blog.malwarebytes.com
Open in
urlscan Pro
130.211.198.3
Public Scan
URL:
https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/
Submission: On April 27 via api from US — Scanned from DE
Submission: On April 27 via api from US — Scanned from DE
Form analysis
3 forms found in the DOM<form><span class="fieldset">
<p><input type="checkbox" value="check" id="chkMain" checked="checked" class="legacy-group-status optanon-status-checkbox"><label for="chkMain">Active</label></p>
</span></form>
GET
<form id="search-form" onsubmit="submitSearchrightrail(event)" method="get">
<div class="searchbar-wrap-rightrail">
<label for="cta-labs-rightrail-search-submit-en" aria-label="cta-labs-rightrail-search-submit-en" aria-labelledby="cta-labs-rightrail-search-submit-en">
<input type="text" id="st-search-input-rightrail" class="st-search-input-rightrail" placeholder="Search Labs">
</label>
<button type="submit" id="cta-labs-rightrail-search-submit-en" aria-label="Submit your search query"><span class=""><img src="https://blog.malwarebytes.com/wp-content/themes/mb-labs-theme/images/search.svg" alt="Magnifying glass"></span>
</button>
</div>
</form>
//www.malwarebytes.com/newsletter/
<form class="newsletter-form form-inline" action="//www.malwarebytes.com/newsletter/" _lpchecked="1">
<div class="email-input">
<label for="cta-footer-newsletter-input-email-en" aria-label="cta-footer-newsletter-input-email-en" aria-labelledby="cta-footer-newsletter-input-email-en">
<input type="text" class="email-input-field" id="cta-footer-newsletter-input-email-en" name="email" placeholder="Email address">
</label>
<input name="source" type="hidden" value="">
<input type="submit" class="submit-bttn" id="cta-footer-newsletter-subscribe-email-en" value="">
</div>
</form>
Text Content
Who doesn't like cookies? We use cookies to help us enhance your online experience. If that sounds good, click “Accept All Cookies” or review our Privacy and Cookie Policy. Close Accept All Cookies * Your Privacy * Strictly Necessary Cookies * Performance Cookies * Functional Cookies * Targeting Cookies * More Information Privacy Preference Center Active Always Active Save Settings Allow All The official Malwarebytes logo The official Malwarebytes logo in a blue font B We research. You level up. Personal Personal * Security & Antivirus * Malwarebytes for Windows * Malwarebytes for Mac * Malwarebytes for Chromebook * Malwarebytes Browser Guard * Overview * Security & Antivirus for Mobile * Malwarebytes for Android * Malwarebytes for iOS * Online Privacy * Malwarebytes Privacy VPN * Get Started * Explore all Personal Products * Explore Pricing * FREE TRIAL OF MALWAREBYTES PREMIUM Protect your devices, your data, and your privacy—at home or on the go. Get free trial Business Business Solutions * BY COMPANY SIZE * Small Business 1-99 Employees * Mid-size Businesses 100-999 Employees * Large Enterprise 1000+ Empoyees * BY INDUSTRY * Education * Finance * Healthcare * Government Products * CLOUD-BASED SECURITY MANAGEMENT AND SERVICES * Endpoint Protection * Endpoint Protection for Servers * Endpoint Detection & Response * Endpoint Detection & Response for Servers * Incident Response * Malware Removal Service * Nebula Platform Architecture * CLOUD-BASED SECURITY MODULES * Vulnerability & Patch Management * Remediation for CrowdStrike® * NEXT-GEN ANTIVIRUS FOR SMALL BUSINESS * For Teams * Get Started * * Find the right solution for your business * See business pricing -------------------------------------------------------------------------------- * Don't know where to start? * Help me choose a product -------------------------------------------------------------------------------- * See what Malwarebytes can do for you * Get a free trial -------------------------------------------------------------------------------- * Our team is ready to help. Call us now * +1-800-520-2796 Pricing Partners Partners * Explore Partnerships * Partner Solutions * Resellers * Managed Service Providers * Computer Repair * Technology Partners * Partner Success Story * Marek Drummond Managing Director at Optimus Systems "Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected." * See full story Resources Resources * Learn About Cybersecurity * Antivirus * Malware * Ransomware * See all * Malwarebytes Labs * Explore * Business Resources * Reviews * Analyst Reports * Case Studies * See all * Press & News * Learn more * Events * Featured Event: RSA 2021 * See Event Support Support * Technical Support * Support * Premium Services * Forums * Vulnerability Disclosure * Training for Personal Products * Training for Business Products * Featured Content * Activate Malwarebytes Privacy on Windows device. * See Content FREE DOWNLOAD CONTACT US COMPANY Company * About Malwarebytes * Careers * News & Press SIGN IN Sign In * My Account * Cloud Console * Partner Portal SUBSCRIBE Save 25% on Your First Year of Cloud-Based Business Security See Offer > Security world | Technology EXPLAINED: DOMAIN GENERATING ALGORITHM Posted: December 6, 2016 by Pieter Arntz Domain Generating Algorithms are in use by cyber criminals to prevent their servers from being blacklisted or taken down. The algorithm produces random looking domain names. The idea is that two machines using the same algorithm will contact the same domain at a given time. A Domain Generating Algorithm (DGA) is a program or subroutine that provides malware with new domains on demand or on the fly. HISTORY Kraken was the first malware family to use a DGA (in 2008) that we could find. Later that year, Conficker made DGA a lot more famous. WHAT’S THE USE? The DGA technique is in use because malware that depends on a fixed domain or IP address is quickly blocked, which then hinders operations. So, rather than bringing out a new version of the malware or setting everything up again at a new server, the malware switches to a new domain at regular intervals. An example of DGA in practice is C&C servers for botnets and ransomware. If we were able to block these or take them down, we would cut the link between the victims and the threat actor. Bots would no longer be able to fetch new instructions and machines infected with ransomware would be unable to request encryption keys and send user data. The constant changing of the domain for the C&C server is also sometimes called “Domain Fluxing” or “Fast Fluxing”, which actually is a reference to an older technique based on abusing the DNS load balancing system. MORE DETAILS ABOUT HOW IT WORKS To better understand how these algorithms work, let’s look at the requirements they have to fulfill: * The routines have to generate domains that are predictable to both sides of the communication chain. * The routines have to be as unpredictable for security researchers as possible. * The domain registration fee has to be low, given the huge amounts of domains that will be used. * The need for speed can be enormous. * The registration process has to be anonymous or at least untraceable. To achieve predictability, yet remain hard to research, the DGA routines use a few building blocks: * Seed, the base element * An element that changes with time * Top Level Domains (TLDs) Image courtesy of Cisco Blog The seed can be a phrase or a number. Practically anything that the threat actor can change at will (e.g. when they switch to a new version), and that can be used in an algorithm. The seed and the time-based element are combined in an algorithm to create the domain name and this “body” will be combined with one of the available TLDs. Note that a time-based element need not be something like the date and time. It can be something else that varies with time, like for example the trending topic on Twitter in a certain country at the moment of the connection. Actually, something that is difficult to predict is preferred, as this makes it harder for researchers to register certain domains ahead of time and intercept traffic or do a takeover. Another trick to throw off countermeasures is to not use all the domains that the algorithm produces, but only certain ones. This will drastically increase the number of domains necessary to register by researchers if they plan to intercept the traffic. When it comes to TLDs, .xyz, .top, and .bid are very popular at the moment. This is due to the reasons mentioned earlier: low costs and quick availability, because the registrars allow automated and anonymous domain registrations. SUMMARY Domain Generating Algorithms are in use by cybercriminals to prevent their servers from being blacklisted or taken down. The algorithm produces random looking domain names. The idea is that two machines using the same algorithm will contact the same domain at a given time, so they will be able to exchange information or fetch instructions. LINKS For more technical details, we can recommend: Dissecting Domain Generation Algorithms And an example: Threat Spotlight: Dyre/Dyreza: An Analysis to Discover the DGA Pieter Arntz RELATED Zloader, another botnet, bites the dustApril 14, 2022In "Botnets" [Updated] Infected CCleaner downloads from official serversSeptember 18, 2017In "Business" Encryption 101: a malware analyst’s primerFebruary 20, 2018In "Threat analysis" SHARE THIS ARTICLE -------------------------------------------------------------------------------- COMMENTS LEAVE A REPLY You must be logged in to post a comment. Click here to login or connect a social media account to leave a comment. -------------------------------------------------------------------------------- RELATED ARTICLES Reports FIRED BY ALGORITHM: THE FUTURE’S HERE AND IT’S A ROBOT WEARING A WHITE COLLAR June 29, 2021 - A Bloomberg investigation has revealed that Amazon Flex drivers are being evaluated, and in some cases fired, by algorithms. CONTINUE READINGNo Comments -------------------------------------------------------------------------------- ABOUT THE AUTHOR Pieter Arntz Malware Intelligence Researcher Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books. Contributors Threat Center Podcast Glossary Scams Write for Labs CYBERSECURITY INFO YOU CAN'T DO WITHOUT Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats. Imagine a world without malware. We do. FOR PERSONAL FOR BUSINESS COMPANY ABOUT US CAREERS NEWS AND PRESS MY ACCOUNT SIGN IN CONTACT US GET SUPPORT CONTACT SALES 3979 Freedom Circle, 12th Floor Santa Clara, CA 95054 One Albert Quay, 2nd Floor Cork T12 X8N6 Ireland English Legal Privacy Accessibility Terms of Service © 2022 All Rights Reserved Select your language * English * Deutsch * Español * Français * Italiano * Português (Portugal) * Português (Brasil) * Nederlands * Polski * Pусский * 日本語 * Svenska Cybersecurity basics Your intro to everything relating to cyberthreats, and how to stop them. Loading Comments... You must be logged in to post a comment.