"DGA: The Invisible Code" (How Malware Eludes Detection)

(To Bruno Riccio)
26/09/24

The Domain Generation Algorithm (DGA) is a technique used by cyber criminals to automatically create a series of domain names (the addresses we use to reach websites). It is used to facilitate communication between the malware and the server from which it receives instructions, the Command and Control (C2) server.

To put it simply: it's as if the malware changes its front door every day, making it more difficult for antivirus or defenders to stop it.

Why is it so relevant?

This strategy represents a turning point in cybersecurity, because it allows attackers to avoid detection and mitigation by traditional security measures. In the past, malware relied on static domains (a fixed, predetermined domain name inserted into the malware code) or hardcoded IP addresses (similar to a static domain, but the malware contains a specific, fixed IP address instead of a name) to communicate with its C2 servers. The adoption of DGAs has introduced a wildcard of unpredictability that makes intervention by the blue team much more difficult.

Dynamically generated domains are always new, which allows attackers to quickly replace compromised or blocked domains while keeping communication with the malware active. DGA-based attacks are considered an evolution of evasion techniques. These algorithms can generate thousands of domain names every day, each of which can be used to establish a connection with the C2 server, ensuring continuous operation even when known malicious domains are blocked or seized. This gives cybercriminals a strategic advantage, since it becomes much more complicated for traditional defenses, such as firewalls or DNS filtering systems, to block the communication attempts.

One of the most critical aspects of this technique is its ability to maintain persistence on compromised networks. DGAs not only allow cybercriminals to adapt quickly to the countermeasures adopted by victims (whether companies or individuals), but also make it difficult for authorities to completely sever communication between the malware and the C2 servers: attackers can keep control of their botnets even after part of their infrastructure has been dismantled.

As cyber threats become increasingly sophisticated and difficult to detect, DGAs represent one of the most significant challenges for cybersecurity professionals.

What is it about?

The functioning of a DGA is based on predetermined algorithms that generate new domain names according to an internal logic[1]. Domains can be generated from a variety of parameters, such as the current date and time, random strings, or predefined seeds. In this way attackers (but not victims) can anticipate the domains that the malware will generate in a given time window and register them in advance. Once a domain is registered, the command and control server can establish communication with the infected machines and send new commands, updates or payloads.

The generated domains may look innocuous or completely random. For example, the malware may generate domains like abc123.net, xyz789.it, or italia.it every day, creating thousands of possible variations. This approach allows malware to evade traditional DNS filtering, since the variety and volume of domains make it impossible for security teams to block them all preemptively. In many cases the cybercriminals only use a small portion of the generated domains, making it difficult for security solutions to predict which of them will actually be used for communication.

An interesting aspect of DGAs is that their implementation can vary significantly. Some malware uses simple algorithms that generate domains from a small set of parameters, while other malware uses more complex approaches that incorporate variables such as the time zone, the hardware of the infected machine, or even the current weather conditions. These factors make DGAs an extremely flexible technique that can be adapted to a variety of operational contexts.

Example diagram of the malicious domain generation process.

Procedural scheme of a DGA attack

In a DGA attack the malware executes the algorithm whenever it must establish a connection with the command and control server (C2). This process occurs in three main phases:

  1. Input parameters: definition of the “mathematical” criteria from which the continuous generation of domains proceeds.

  2. Generate domain list: Once the parameters have been processed, the algorithm creates a list of domain names. The length of the list varies, but in many cases it can contain hundreds or thousands of domains.

  3. Attempting to connect: the malware tries to connect to one of the generated domains. If the connection is successful, the malware can receive new commands or download updates from the C2 server. If the domain has been blocked or has not yet been registered by the criminals, the malware repeats the process with another generated domain until a connection is established.
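The three phases above, reproduced as an added Python example written from the defender's side (this is not code from the original article, nor the algorithm of any real malware family): a constructed toy generator derives a day's list from a seed and the date, `first_reachable` models the malware walking the list, and `blocklist_for_window` shows the defensive counterpart of the point made earlier that whoever knows the algorithm can anticipate the list. An analyst who has reverse-engineered a sample can precompute the whole window and feed it to a DNS blocklist or sinkhole, whereas blocking only the few names already observed leaves the malware a path to its C2. The seed, the TLD choice and all function names are assumptions of the example.

```python
"""Toy model of the three DGA phases, used from the defender's side.

The generator is a constructed illustration (SHA-256 of seed, date and index
mapped onto letters). It is not the algorithm of any real malware family.
"""
import hashlib
from datetime import date, timedelta

# Constructed values for this example; they belong to no real campaign.
SEED = "example-family-seed"
TLDS = ("net", "com", "info")
LABEL_LEN = 12
EXAMPLE_DAY = date(2024, 9, 26)


def generate_domains(seed: str, day: date, count: int) -> list[str]:
    """Phases 1 and 2: derive `count` domain names from the seed and the date.

    The list is fully determined by its inputs, so anyone who knows the seed
    and the algorithm (the attacker, or an analyst who reversed the sample)
    can compute the same list for any day in advance.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def first_reachable(candidates, registered, blocked):
    """Phase 3: the malware walks the list until a name is registered and not blocked.

    `registered` stands for the names the attacker actually set up (usually a
    small subset of the list); `blocked` stands for the defender's DNS blocklist.
    """
    for name in candidates:
        if name in registered and name not in blocked:
            return name
    return None


def blocklist_for_window(seed, start, days, count):
    """Defensive use of a reversed DGA: precompute every name for `days` days."""
    names = set()
    for n in range(days):
        names.update(generate_domains(seed, start + timedelta(days=n), count))
    return names


def simulate(day=EXAMPLE_DAY, count=100):
    """Compare blocking only the names already seen with blocking the precomputed list."""
    today = generate_domains(SEED, day, count)
    registered = {today[7]}            # the attacker registered one name deep in the list
    seen_so_far = set(today[:5])       # the defender blocked only the first few observed
    precomputed = blocklist_for_window(SEED, day, 1, count)
    return {
        "blocking_seen_names": first_reachable(today, registered, seen_so_far),
        "blocking_precomputed": first_reachable(today, registered, precomputed),
    }


if __name__ == "__main__":
    print(generate_domains(SEED, EXAMPLE_DAY, 3))
    print(simulate())
```

Running `simulate()` returns the registered name under `blocking_seen_names` (the malware still reaches its C2) and `None` under `blocking_precomputed` (every candidate for the day was blocked ahead of time). The 12-letter labels are also the kind of input a lexical detector keys on, which is why dictionary-based generators are the harder case.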

Even though DGAs are based on “pseudo”-randomly generated domains, AI (artificial intelligence) is enabling the generation of domains based on real words, creating domain names that appear legitimate and thus increasing the chances that the domains are ignored by filtering systems.

Purpose and objectives of DGA attacks

One of the main goals of DGA-based attacks is to ensure persistence in compromised networks. Even if part of the attackers’ infrastructure is disabled, the malware continues to operate by generating new domains. This allows criminals to maintain control of the compromised network, sending commands or receiving stolen data.

Another purpose is to evade security systems. Traditional detection methods rely on static patterns, such as known domains or IPs, which are blocked once detected. With a DGA, however, so many new domains are generated that it becomes impossible to block them all in time. Even if one is discovered, many others replace it.

DGAs are also used to distribute malware. They allow botnets and ransomware to maintain constant communication with C2 servers, through which attackers send new payloads, updates, or commands. For example, a botnet can receive instructions on which targets to attack or which data to steal.

DGA Attack Example: “Conficker”

One of the most dangerous pieces of malware using a DGA was without a doubt Conficker[2]. First released in 2008, Conficker was one of the most widespread and hard-to-eradicate worms (self-replicating malware that spreads through interconnected networks, like biological viruses) in the history of computer security.

Here are the characteristics that make it one of the most insidious:

Sophisticated use of DGA: Conficker is known for using a highly effective DGA. Each day it generated a large number of domains (up to 50,000) that the malware could use to connect to command and control servers. This made it difficult to block or disable the malware's command infrastructure, as the domains were constantly changing and it was not possible to anticipate all of them.

Persistence and resilience: Conficker used encryption techniques and rootkits to hide from security software and prevent removal. It could also disable security updates and block access to security sites, making it difficult for infected users to protect their systems.

Modularity: Once connected to the C2 server, Conficker could download and execute malware updates or install new payloads, making it a highly versatile attack platform.

Part of the difficulty in removing a Conficker infection lay in its ability to block access to security and antivirus-related websites. Additionally, the Autorun feature of Windows systems, enabled by default, allowed easy propagation and execution when a Conficker-infected USB stick was plugged into an uninfected computer. To further complicate matters, a significant number of machines were not patched for various reasons: some were pirated copies, others were legacy systems running old programs supported only by older versions of Windows. The Conficker infection highlighted many security issues that were subsequently addressed with updates in newer Windows operating systems. It also highlighted the need for regular patching and better management of legacy systems, especially those connected to the corporate network.

Malware like I miss you[3] has exploited DGAs to distribute ransomware and banking Trojans and to launch mass spam campaigns, demonstrating how versatile and dangerous this type of attack can be. To protect systems from such threats, it is essential to implement advanced security solutions, such as network traffic analysis, proactive blocking of suspicious domains, and the use of machine learning techniques to identify behavioral patterns typical of DGAs. The evolution of botnets and of techniques such as DGA requires continuous updating of defenses and cooperation between law enforcement and security researchers to mitigate these threats effectively.
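The traffic analysis and behavioral detection mentioned above, as an added Python example (not code from the original article or any product): a screen over DNS query logs that scores each registrable label on lexical traits typical of hash-style DGA names (entropy, length, digit share, vowel share) and separately counts NXDOMAIN answers per client, since an infected host asks for mostly unregistered names. The log lines and thresholds are constructed for the illustration. The last line of the sample, a real-word name, deliberately scores low: it shows the caveat raised earlier that dictionary-based generators slip past purely lexical checks, which is why the per-client NXDOMAIN count still catches that host.

```python
"""Lexical and behavioural screening of DNS query logs for DGA activity.

Added example from a defender's viewpoint. The log lines are constructed for
this illustration and the thresholds are illustrative, not tuned on real data.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed log: timestamp, client IP, queried name, response code.
SAMPLE_LOG = """\
2024-09-26T10:00:01Z 10.0.0.15 www.example.com NOERROR
2024-09-26T10:00:02Z 10.0.0.15 mail.example.com NOERROR
2024-09-26T10:00:03Z 10.0.0.22 qzvkxwrplmtjbn.net NXDOMAIN
2024-09-26T10:00:03Z 10.0.0.22 h7k2p9x4m1q8w3.com NXDOMAIN
2024-09-26T10:00:04Z 10.0.0.22 gbtnwkpzxqvdrm.info NOERROR
2024-09-26T10:00:05Z 10.0.0.31 cdn.example.org NOERROR
2024-09-26T10:00:06Z 10.0.0.22 greenriverstone.com NXDOMAIN
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
VOWELS = set("aeiou")


def parse_log(text):
    """Yield (timestamp, client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def registrable_label(qname):
    """Label directly under the TLD ('example' for www.example.com).

    Simplification: the last label is taken as the TLD; a real deployment
    would consult the Public Suffix List.
    """
    parts = qname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; 14 distinct characters give about 3.8."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def features(label):
    letters = [c for c in label if c.isalpha()]
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(c.isdigit() for c in label) / len(label),
        "vowel_ratio": (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0,
    }


def dga_score(label):
    """0 to 4: one point per lexical trait typical of hash-style DGA labels."""
    f = features(label)
    return int(
        (f["entropy"] > 3.3)
        + (f["length"] >= 12)
        + (f["digit_ratio"] > 0.2)
        + (f["vowel_ratio"] < 0.2)
    )


def flag_suspicious(text, threshold=2):
    """(client, qname, score) for queries whose registrable label reaches the threshold."""
    flagged = []
    for _, client, qname, _ in parse_log(text):
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            flagged.append((client, qname, score))
    return flagged


def nxdomain_burst(text, min_hits=2):
    """Clients with many NXDOMAIN answers: a DGA host queries mostly unregistered names."""
    hits = defaultdict(int)
    for _, client, _, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for row in flag_suspicious(SAMPLE_LOG):
        print("lexical:", row)
    print("nxdomain bursts:", nxdomain_burst(SAMPLE_LOG))
```

On the sample, the three consonant-heavy names from 10.0.0.22 score 3 or 4 while `greenriverstone.com` scores only 1 (it is long, but readable), so the lexical pass alone would miss a word-based generator; the NXDOMAIN count reports 10.0.0.22 three times and flags the host regardless of how the names look.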

In conclusion, attacks based on Domain Generation Algorithm (DGA) are a complex and sophisticated threat in the cybersecurity landscape. DGA allows malware to dynamically generate domain names to communicate with command and control (C2) servers, making it extremely difficult for defenders to block such connections. This mechanism makes malware equipped with DGA more resilient, since even if domains are detected and blocked, the algorithm continuously creates new ones, ensuring the persistence of the infection.