Brief: Domain Generation Algorithms
Date: December 08, 2016
At the beginning of December, security researchers observed sophisticated Mirai variants that implement a Domain Generation Algorithm (DGA).
This brief describes this feature.
A typical botnet consists of compromised computers or devices that communicate with a C&C (Command and Control) server, which issues commands to them or harvests stolen data.
A simple countermeasure used by security software is to identify the domain names of these malicious servers, both to detect compromised devices and to block their communication with those servers.
To bypass this defense, sophisticated malware families use a Domain Generation Algorithm (DGA) that dynamically produces domain names which the botnet operator can predict, because the bot and the operator derive the same list from a shared seed. These domain names are numerous and short-lived (more than 10,000 can be generated per day), which renders blacklisting of C&C server names ineffective.
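Added example, not part of the original brief: a toy date-seeded generator (the secret, TLD list and heuristic thresholds are constructed for illustration) next to two defender-side checks, showing that a blacklist built from one day's names catches none of the next day's, and that a lexical heuristic on the label flags most generated names.

```python
import hashlib
import math
from collections import Counter

# Hypothetical secret shared by bot and operator; constructed for this example.
SECRET = "constructed-example-seed"
TLDS = ("com", "net", "org")

def toy_dga(day: str, count: int, secret: str = SECRET) -> list:
    """Derive `count` domains from (secret, ISO date, index). Both sides of the
    botnet compute the same list, so nothing has to be sent over the wire and
    a name is only meaningful for one day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{secret}|{day}|{i}".encode()).hexdigest()
        # Map 12 byte-pairs of the digest onto lowercase letters.
        label = "".join(chr(97 + int(digest[j:j + 2], 16) % 26) for j in range(0, 24, 2))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def blacklist_coverage(blacklist, observed) -> float:
    """Fraction of observed C&C names a static blacklist would still catch."""
    hits = sum(d in blacklist for d in observed)
    return hits / len(observed) if observed else 0.0

def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_generated(domain: str, min_entropy: float = 3.0, max_vowel_ratio: float = 0.4) -> bool:
    """Rough lexical heuristic for DGA-style names: a long, high-entropy,
    vowel-poor second-level label. A coarse filter only; pair it with an
    allowlist of known-good domains, since some legitimate names trip it."""
    label = domain.lower().split(".")[-2]
    if len(label) < 10:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio

def detection_rate(domains) -> float:
    flagged = sum(looks_generated(d) for d in domains)
    return flagged / len(domains)

if __name__ == "__main__":
    blacklist = set(toy_dga("2016-12-08", 50))
    print("blacklist coverage next day:", blacklist_coverage(blacklist, toy_dga("2016-12-09", 50)))
    print("heuristic detection rate:", detection_rate(toy_dga("2016-12-09", 200)))
```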
For more information:
- Trend Micro article: Why Domain Generating Algorithms (DGAs)?
- Cisco Umbrella blog: Domain Generation Algorithms – Why so effective?