#RSAC: Domain generation algorithm tricks used by 6 crimeware families to carry out attacks

Six crimeware families are using some new algorithm tricks to escape detection as they carry out global attacks, according to findings from security company Damballa Inc.

The crimeware families are a new Zeus variant, Bamital, BankPatch, Bonnana, Expiro.Z and Shiz. The crimeware has been evading detection because cyber criminals are rapidly adopting domain generation algorithms (DGAs). This technique is being used to completely evade detection by blacklists, signature filters, and static reputation systems and to hide command-and-control (C&C) infrastructure. DGAs are also referred to as a form of Domain Fluxing, Damballa says. 

The eight-page Damballa research report describes, among other things, how BankPatch used DGAs to evade detection for approximately two years. Without having to reverse engineer malware or decode the DGA algorithm, Damballa Labs says it figured out how to automatically detect and model DGA behavior using patent-pending machine-learning technology.

The company also released a detailed analysis of a recent variant of the Zeus version 3 malware, and, for the first time, provided details on its use of DGAs as a secondary connection technique when the primary connection attempt is blocked or fails (the primary connection technique being peer-to-peer). 

 “While DGAs are not new, the rate at which they are being adopted and their ability to elude the scrutiny of some of the most advanced malware analysis professionals should be of great concern to incident response professionals,” Gunter Ollmann, vice president of research for Damballa, said in a statement. “We have found that the security community as a whole has insufficiently or only partially analyzed the network behaviors of DGA-capable malware. For one, some advanced malware is using DGA as a secondary connection technique when the primary technique, let’s say peer-to-peer, has failed. Those charged with protecting the enterprise that have detected or blocked the obvious primary connection technique have failed to counter the back-up technique, and the malware can then successfully locate the C&C using DGAs.”

DGAs first made major news with the outbreak of Conficker. Since that time, the DGA techniques have significantly advanced and are now being adopted by some of the more stealthy threats and by criminals desperately seeking to avoid attribution.

According to the Damballa report, "The concept of DGAs is simple enough, but incredibly stealthy. Malware that has infected an endpoint device is programmed with an algorithm that uses a ‘seed’ value, like the current date, to generate potentially hundreds of seemingly random domain names that all attempt to resolve to an IP address. Nearly all of the domain names will result in a ‘non-existent’ domain message (NXDomain). Only one or a few will actually resolve to an IP address. The criminal operator, knowing the nature of the algorithm and the seed that will be used that day, will register only one (or a few) of the domains and have them resolve to his C&C infrastructure. The next day the cycle repeats. The domains used for the previous day’s connection are discarded, meaning the domain names are ‘thrown away,’ and even if detected, would be meaningless in stopping the threat or discovering the criminal C&C."