Domain Generation Algorithm Attack
What is a domain generation algorithm (DGA)?
Attackers developed DGAs so that malware can quickly generate a long list of candidate domains for the sites that send it instructions and receive data from it, usually referred to as command and control (C2). Many different algorithms are used to generate these domains, but a large share of them are simplistic and produce names that are easy to detect with classical machine-learning techniques applied to lexical features of the domain. Adversaries may use DGAs to procedurally generate domain names for C2 communication and for other uses such as malicious application distribution.
Over the last decade DGAs have become a popular tool for threat actors delivering malware, because they are a difficult technique for defenders to counter. A DGA is an algorithm, seen in various malware families, that periodically generates a large number of domain names which can serve as rendezvous points with the malware's command and control servers. The large number of potential rendezvous points makes it difficult for law enforcement to shut a botnet down by seizing or blocking domains, since infected computers will simply attempt the next candidates in the list.
These domains serve as rendezvous points between infected hosts and the servers that command and control them. Most DGAs derive their output from a seed: typically a static seed that is hard-coded in the malware is combined with a dynamic seed such as the current date, so the set of candidate domains changes constantly while remaining reproducible by anyone who knows both seeds.
Malware can use a DGA to dynamically generate a set of candidate domains at regular intervals and then try them in turn to reach the C2 server. The botnet operator uses the same DGA to compute the domain names in advance, registers one of them, and thereby ensures that a DGA domain is resolvable at the time when the bots attempt to reach it.
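The seed mechanics described above, as an added example that is not code from the original page or from any real malware family: a toy DGA (the SHA-256 construction, the seed value, the TLD list and the 20-per-day count are all assumptions made for this illustration) that derives each day's candidate list from a hard-coded static seed plus the calendar date, the operator's pre-computation of which domain to register, and the bot walking the same list until one name resolves.

```python
import hashlib
from datetime import date, timedelta

# Toy DGA constructed for this example. The hashing scheme, the seed value and
# the TLD list are assumptions; no real malware family is modelled here.
STATIC_SEED = b"example-campaign-seed"   # would be hard-coded in the sample
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 20


def generate_domains(static_seed: bytes, day_iso: str, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the candidate list for one day.

    static seed  : fixed per campaign, shared by the malware and its operator
    dynamic seed : the calendar date (YYYY-MM-DD), so the list rolls over daily
    Domain i is SHA-256(static || YYYYMMDD || i); the first 6 digest bytes
    become a 12-character hex label and byte 6 selects the TLD.
    """
    day = date.fromisoformat(day_iso)
    dynamic_seed = day.strftime("%Y%m%d").encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(static_seed + dynamic_seed + i.to_bytes(4, "big")).digest()
        label = digest[:6].hex()
        tld = TLDS[digest[6] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def operator_registration_plan(static_seed: bytes, start_iso: str, days: int, pick: int = 0) -> dict:
    """Operator side: same seed, same dates, so every candidate is known in
    advance and only one domain per day (index `pick`) needs registering."""
    start = date.fromisoformat(start_iso)
    plan = {}
    for offset in range(days):
        day_iso = (start + timedelta(days=offset)).isoformat()
        plan[day_iso] = generate_domains(static_seed, day_iso)[pick]
    return plan


def bot_rendezvous(static_seed: bytes, day_iso: str, resolvable: set):
    """Bot side: walk today's list and return the first domain that resolves.
    `resolvable` stands in for a DNS lookup; None means no rendezvous today."""
    for candidate in generate_domains(static_seed, day_iso):
        if candidate in resolvable:
            return candidate
    return None


if __name__ == "__main__":
    plan = operator_registration_plan(STATIC_SEED, "2024-01-15", 3, pick=4)
    for day_iso, registered in plan.items():
        found = bot_rendezvous(STATIC_SEED, day_iso, {registered})
        print(day_iso, "operator registers", registered, "-> bot finds", found)
```

The defender's problem is visible in the numbers: blocking the one registered name achieves nothing the next day, while sinkholing requires reproducing the full list, which in turn requires recovering the static seed from the sample.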
DGAs increase the difficulty for defenders to block, track or take over the command and control channel, as there could be thousands of domains that the malware can check for instructions.
Domain generation algorithms create a constantly moving target that defenders struggle to hit with a blocklist. A domain generation algorithm is simply a program designed to produce domain names in a particular, reproducible fashion, so by the time one name is blocked the malware has moved on to the next candidate. Figure 9 shows example network communications between a POWRUNER backdoor.
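Because a blocklist cannot keep up, detection usually targets the names themselves, which is the point made earlier about simplistic DGAs being easy to catch with classical machine learning. The following is an added example, not code from the original page: it computes the lexical features such a classifier would consume (character entropy, vowel ratio, digit ratio, longest run without a vowel) and applies a simple two-of-four threshold rule. The sample domain list is constructed for this illustration (the DGA-like names are invented, not taken from any campaign), and the thresholds are assumptions tuned only to that sample. It also shows the known blind spot: a word-list DGA that produces pronounceable names slips through lexical features.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample: the benign names are well-known sites, the DGA-like
# names were invented for this example and are not from any real campaign.
SAMPLE_DOMAINS = [
    "google.com",
    "microsoft.com",
    "stackoverflow.com",    # long benign name: high entropy on its own
    "xk3qv9wzt7pm.net",     # random-looking, letters and digits
    "a9f3c0e7b2d1.com",     # hex-style label
    "qwxzvbnmkjhg.net",     # random-looking, letters only
    "tableweather.com",     # word-list style DGA: pronounceable, evades these features
]


def second_level_label(domain: str) -> str:
    """Naive: the label left of the last dot. A real deployment should use the
    public suffix list so that bbc.co.uk yields 'bbc' rather than 'co'."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character over the label's own character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_nonvowel_run(s: str) -> int:
    """Longest stretch of consecutive characters that are not vowels; a
    hyphen also breaks the run."""
    longest = run = 0
    for ch in s:
        run = 0 if (ch in VOWELS or ch == "-") else run + 1
        longest = max(longest, run)
    return longest


def lexical_features(domain: str) -> dict:
    label = second_level_label(domain)
    letters = [c for c in label if c.isalpha()]
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "digit_ratio": sum(c.isdigit() for c in label) / len(label) if label else 0.0,
        "longest_nonvowel_run": longest_nonvowel_run(label),
    }


def is_suspicious(domain: str) -> bool:
    """Threshold rule over the features a classical classifier would consume.
    Two or more indicators flag the name; the thresholds are assumptions
    tuned to SAMPLE_DOMAINS, not production values."""
    f = lexical_features(domain)
    score = (
        (f["vowel_ratio"] < 0.25)
        + (f["longest_nonvowel_run"] >= 5)
        + (f["digit_ratio"] >= 0.2)
        + (f["entropy"] >= 3.3)
    )
    return score >= 2


def triage(domains):
    """Return the subset flagged as DGA-like, e.g. from a day's DNS query log."""
    return [d for d in domains if is_suspicious(d)]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        f = lexical_features(d)
        print(f"{d:20} ent={f['entropy']:.2f} vow={f['vowel_ratio']:.2f} "
              f"dig={f['digit_ratio']:.2f} run={f['longest_nonvowel_run']:2d} "
              f"-> {'DGA?' if is_suspicious(d) else 'ok'}")
```

Note that entropy alone would misfire on "stackoverflow.com" (about 3.5 bits, as high as the random labels), which is why the rule requires two indicators; and that "tableweather.com" scores zero, so word-list DGAs need other signals such as query volume, NXDOMAIN rates or registration age rather than lexical features.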