Malware Domain Generating Algorithms are becoming more sophisticated

Malware cut off from its C&C servers is effectively useless to its masters, so they are continually trying to find new ways of maintaining that connection at all times.

Hardcoding the C&C servers’ URL into the malware is one (poor) solution.Peer-to-peer communication is another one. Hiding the C&C servers in the Tor anonymity network is the latest one.

Changing C&C domains every few hours and using an algorithm to allow the malware to discover these domains at specific times is also still very popular. Through the years, botnet masters have continued to make the Domain Generating Algorithms more complex, i.e. more difficult to prevent and detect.

“A prime example of the evolution of Domain Generating Algorithms can be seen in a recently discovered new variant of the Matsnu trojan,” Seculert researchers noted.

Matsnu’s DGA includes inputs for nouns and verbs, and can even pull from a word list. The word list includes 878 nouns and 444 verbs. A verb list also includes another mixture of nouns at the end of the list.”

The botmaster can also change other things. For example, he can choose how many domains will be generated every day, and whether some old domains should be reused. In essence, the DGA is configurable.

The malware itself does what it did before: collects system information and sends it to the C&C server, downloads additional malicious files, ensures its persistence on the infected machine.

But the real improvement is in the Domain Generating Algorithm – and not only in this particular type of malware.

A Gameover ZeuS variant spotted in July 2014 has a new algorithm that makes it generate 1,000 domains per day instead of per week as before. The newest Tiny Banker (Tinba) variant uses a DGA based on a hard-coded domain and seed which are unique to each sample generating 1,000 unique domains.

The new DGAs are an attempt to avoid the latest detection technologies, such as the machine learning phonetic algorithms that concentrate on finding domain names using random characters and having no actual meaning.

Share this