The new wave of 'undetectable' DGA threats

Gunter Ollmann Damballa

New families of crimeware are adopting domain generation algorithm (DGA) strategies in order to locate their fragile command and control infrastructure, purposefully evade blacklist-enabled protection systems, and making domain seizures and takedowns by law enforcement impractical. As DGA functionality quickly becomes a standard feature of crimeware DIY construction sets and each cybercriminal tunes the algorithm to their purpose, legacy network-centric detection and mitigation strategies are failing. Malware families such as Conficker, Murofet, Sinowal and Bobax are classic (albeit old) examples of the relative successes of DGA in thwarting perimeter filtering defences. Newer crimeware builds upon the lessons learned - optimizing the algorithms and distribution of control servers.

This paper dives in to the practicalities of DGA-based command and control discovery, outlines the problems facing static reputation systems and filtering technologies for which this evasion technique has been developed, and identifies a number of new techniques that not only identify the victims of DGA-based crimeware, but also distinguish between algorithms and criminal operators - with or without prior knowledge of the malicious binary or crimeware family.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.