that can better counter DGAs.

DGA is a program designed to generate domain names in a particular fashion. Attackers developed DGAs so malware can quickly generate a list of domains it can use for the sites that give it instructions and receive information from the malware (usually referred to as “command and control” or C2).

Attackers use DGA so they can quickly switch the domains they’re using for the malware attacks. Attackers do this because security software and vendors act quickly to block and take down malicious domains that malware uses. Attackers developed DGA specifically to counter these actions.

In the past, attackers would maintain a static list of malicious domains; defenders could easily take that list and start blocking and taking down those sites. By using an algorithm to build the list of domains, the attackers also make it harder for defenders to know or predict what domains will be used than if they had a simple list of domains. To get that list of domains the malware will use, defenders have to decode the algorithm which can be difficult.

Even then, taking down sites of malware using a DGA can be a challenge as defenders have to go through the process of working with ISPs to take down these malicious domains one by one. Many DGAs are built to use hundreds or even thousands of domains. And these domains are often up for only limited periods of time. In this environment blocking and taking down DGA-related domains quickly becomes a game of “whack a mole” that is sometimes futile.

No Harm, Plenty of Foul
DGA by itself can’t harm you. But it is an important piece that enables modern malware to try and evade security products and countermeasures. The importance and usefulness of DGA is best shown by the fact it’s been in regular and constant use since at least 2008. DGA was a key component in the Conficker attacks in 2008 and 2009 and part of its success.

What can I do about it?
Because DGA is a technique the fuels malware attacks, the things you can do to help prevent malware can also help prevent DGA-fueled malware attacks:
• Don’t open attachments that are unexpected or from unknown sources
• Don’t enable macros on attached documents without confirming that you can do so safely from the sender and your IT department
• Run security software that can help prevent malware attacks

In addition, new technologies are being developed that can more directly counter DGA-fueled attacks, particularly for organizations. In particular, security vendors are bringing automation to bear to counter the attackers’ automation. New anti-DGA technologies that leverage machine learning and Big Data are capable of countering DGA’s automation with automated prediction of their own that can anticipate, block, assist with malicious site takedowns or even, in some cases, prevent those malicious sites from being used in the first place.

You can also learn more about these new technologies and look at deploying them as an additional layer of protection.

Click here for the full Threat Brief.



Leave a Reply

You must be logged in to post a comment.