Domain Generating Algorithms (how botnets use DNS to connect to their C&C server)
Malicious adversaries are as sneaky as they are intelligent. They have the creativity and ingenuity to create malware and botnets that can bring an enterprise’s entire network to its knees, causing interruption of critical services and compromising sensitive, valuable data.
A botnet is a collection of malware-compromised machines that an operator controls through a command and control (C&C) communication channel. Using these machines, the operator can carry out a range of malicious activities: exfiltrating private information, spamming, phishing, DDoS attacks and so on. Botnets have become one of the most prevalent threats in the current cybersecurity space. To evade detection, many botnets use DNS to organize and control the infected hosts. Earlier techniques include Dynamic DNS and fast flux; more recent botnets use Domain Generation Algorithms (DGAs for short) to locate their command-and-control infrastructure.
Bad actors and malware authors rely on domain names: once malware has compromised a host, it looks up a domain to find its back-end systems or C&C servers. If that rendezvous point were a single fixed domain, a defender could block it easily. For this reason, bad actors periodically generate a large number of candidate domains, which makes the bad domain difficult to block, particularly as it keeps changing.
Think of Domain Generation Algorithms this way: if someone throws you a single tennis ball, it's easy to catch. But if someone throws 100 tennis balls your way, what are the chances you're going to catch all of them?
Essentially, a DGA generates a list of domains over time. These are the rendezvous points where the infected hosts and the C&C server meet, and they keep the back-end services on the move. When the malware reaches its C&C server through one of these domains, the adversary can issue commands and update the payload without that one connection standing out. How often new domains are generated is entirely up to the adversary, who can design the DGA to produce them at whatever interval suits.
While these domains may look random, they are produced systematically and follow a pattern that the malware in question understands: the algorithm is typically keyed on something both sides already know, such as the current date, so the bot and its operator compute the same list without ever exchanging it. The bad actor only needs to register one of the generated names in advance, and can do so at whatever frequency is useful: every day, every hour or even every minute. Because the names are generated rather than hard-coded, blocking any one of them does not cut the malware off; it simply moves on to the next candidate, and by the time one domain is detected and blocked, the malware has often already spread elsewhere. One of the dangers of DGAs is that they keep cyber security professionals and threat hunters guessing as they try to find commonality among the mix of random-looking names, or in the destinations those names resolve to.
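To make that pattern concrete, here is a toy date-seeded DGA in Python, written as an added example for this article. It is not code from any real malware family and not BlueCat's; the shared seed value, the SHA-256 construction, the name lengths and the TLD list are all assumptions chosen for illustration.

```python
import hashlib
from typing import List, Optional, Set

# Toy DGA constructed for this example. The seed, the hash construction and the
# TLD list are assumptions; they are not taken from any real malware family.
SHARED_SEED = b"example-seed"          # hard-coded in the bot and known to the operator
TLDS = (".com", ".net", ".org")


def dga_domains(period: str, count: int = 10, seed: bytes = SHARED_SEED) -> List[str]:
    """Return the candidate rendezvous domains for one time period.

    `period` is the time bucket the algorithm is keyed on, e.g. "2020-01-01" for a
    daily DGA or "2020-01-01T13" for an hourly one. Bot and operator both derive
    the same list from (seed, period), so nothing has to cross the network for
    them to agree on where to meet."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + period.encode() + i.to_bytes(2, "big")).digest()
        length = 12 + digest[0] % 9                        # 12..20 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(label + TLDS[digest[-1] % len(TLDS)])
    return domains


def find_c2(period: str, registered: Set[str]) -> Optional[str]:
    """Bot-side rendezvous: walk the period's list until a name resolves.

    `registered` stands in for a DNS lookup succeeding; a real bot would resolve
    each name and stop at the first one that answers. The operator only needs to
    register one of the `count` names ahead of time; every other lookup the bot
    makes on the way there comes back NXDOMAIN."""
    for domain in dga_domains(period):
        if domain in registered:
            return domain
    return None


if __name__ == "__main__":
    today = dga_domains("2020-01-01")
    print("\n".join(today))
    # Operator registered the fourth candidate; the bot finds it after three misses.
    print("C2 for the day:", find_c2("2020-01-01", {today[3]}))
```

Changing `period` from a date to a date-plus-hour string is all it takes to move from a daily to an hourly schedule, which is the "whatever frequency is useful" knob described above. Note also that the bot's three failed lookups before the hit are exactly the NXDOMAIN trail a defender can look for.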
How can you protect yourself against the Domain Generation Algorithm technique?
One approach to detecting and defending against DGAs lies in the DNS data: monitor the DNS queries. A host issuing a high rate of queries for non-existent domains (NXDOMAIN responses) is a strong sign of a DGA, because the bot tries many candidate names and only one of them is actually registered. The malicious domains themselves are also structured differently from legitimate ones: they are often long, seemingly random strings of characters, whereas legitimate domains are chosen to be easy to remember. By collecting these seemingly random domains, patterns eventually emerge, either in the names themselves or in the destinations that the few resolving names point to.
This is one of the ways BlueCat's Intelligent Security platform detects domain generation algorithms. Yes, there is a high volume of data to comb through, and these domains generate an overwhelming amount of DNS log traffic. However, there are always strategies, patterns and hints you can leverage to find the malicious-domain needle in the haystack of DNS data.
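The two signals described above, NXDOMAIN volume per client and the lexical shape of the queried names, can be checked directly over query logs. The following Python is an added example written for this article, not part of BlueCat's platform or any vendor's product; the log line format, the sample lines and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
from typing import Dict

# Constructed sample DNS query log. The "epoch client qname rcode" layout is an
# assumption for this example, not any resolver's or vendor's real log format.
# 10.0.0.5 is an ordinary client with one typo; 10.0.0.7 is walking a DGA list
# and finally hits the one registered name.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000002 10.0.0.5 exmaple.com NXDOMAIN
1700000003 10.0.0.5 update.example.org NOERROR
1700000004 10.0.0.7 www.example.com NOERROR
1700000005 10.0.0.7 kqzvfhtwpmxbjcrl.net NXDOMAIN
1700000006 10.0.0.7 xmbwtqrsvfjkplzu.com NXDOMAIN
1700000007 10.0.0.7 gdnhyrtpwqvkxzbm.org NXDOMAIN
1700000008 10.0.0.7 cvbnmlkjhgfdsaqw.net NXDOMAIN
1700000009 10.0.0.7 qwplmnbvcxzasdfg.com NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Crude second-level label: 'www.example.com' -> 'example'.
    Assumption: multi-label public suffixes such as co.uk are not handled."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Lexical heuristic: a long label with a near-uniform character distribution.
    Thresholds are assumptions and should be tuned per environment."""
    label = registrable_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_dga_clients(log_text: str, min_nx: int = 3, min_generated: int = 2) -> dict:
    """Return {client: summary} for clients whose NXDOMAIN pattern looks DGA-driven.

    A client is flagged when it produced at least `min_nx` NXDOMAIN answers and at
    least `min_generated` of those names pass the lexical test. Generated-looking
    names that *did* resolve are reported as candidate rendezvous (C&C) domains."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "generated_nx": [], "resolved_generated": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _ts, client, qname, rcode = raw.split()
        s = stats[client]
        s["queries"] += 1
        generated = looks_generated(qname)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            if generated:
                s["generated_nx"].append(qname)
        elif generated:
            s["resolved_generated"].append(qname)

    flagged = {}
    for client, s in stats.items():
        if s["nxdomain"] >= min_nx and len(s["generated_nx"]) >= min_generated:
            flagged[client] = {
                "nxdomain_ratio": s["nxdomain"] / s["queries"],
                "generated_nxdomain": s["generated_nx"],
                "candidate_c2": s["resolved_generated"],
            }
    return flagged


if __name__ == "__main__":
    for client, summary in find_dga_clients(SAMPLE_LOG).items():
        print(client, summary)
```

Keying the lexical check on NXDOMAIN answers rather than on every query matters: plenty of legitimate services use long, machine-generated hostnames, but those names resolve. A client that repeatedly asks for high-entropy names that do not exist, and then one that does, is the DGA walk itself, and the resolving name is the one worth blocking and investigating first.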
Learn more about how you can leverage Intelligent Security to eliminate ways attackers can exploit DNS, detect and block cyberattacks, and investigate incidents to reduce the time to remediation.