Domain Generation Algorithm Decoder
Part I: Decoding Domain Generation Algorithms (DGAs). Part II: Catching ZeusBot injection into explorer.exe. At this point you can go ahead and close the two parent processes, since we are not interested in their functionality for the sake of simply finding the DGA.
Domain Generation Algorithm Decoder. What are domain generation algorithms (DGAs)? Decoding Domain Generation Algorithms (DGAs), Part II: Catching ZeusBot injection into explorer.exe. Last week I talked about unpacking this binary for static analysis. A domain generation algorithm is a program that is designed to generate domain names in a particular fashion.
Attackers developed DGAs so that malware can quickly generate a list of domains that it can use for the sites that give it instructions and receive information from the malware, usually referred to as command and control (C2). Traditionally, malware used to have hard-coded domain names or IP addresses to connect directly with the command and control (C&C or C2) server. Domain generation algorithms (DGAs) are used to auto-generate domains, typically in large numbers, within the context of establishing a malicious command and control (C2) communications channel.
In a recent discovery, the RedDrip team was able to begin to decode the domain generation algorithm used in the SolarWinds compromise. This week I am going to talk about catching its injected entry point inside explorer.exe. It is a little more complicated than the Kraken malware's DGA.