Malware authors are creating flexible domain generation algorithms (DGAs) to avoid detection and prevent the good guys from shutting down their botnets.
DGAs are generally a fallback mechanism for sending instructions to infected computers when the hard-coded command and control (C&C) servers become unavailable.
The algorithms generate a list of unique pseudo-random domain names every day. Clients in a botnet attempt to connect to them and receive commands when the primary servers are not available.
Knowing the algorithm allows malware authors to predict which domain names infected computers will attempt to access on a certain date, so they can register one of them in advance.
The Conficker worm used a domain generation algorithm for receiving instructions from its creators. This brought the technique to the public’s attention for a short time in 2009.
However, DGAs have advanced considerably since then, said Gunter Ollmann, vice president of research at network security vendor Damballa. There’s a trend in malware development to implement DGAs in order to evade security systems that rely on domain name reputation, blacklists or signatures.
Customizable DGA modules are now available for some of the most popular crimeware packs, such as ZeuS, which means each botnet based on them will contact its own list of domain names.
That makes it very hard to shut them down, especially for law enforcement authorities, which have little time — around 24 hours — to investigate a C&C server, Ollmann said.
By the time the authorities get a subpoena and take control of a temporary domain name to perform forensics, the cyber criminals will likely already have switched to a new one.
Even security vendors have had a hard time identifying the use of DGAs in certain types of malware or accounting for it when building detection, Ollmann said.
Damballa has identified six new malware families that use DGA for evasion purposes during the past 12 months. Cybercrime organizations make good use of those malware families.