What is a domain generation algorithm (DGA)?
A domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures.
Cybercriminals and botnet operators embed DGAs in malware so that it can generate hundreds of new, random-looking domains and switch between them during an attack, which makes it harder for the targeted victim to block or take down those domains.
Changing domain names helps hackers by preventing their servers from being blocklisted or taken down by their targeted victims. The idea is to have an algorithm produce random domain names that the malware can use and quickly switch between. Security software typically blocks and takes down the malicious domains that malware uses, so switching domains quickly enables cybercriminals to continue pursuing the attack.
DGAs are one of the best-known methods for making it harder for malware victims to defend against attacks. They have been in use for over 10 years, and some DGA-based malware remains difficult for defenders to counter. Recent examples of malware that used a DGA to generate domains for its command-and-control (C&C) servers include Conficker, Zeus and Dyre.
How does a DGA work?
DGAs periodically generate a large number of domain names. These domains act as a rendezvous point for malware C&C servers.
DGAs are pseudorandom generators that construct random-looking sequences of characters and use them to form domain names. A DGA can also draw words from a dictionary to construct domains; the dictionary is either hardcoded in the malware or fetched from an accessible source. DGA generators are normally seed-based and can produce thousands of domain names. Because the seed is known to both sides, the same sequence is generated on the infected client and on the attacker's side without any communication between them. This lets the attacker know beforehand which domain names the malware will try. The attacker then registers one domain from the sequence, which becomes the communication channel -- or rendezvous point -- for the malware.
If a domain is identified as malicious and taken down, the domain and the C&C server behind it are quickly switched.
DGAs also have benign uses. For example, if a website owner wants to use the domain name mysite.com and a search on a domain name registrar's site shows that the desired name is not available, a DGA running in the background of the site might suggest 50 similar names that actually are available.
How does malware use a DGA?
Security software can quickly block malware that depends on a fixed domain or Internet Protocol (IP) address. In response, attackers use DGAs to switch the malware to a new domain at regular intervals, instead of shipping a new version of the malware or setting up a new server every time a domain is blocked. The large number of potential rendezvous points makes it difficult for law enforcement to shut the malware down effectively. Adding public key cryptography to the malware's code makes it harder still for anyone other than the operators to mimic commands from the malware's controllers.
Botnets are collections of internet-connected devices that are infected with and controlled by malware. Botnet operators have found that they can use DGAs to hide the operator's C&C server and evade detection by blocklists, signature filters, reputation systems, intrusion prevention systems, security gateways and other security controls. The scheme, called domain fluxing, is similar to hiding a needle (the C&C server) in a haystack (a long list of IP addresses).
Best practices for detecting and protecting against DGA-fueled malware
A DGA does not harm the victim directly; rather, it enables a malware attack. The methods an organization uses to prevent ordinary malware attacks also work against attacks that use DGAs. These best practices include using security software that can block malware, keeping software up to date and not opening attachments from unknown sources.
There are also methods that counter DGAs directly:
- Anti-DGA technologies can use machine learning and big data analytics to flag irregular domain activity. They use automated prediction to anticipate, block and assist with taking down malicious sites.
- Deep learning techniques can detect DGA domain names using long short-term memory (LSTM) and convolutional neural network (CNN) models.
- DGAs are not used only by attackers: an organization can use a DGA to bypass ad blockers. The constant switching of domains -- domain fluxing -- evades detection by ad blockers' blocklists, signature filters, reputation systems and other security controls.
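As an added example that is not part of the original article, the Python script below applies the kind of simple lexical features that anti-DGA detectors build on (character entropy, digit ratio and consonant runs) to constructed DNS query log lines and reports clients that repeatedly query DGA-looking names. The log format, the sample lines and the thresholds are assumptions made for this example.

```python
import math
import re
# Constructed sample of DNS query log lines ("<client-ip> <queried-name>"), not real traffic.
SAMPLE_DNS_LOG = """\
10.0.0.12 www.example.com
10.0.0.12 mail.google.com
10.0.0.45 xq7vb2kd9mzpwlt4.com
10.0.0.45 hj3kf8wq2nx0vzr.net
10.0.0.45 ptdl4msk9qzwxhb7.org
10.0.0.77 cdn.jsdelivr.net
"""

# Heuristic thresholds: assumptions chosen for this sample, not values from any product or paper.
ENTROPY_THRESHOLD = 3.5        # bits per character of the registrable label
DIGIT_RATIO_THRESHOLD = 0.2    # fraction of the label that is digits
CONSONANT_RUN_THRESHOLD = 4    # longest run of consonants; dictionary words rarely exceed this

def shannon_entropy(text: str) -> float:
    """Entropy of the character distribution; random-looking labels score higher."""
    n = len(text)
    return -sum(text.count(ch) / n * math.log2(text.count(ch) / n) for ch in set(text))

def registrable_label(qname: str) -> str:
    """Second-level label of the queried name (assumes a one-label TLD; no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname: str) -> dict:
    """Compute lexical features for one name and flag it when at least two thresholds trip."""
    label = registrable_label(qname)
    entropy = shannon_entropy(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", label)   # 'y' is treated as a vowel here
    consonant_run = max((len(r) for r in runs), default=0)
    tripped = sum([entropy >= ENTROPY_THRESHOLD, digit_ratio >= DIGIT_RATIO_THRESHOLD,
                   consonant_run >= CONSONANT_RUN_THRESHOLD])
    return {"label": label, "entropy": round(entropy, 2), "digit_ratio": round(digit_ratio, 2),
            "consonant_run": consonant_run, "suspicious": tripped >= 2}

def find_suspicious_clients(log_text: str, min_hits: int = 2) -> dict:
    """Map client IP -> DGA-looking names for clients with at least min_hits such queries."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        if dga_score(qname)["suspicious"]:
            hits.setdefault(client, []).append(qname)
    # Requiring repeated hits per client cuts false positives from a single odd-looking CDN name.
    return {client: names for client, names in hits.items() if len(names) >= min_hits}
```

Running find_suspicious_clients(SAMPLE_DNS_LOG) reports only 10.0.0.45, the client that queried three random-looking names, while the legitimate queries from the other clients stay below the thresholds.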