RSA 2012: Crimeware families are flexing their domain fluxing muscles

The technique is also able to hide command-and-control (C&C) infrastructure, according to Damballa's report, DGAs in the Hands of Cyber-Criminals - Examining the State of the Art in Malware Evasion Techniques, released at RSA this week.

The crimeware families identified in the report are a Zeus variant, Bamital, BankPatch, Bonnana, Expiro.Z, and Shiz.

“With the leak of the Zeus source code and expanding investment by criminal operators to hide and protect their C&C infrastructure, we should expect to see more DGA-based malware being used to deliver ever-increasingly stealthy attacks”, warned Gunter Ollmann, vice president of research for Damballa.

DGAs first made news with the outbreak of Conficker, Damballa explained. DGAs are relatively simple but stealthy. Malware that has infected an endpoint device is programmed with an algorithm that uses a "seed" value, such as the current date, to generate potentially hundreds of seemingly random domain names, each of which the malware then attempts to resolve to an IP address. Nearly all of the lookups will return a "non-existent domain" response (NXDOMAIN), the company explained.

Only one or a few will actually resolve to an IP address. The criminal operator, knowing the nature of the algorithm and the seed that will be used that day, will register only one (or a few) of the domains and have them resolve to his C&C infrastructure. The next day the cycle repeats. The domains used for the previous day’s connection are discarded, meaning the domain names are "thrown away," and even if detected, would be meaningless in stopping the threat or discovering the criminal C&C, Damballa added.
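The two paragraphs above describe both the mechanism (a date-seeded list of candidate domains, nearly all of which return NXDOMAIN) and the signal a defender can use against it. The following Python example, added here and not taken from the Damballa report or any of the named families, builds a toy date-seeded generator purely to produce realistic sample traffic, then parses constructed DNS log lines and flags hosts whose lookups are dominated by NXDOMAIN responses. The log line format, the hosts 10.0.0.5 and 10.0.0.7, the thresholds, and the generator itself are all assumptions made for the example.

```python
"""Added example: reproduce the daily-candidate DGA pattern in toy form and
detect it from DNS resolver logs by per-host NXDOMAIN ratio."""
import hashlib
import re
from collections import defaultdict


def toy_dga(seed_day, count, tld="com"):
    """Toy date-seeded generator (an assumption for illustration only; it is
    not the algorithm of any real malware family). Every host that shares the
    seed, here the ISO date string, derives the same candidate list."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_day}:{i}".encode()).hexdigest()
        # Map 12 bytes of the digest onto lowercase letters to form the label.
        label = "".join(chr(ord("a") + int(digest[j * 2:j * 2 + 2], 16) % 26)
                        for j in range(12))
        names.append(f"{label}.{tld}")
    return names


# Constructed log format: "<timestamp> src=<client ip> q=<qname> rcode=<rcode>"
LOG_RE = re.compile(r"^(\S+) src=(\S+) q=(\S+) rcode=(\S+)$")


def parse_dns_log(lines):
    """Parse constructed resolver log lines; unrecognised lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, qname, rcode = m.groups()
            records.append({"ts": ts, "src": src,
                            "qname": qname.lower(), "rcode": rcode})
    return records


def flag_dga_hosts(records, min_ratio=0.8, min_failed=20):
    """Flag clients whose queries are mostly NXDOMAIN across many distinct
    names. The thresholds are assumptions; tune them to the environment.
    Returns {src: stats} for flagged hosts, including the few names that did
    resolve, which are the candidates for the live C&C domain."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "failed": set(), "resolved": set()})
    for r in records:
        s = stats[r["src"]]
        s["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
            s["failed"].add(r["qname"])
        else:
            s["resolved"].add(r["qname"])
    flagged = {}
    for src, s in stats.items():
        ratio = s["nxdomain"] / s["queries"]
        if ratio >= min_ratio and len(s["failed"]) >= min_failed:
            flagged[src] = {"queries": s["queries"], "nxdomain": s["nxdomain"],
                            "nxdomain_ratio": round(ratio, 2),
                            "resolved": sorted(s["resolved"])}
    return flagged


def build_sample_log():
    """Constructed sample: one infected host walking 50 daily candidates (49
    fail, one resolves) and one ordinary host with a single typo."""
    lines = []
    for i, name in enumerate(toy_dga("2012-02-28", 50)):
        rcode = "NOERROR" if i == 37 else "NXDOMAIN"   # 37: the registered one
        lines.append(f"2012-02-28T09:00:{i:02d} src=10.0.0.5 q={name} rcode={rcode}")
    normal = ["www.example.com", "mail.example.org", "cdn.example.net"] * 3
    for i, name in enumerate(normal):
        lines.append(f"2012-02-28T09:01:{i:02d} src=10.0.0.7 q={name} rcode=NOERROR")
    lines.append("2012-02-28T09:01:30 src=10.0.0.7 q=wwww.example.com rcode=NXDOMAIN")
    return lines


if __name__ == "__main__":
    for src, info in flag_dga_hosts(parse_dns_log(build_sample_log())).items():
        print(src, info)
```

The detection keys on the behaviour the report describes rather than on any particular domain: the thrown-away names are worthless as indicators, but a client that fails dozens of distinct lookups in a short window while resolving only one or two is a strong lead, and the names that did resolve are where an analyst would look next.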

“While DGAs are not new, the rate at which they are being adopted and their ability to elude the scrutiny of some of the most advanced malware analysis professionals should be of great concern to incident response professionals”, added Ollmann.
