Malware C2 communication using Domain Generation Algorithms

Many families of malware (such as those used in APTs), as well as botnets used for DDoS attacks, periodically contact their Command & Control server (C2) in order to receive instructions, to download updated code, or to exfiltrate stolen data. C2 servers can also be used to provide attackers with remote access to a compromised system. If the malware developer hardcodes the domain name (or a static list of domain names) of the C2 server, then a security company could reverse engineer the malware code to discover the domain name. Security organisations could then blacklist the C2 domain, or authorities could take it down, a process known as sinkholing. Once C2 traffic is blocked, the malware controller can no longer communicate with any of the malware installations, and cannot receive any data.

Malware has been effective in adapting to these measures to block C2 traffic. Attackers evolved to change the domain name every day, a process known as domain fluxing. The result is that the domain of the C2 is constantly changing, counteracting blacklisting and domain take down. One method to do this is for the attacker to incorporate a Domain Generation Algorithm (DGA) within the malware.

The first malware to use a DGA was Kraken in April 2008. Initial versions of Conficker, released in November 2008, generated 250 new domain names each day. To make it even more difficult to identify the C2 domain, by February 2009 later versions of Conficker pseudo-randomly generated 50,000 domain names each day. The malware controller would then register one or a few of these domains for their C2 every day. The domains are generally registered just before they are used (within the hour), and then only used for a day. Authorities would not know which of the 50,000 names would be used for the C2 domain that day, and it is unrealistic to preregister all 50,000 each day (before the attacker does).

The malware would not know which domain name(s) the controller would register each day, so it would attempt to contact random domains from the list of 50,000. Each day, the malware attempts to contact 500 of the 50,000 domains (1%) in an effort to reach the C2. Unsuccessful lookups generate a Non-Existent Domain (NXDomain) response from the DNS server.

If the malware controller registers only one new domain each day (from the list of that day's 50,000 output from the DGA), each malware installation would have a 1% chance of making contact that day. In other words, on average, individual malware installations would successfully contact the C2 every 100 days. Increasing the number of domain names contacted by the malware installation increases the probability of a successful C2 connection. Likewise, the more domains the controller actually registers each day, the higher the probability of a successful C2 connection. DGAs are thereby effective in hiding the actual C2 domain and in maintaining persistent contact with the controller.
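The arithmetic above (500 of 50,000 probed, one registered, 1% per day, 100 days on average) is one instance of a general hypergeometric calculation. The example below, added here and not part of the original post, computes the daily contact probability for any combination of generated, probed and registered domains, and also counts NXDomain responses per client over a constructed DNS log sample, since the failed lookups the post describes are themselves a detection signal. The log format and IP addresses are made up for the example.

```python
from collections import Counter
from math import comb


def contact_probability(generated: int, probed: int, registered: int) -> float:
    """Chance that at least one of the `probed` domains an infected host tries
    today is among the `registered` ones the controller set up, assuming both
    sets are drawn from the same day's `generated` DGA output.
    Hypergeometric: P(contact) = 1 - P(no overlap)."""
    if registered == 0 or probed == 0:
        return 0.0
    if probed + registered > generated:
        return 1.0  # pigeonhole: the two sets must overlap
    return 1.0 - comb(generated - registered, probed) / comb(generated, probed)


def expected_days_to_contact(p: float) -> float:
    """Mean number of days until the first successful C2 contact (geometric)."""
    return float("inf") if p == 0 else 1.0 / p


def nxdomain_counts(log_lines, threshold: int) -> dict:
    """Count NXDOMAIN responses per client and return clients at/above
    `threshold`. Assumed (constructed) line format: <ts> <client> <qname> <rcode>."""
    counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) == 4 and parts[3] == "NXDOMAIN":
            counts[parts[1]] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


# Constructed sample: one client burning through generated names, one normal.
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 qlxptwnezr.example NXDOMAIN",
    "12:00:01 10.0.0.5 bmvdhjskqa.example NXDOMAIN",
    "12:00:02 10.0.0.5 wkrtoyzjxn.example NXDOMAIN",
    "12:00:02 10.0.0.5 dpaunmcegl.example NXDOMAIN",
    "12:00:03 10.0.0.5 hsvbolqryt.example NXDOMAIN",
    "12:00:03 10.0.0.5 cjeznwfmpu.example NXDOMAIN",
    "12:00:04 10.0.0.9 www.example NOERROR",
    "12:00:05 10.0.0.9 mail.example NOERROR",
]

if __name__ == "__main__":
    p = contact_probability(50_000, 500, 1)
    print(f"P(contact/day)={p:.4f}, expected days={expected_days_to_contact(p):.0f}")
    print(nxdomain_counts(SAMPLE_LOG, threshold=5))
```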

In addition to Conficker, many other malware families incorporate a DGA, such as Zeus GameOver, Dyre, Kraken, CryptoLocker, PushDo, Murofet, Chopstick and Nymaim.

In a further development, some DGAs generate two levels of domain names – weekly domain names and daily domain names. The malware then only uses the daily domain if it is unable to connect to the weekly domain. This two-tier system increases the probabilities of a successful C2 connection.

Constantly changing C2 domains mean that blacklists, preregistering and domain takedown are not very effective mechanisms for blocking C2 traffic. DGAs are increasingly being used by attackers in order to ensure they are able to keep communication channels open.
