Command and control servers (C2s) are a central part of malware campaigns - almost all malware families communicate with C2 servers to receive orders from the attackers controlling them. Threat actors go to great lengths to keep these servers up and running while law enforcement attempts to shut them down and security vendors strive to protect their customers from them. When C2 addresses were hard coded into malware it wouldn’t take long before the address was found, published and taken down or blocked. Today's reality is much more complex.
Many malware and ransomware variants use Domain Generation Algorithms (DGAs) for their C2 servers. DGAs are a class of algorithms that periodically and dynamically generate large numbers of domain names that are used for C2 communication. DGAs can generate tens of thousands of domains per day, making the C2s a constantly moving target. These domains are usually seed-based, meaning that the DGA generates random-looking character sequences followed by a chosen top level domain (TLD). For example, Conficker DGAs are made of 5-11 a-z characters, with one of the following top level domains: com, net, org, info, biz (conficker.a); cc, cn, ws, com, net, org, info, biz (conficker.b). Other malware families, such as Bigviktor, use a combination of words from a dictionary or from websites all over the internet. In this botnet’s case, the DGA is created from a combination of 3-4 words from four predefined dictionaries, appended with a variety of TLDs: art, click, club, com, fans, futbol, in, info, link, net, nl, observer, one, org, pictures, realty, rocks, tel, top, xyz.
(Picture courtesy of Akamai)
Blocking DGAs with DNS
To beat DGAs and get ahead of cyber attacks, you need to proactively block traffic to and from the daily-generated domains in real time. Blocking traffic at the DNS level allows users to block malicious domains from communicating with the network. ThreatSTOP’s DNS firewall does exactly that. Using the data provided by several threat intelligence sources, such as the Qihoo 360 research team and Farsight Security, we have constructed a number of target lists that protect our customers from DGAs.
To get an idea of the threat types using DGAs, here is a list of five prevalent malware families whose daily domain lists are constantly updated in our DNS firewall blocklists:
- Conficker (also: Downup, Downadup, and Kido) a computer worm that targets Windows. First detected in 2008, Conficker uses dictionary attacks and forms a botnet. When first discovered its purpose was unknown, it simply replicated between.
- Game Over ZeuS: (also: GOZ) successor to ZeuS, it uses encrypted P2P (based on Kademila) to communicate with its C2.
- Bamital: a family of malware that intercepts web browser traffic and prevents access to certain security-related websites by modifying the Bamital variants may also modify certain legitimate Windows files in order to execute their payload.
- Ramnit: a computer worm affecting Windows users. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. Today, this infection is estimated at 3,200,000 PCs.
- Symmi: (also: MewsSpy and Graftor) a family of malicious Trojan horses which pretends to be legitimate applications. Once compromised, it will try to connect to the internet and contact various different servers without the user’s knowledge, most likely to get commands from the attacker or to download more malware.
Read more on our DNS security solutions here.
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?