Understanding Domain Generation Algorithms (DGAs)

Originally published by Zscaler.

Domain generation algorithms (DGAs) are a moderately sophisticated technique used by malware authors and distributors to make their malicious infrastructure resilient and adaptable. DGAs dynamically generate many domain names that act as rendezvous points between malware and its command and control (C2) servers. Here we’ll dive into what DGAs are, some of their legitimate and malicious uses, detection and prevention techniques, and strategies for protecting organizations from DGA-based attacks.

What are DGAs?

A DGA is an algorithm that generates a seemingly random set of domain names on the fly, which malware uses to communicate with a C2 server. The attacker and the infected machine run the same algorithm, so both produce the same set of domain names from a shared input such as the current date or a seed value (derived, for example, from an original domain). This lets both parties know which domain will be active at a given time, keeping communication alive despite the frequent takedown of malicious domains by security teams or law enforcement.

How are DGAs used?

1. C2 communication

As stated above, the primary use of DGAs in the context of malware is C2 communication. Attackers use DGAs so that security teams cannot cut off access to their infrastructure by blocking a single IP address, domain name or fully qualified domain name (FQDN). Instead of relying on a fixed set of domains or IP addresses that can be blocked, the malware regularly attempts to contact one of hundreds or thousands of domains generated by the algorithm. Once the malware successfully connects to an active domain, it can download updates, exfiltrate data, or receive instructions.

2. Evasion and persistence

DGAs provide a mechanism for evasion. Since each new instance can generate hundreds or even thousands of potential C2 domains, it’s practically impossible for security teams to block all of them. Even if a domain is blocklisted, the malware can attempt to contact another domain from the same generation list the next day or even the next hour, making it resilient to most traditional blocking measures.

3. Redundancy in attack infrastructure

With DGAs, malware can continue operating even if portions of its C2 infrastructure are taken down. This redundancy ensures that attackers can maintain control over infected systems for extended periods, frustrating efforts to disrupt their activities. It also allows DDoS and other attacks to persist even when some of their components and dependencies are taken down.

Legitimate purposes for DGAs

While DGAs are primarily associated with malware, there are potential legitimate applications of this technology that make some organizations hesitant to block them completely.

1. High-availability systems

For critical systems that require redundancy and uptime, DGAs could theoretically be used to generate a list of alternative domain names to ensure uninterrupted communication in the event of a network failure or domain takedown. This would illustrate how technology designed for nefarious purposes can be put to legitimate ends.

2. Distributed content delivery

Like the concept of peer-to-peer networking, DGAs could be applied to content delivery networks (CDNs) that dynamically generate domains to distribute load and improve availability, especially when under attack.

3. Disaster recovery

In situations where an organization needs to restore services quickly, DGAs could be employed to dynamically allocate domains and ensure communications remain intact despite DNS failures or DDoS attacks.

However, it’s important to note that these potential legitimate uses are not widely adopted, because managing DGA-generated domains is complex and there is a high risk of them being mistaken for malicious activity by automated systems. Certificate management and SSL/TLS inspection would also be problematic.

Detecting and protecting against DGAs

Detecting DGAs can be challenging due to the sheer volume and randomness of the generated domains. Yet, several approaches can help identify DGA activity:

1. DNS traffic analysis

DNS logs are an invaluable source for detecting DGA activity. Frequent, failed DNS queries are a common indicator of DGAs at work, as the malware attempts to resolve numerous domains, many of which may not yet exist. By analyzing patterns in DNS queries, security teams can often spot the telltale signs of DGAs and their usage.

2. Entropy-based detection

Since DGA-generated domains are typically composed of random or semi-random characters, they often exhibit high entropy (a measure of randomness or seemingly disorderly patterns). Machine learning models trained to detect domains with high entropy can be an effective method of identifying potential DGAs. This technique looks for domain names that deviate from typical human-generated domain structures.
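The following is an added example, not code from the original article or from Zscaler: it combines the two signals just described, a burst of NXDOMAIN answers per client (DNS traffic analysis) and the Shannon entropy of the queried label (entropy-based detection), and runs them over a handful of constructed DNS log lines. The log format, the thresholds and the vowel-ratio check that catches the typo false positive are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log lines (client IP, query name, response code); not real data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3q9vz1pl0w.com NXDOMAIN
10.0.0.7 q8zv2ml0xkpr.net NXDOMAIN
10.0.0.7 zp0q7xvk3lmw.com NXDOMAIN
10.0.0.7 v9kxq2pz0lmr.org NXDOMAIN
10.0.0.7 k1xzq7vpl0mw.com NXDOMAIN
10.0.0.9 cdn.example.net NOERROR
10.0.0.9 typo-exampel.com NXDOMAIN
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(fqdn: str) -> str:
    """Label left of the TLD; assumes a single-label public suffix (no co.uk handling)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_dga(fqdn: str, min_entropy: float = 3.2, max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor label. Entropy alone also fires on typos
    such as 'typo-exampel', so the vowel ratio is checked too. Thresholds are assumed."""
    label = second_level_label(fqdn)
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def analyze(log_text: str, nx_threshold: int = 3) -> dict:
    """Per client: count NXDOMAIN answers and DGA-looking NXDOMAIN names; flag when both reach the threshold."""
    stats = defaultdict(lambda: {"nxdomain": 0, "dga_like": 0, "suspect": False})
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        entry = stats[client]
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
            if looks_like_dga(qname):
                entry["dga_like"] += 1
        entry["suspect"] = entry["nxdomain"] >= nx_threshold and entry["dga_like"] >= nx_threshold
    return dict(stats)
```

On the sample, only 10.0.0.7 is flagged; the single misspelled query from 10.0.0.9 has high entropy but a normal vowel ratio and no NXDOMAIN burst.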

3. Natural language processing (NLP)

Some advanced detection techniques use NLP to differentiate between human-readable domains and those that are machine-generated. DGAs often produce domain names that lack coherence in terms of spelling, syntax, and readability, making NLP a valuable tool in DGA detection.

4. Blocklist and threat intelligence feeds

While blocklists alone are not effective against DGAs due to their dynamic nature, threat intelligence feeds can offer crucial insights. Intelligence feeds that track DGA patterns or known C2 infrastructures are essential for detecting and blocking domains associated with DGA activity before they are widely used.

5. Machine learning

Machine learning models that are trained on known DGA behaviors can recognize anomalous domain generation patterns (after all, if you know normal then you can spot anomalous). These models can detect both known and previously unseen DGAs by identifying underlying characteristics common across different algorithms.

Preventing DGAs

To prevent DGAs from compromising an organization’s security posture, several strategies should be employed:

1. DNS sinkholing

DNS sinkholing is a technique that redirects traffic destined for malicious domains (including DGA-generated ones) to a controlled server. This not only disrupts the communication between malware and its C2 infrastructure but also allows security teams to monitor and analyze the infected machines. What is learned there can feed the organization’s threat intel and be shared with the rest of the community as indicators of compromise (IoCs) and indicators of attack (IoAs).

2. Blocklists with predictive algorithms

While traditional blocklists may not be sufficient against DGA domains, in theory, predictive algorithms can forecast the future domains a particular DGA will generate. Some organizations actively calculate future DGA domains and preemptively block them before they become active.
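An added example, not code from the original article or from Zscaler, tying this predictive approach back to the shared-algorithm mechanism described under "What are DGAs?": a toy date-seeded generator stands in for a family whose algorithm has already been reverse-engineered, and the defender runs it ahead of time to build a blocklist for the coming days. The family seed, the TLD set, the domain count per day and the derivation itself are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical, constructed stand-in for a reverse-engineered family: candidate domains are
# derived from a per-family seed plus the calendar date, so infected hosts and defenders
# who know the algorithm compute exactly the same names for a given day.
SEED = "example-family-seed"   # assumed; a real seed comes from malware analysis
TLDS = ("com", "net", "org")   # assumed


def dga_domains(day: date, seed: str = SEED, count: int = 4) -> list:
    """Deterministically derive `count` candidate domains for `day`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 lowercase letters
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def predictive_blocklist(start: date, days: int, seed: str = SEED) -> set:
    """Precompute every domain the family would use from `start` for `days` days."""
    block = set()
    for offset in range(days):
        block.update(dga_domains(start + timedelta(days=offset), seed))
    return block


def is_blocked(fqdn: str, blocklist: set) -> bool:
    """Check a queried name (as a resolver or DNS firewall would) against the precomputed list."""
    return fqdn.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    today = date.today()
    blocklist = predictive_blocklist(today, days=7)
    # What a host infected with this toy family would try today, and whether it is blocked.
    for name in dga_domains(today):
        print(name, "blocked" if is_blocked(name, blocklist) else "allowed")
```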

3. Proactive domain takedowns

When security teams or threat intelligence providers identify a DGA being used, working with domain registrars to take down entire swaths of DGA-generated domains can cripple the C2 infrastructure, at least temporarily. This is one more solid reason to use threat intel feeds and cooperate with industry peers to share information. We are truly better together.

4. Network segmentation

Network segmentation limits the east/west and north/south spread of malware that relies on DGAs. By isolating critical systems and restricting their access to external domains, organizations can reduce the attack surface and prevent lateral movement by infected devices.

5. Behavioral monitoring

Monitoring the behavior of endpoints and network traffic in real time can help detect DGA-based attacks. Unusual DNS queries, repeated access attempts to nonexistent domains, or outbound connections to known DGA patterns should trigger alerts for further investigation.

Protecting organizations from DGAs

To protect against DGAs, organizations must adopt a layered security approach that combines threat intelligence, advanced analytics, and proactive defense mechanisms:

1. Comprehensive DNS security

Implement a DNS security solution (or a solution that includes DNS protection) that can monitor and block malicious domain queries, especially those tied to DGAs. Firewalls with DNS protection capabilities, integrated with real-time threat intelligence, are key to this defense strategy.

2. Endpoint protection

Deploy endpoint detection and response (EDR) solutions that can detect malware behavior indicative of DGA usage. Modern EDR tools incorporate machine learning models to detect patterns associated with malware infections, including anomalous DNS activity.

3. Threat intelligence and collaboration

Engage with threat intelligence providers and industry peers to stay ahead of evolving DGAs. Sharing intelligence about emerging DGA families and associated domains can help proactively block DGA-related threats before they fully materialize. Find an Information Sharing and Analysis Center (ISAC) to get started sharing.

4. Regular audits and incident response

Regular audits of network activity, especially DNS traffic, are essential for early detection of DGA activity. In the event of an infection, having a well-defined incident response plan ensures timely containment and eradication of malware leveraging DGAs.

Conclusion

Domain generation algorithms are a potent tool in the malware author’s arsenal, allowing for resilient and evasive command-and-control operations. Detecting and preventing DGAs requires a combination of advanced detection techniques, proactive defense strategies, and continuous monitoring. By implementing a robust DNS security protection strategy and staying vigilant with threat intelligence, organizations can mitigate the risks posed by DGAs and better protect their infrastructure from this evolving threat.