Domain Generation Algorithm
Attackers developed DGAs so that malware can quickly generate a list of domains for the sites that give it instructions and receive information from it, usually referred to as command and control (C2).
Adversaries may make use of domain generation algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. A DGA is a technique employed by malware authors to defeat takedowns or blacklisting of the C&C domains. To understand the need for domain generation algorithms we must first look at how command and control servers have evolved over time and which methods are available to shut them down.
Traditionally, malware had hard-coded domain names or IP addresses to connect directly with the command and control (C&C or C2) server. The use of public key cryptography. These kinds of C&C servers were easy to detect and eliminate: since the IP address of such a server is known, all that is required to take it down is contacting the Internet service provider or cloud provider.
A DGA is used to generate a large number of domain names for the C&C server. In contrast to hard-coded addresses, DGAs use algorithms to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers (MITRE ATT&CK T1568.002). Constantly changing the domain name of the C&C server by means of a DGA is known as domain fluxing.
What are domain generation algorithms (DGAs)? All DGAs are based on a static and a dynamic seed, which ensures that the domains are constantly changing. The domain body generator is the main part of a DGA and can be basically anything: a random string of characters, a concatenation of random words, a constant part followed by a changing suffix, and so on.
A domain generation algorithm is a program designed to generate domain names in a particular fashion. A DGA is a computer program that creates slightly different variations of a given domain name. The remaining components are a set of top-level domains (TLDs) and the seed; often the seed is simply the current date in some standard format.
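The following added example (not code from the page, and not the algorithm of any real malware family) puts the three parts just described together: a static seed, a date-based dynamic seed, a hash-driven body generator and a small TLD set. It then shows the two things a defender does once a family's DGA has been reversed: enumerate the domains the sample will try over a window so they can be sinkholed or blocked ahead of time, and score resolver logs for clients that burn through NXDOMAIN answers for random-looking names, which is the footprint of a bot walking its daily list. The seed value, TLD list, label length, log format and log lines are all constructed for illustration.

```python
"""Toy date-seeded DGA together with two defender-side uses of it:
(1) precomputing the domains a sample will try, so they can be sinkholed or
    blocked in advance, and
(2) flagging clients whose DNS logs show bursts of NXDOMAIN answers for
    random-looking names (the typical footprint of unregistered DGA domains).
Every parameter and log line here is constructed for illustration."""
import datetime as dt
import hashlib
import math
from collections import Counter, defaultdict

# Hypothetical DGA parameters; for a real family they come from reversing the sample.
STATIC_SEED = b"example-static-seed"  # static seed baked into the binary
TLDS = ["com", "net", "org", "info"]  # TLD set the algorithm picks from
LABEL_LEN = 12                         # length of the generated label
DOMAINS_PER_DAY = 8                    # rendezvous candidates per day


def dynamic_seed(day: str) -> bytes:
    """Dynamic seed: the date ("YYYY-MM-DD") reduced to a fixed YYYYMMDD format."""
    return dt.date.fromisoformat(day).strftime("%Y%m%d").encode()


def generate_domains(day: str, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Body generator: sha256(static seed || dynamic seed || index) mapped to letters."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(STATIC_SEED + dynamic_seed(day) + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start: str, days: int) -> set[str]:
    """Enumerate every domain the sample will try over a window of days."""
    first = dt.date.fromisoformat(start)
    return {d for n in range(days)
            for d in generate_domains((first + dt.timedelta(days=n)).isoformat())}


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registered_label(qname: str) -> str:
    """Second-level label, e.g. 'example' for 'mail.example.com'.
    Simplification: treats the last label as the whole public suffix (no co.uk handling)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Cheap heuristic for DGA-style names: a long, high-entropy registered label.
    Short typos and dictionary words fall below one of the two thresholds."""
    label = registered_label(qname)
    return len(label) >= min_len and label_entropy(label) >= min_entropy


# Constructed resolver log, format: "<timestamp> <client_ip> <qname> <rcode>".
SAMPLE_DNS_LOG = [
    "2024-03-01T10:00:01Z 10.0.0.5 xkqzvbpwtrmj.com NXDOMAIN",
    "2024-03-01T10:00:02Z 10.0.0.5 hgdlsnycfexa.net NXDOMAIN",
    "2024-03-01T10:00:03Z 10.0.0.5 vtpmzqkwbrjx.org NXDOMAIN",
    "2024-03-01T10:00:04Z 10.0.0.7 www.example.com NOERROR",
    "2024-03-01T10:00:05Z 10.0.0.7 mail.example.org NOERROR",
    "2024-03-01T10:00:06Z 10.0.0.7 exmaple.com NXDOMAIN",
]


def flag_dga_clients(lines, blocklist=frozenset(), threshold: int = 3) -> dict[str, int]:
    """Score each client: +1 per NXDOMAIN for a generated-looking name, and an
    immediate full score for any query matching the precomputed list.
    Returns the clients whose score reached the threshold."""
    score = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if qname in blocklist:
            score[client] += threshold
        elif rcode == "NXDOMAIN" and looks_generated(qname):
            score[client] += 1
    return {c: s for c, s in score.items() if s >= threshold}


if __name__ == "__main__":
    today = "2024-03-01"
    print("candidates for", today, generate_domains(today))
    print("flagged clients:", flag_dga_clients(SAMPLE_DNS_LOG, precompute_blocklist(today, 7)))
```

The entropy heuristic alone is noisy (CDN hostnames and hashed subdomains also look random), which is why the score only counts NXDOMAIN answers and why a hit against the precomputed list outranks it: once the generator is known, exact matching on tomorrow's domains is both cheaper and far more precise than any statistical test.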
The large number of potential rendezvous points makes it difficult for law enforcement to effectively shut down botnets, since infected computers will attempt to contact some of these domain names every day to receive updates or commands. The domain generation algorithm from the Kraken malware (ThreatExpert): walking through the assembly code shows that the domain is generated from a seeded algorithm which generates a complete URL with a. This has the advantage of making it much harder for defenders to block, track or take over the command and control channel as.