The authors behind the Conficker variants experimented with a number of algorithms but, at the end of the day, they failed to construct a cohesive botnet. Despite that “minor flaw”, Conficker infected devices still account for a sizable fraction of known malware infections around the work – years after the threat was studied to death and detection/protection/cleanup solutions are available everywhere.
There were a few other malware families that briefly rode the coattails of Conficker – further refining the Domain Generation Algorithm (DGA) technique as a form of evasion against protection systems that relied upon blacklists, signatures and pseudo-signatures. But, after a few months, the threat had been largely forgotten.
“Forgotten” probably isn’t the right word. The Conficker Working Group is still tracking victims and hoping against hope to identify the masterminds behind the botnet should they ever attempt to set up a real C&C server and provide new instructions to the derelict zombie hoard they created. By “forgotten” (complete with quotes), what I refer to is a general complacency for the threat and the inability of today’s network protection systems and monitoring solutions to identify malware that makes use of DGAs.
The DGA threat was a technique uncovered by malware reverse engineers and rose to public attention because of the novelty of the method – rather than any advancement’s in detecting and mitigating the threat. DGAs are a pain – they’re supposed to be. They exist to defeat network detection and blocking technologies, and they did it really well. Today they’re doing it even better!
While DGA’s disappeared from a media perspective, they also disappeared from a threat protection perspective too. They disappeared largely because the badguys got better – not because they stopped using them or consigned them to history.
Damballa Labs released a report recently covering new DGA discoveries and global trends, as well as a blow-by-blow case study of one DGA-based crimeware campaign. Whilst I recommend that you read the reports yourself, there are a number of really important findings that you should pay attention to:
- DGAs aren’t dead. Instead, they’re being added to already-stealthy crimeware at an alarming rate.
- DGAs are being adopted as backup strategies. Even if the crimeware family is well known and it’s traditional C&C infrastructure is blocked or disabled (e.g. web filtering, firewall blacklists, etc.), the DGA fallback plan is kicking in and allowing the crimeware to receive new instructions and upload stolen data.
- C&C servers are becoming more agile. The criminal operators behind the DGA-based crimeware are exposing their C&C servers for the minimum amount of time. Domains are registered and DNS configurations are made “just in time” (i.e. a few minutes before the algorithm is supposed to call the domain), and the C&C servers are shut down and removed immediately afterwards – something that can be done within an hour.
- Dynamic analysis and auto-gen signature systems are failing. Automated systems that perform dynamic malware analysis on the DGA-based crimeware are producing irrelevant detection signatures. By the time the crimeware passes through the analysis and a signature is deployed for alerting/blocking, the crimeware family is already on to the next C&C server possibility.
While the addition of DGAs to already stealthy and advanced crimeware is a significant threat to corporate defenses, it should be noted that the processes now employed by their criminal operators concerning the registration of domain names, configuration of DNS, and addition/removal of C&C servers is equally advanced. Like a delicate ballet dance, professional cybercriminals are optimizing their deployments for the maximum gain and the lowest exposure.
That said, there are still ways of detecting both the employment of DGAs and their crimeware victims – and this can be done on a very large scale. Employing a number of novel techniques applied to DNS traffic, it is possible to automatically enumerate the threat. It’s not easy and bound to result in a number of patents, but it can be done – as hinted at in the Damballa Labs research report.
The obvious question: “If DGAs can now be detected, won’t the bad guys stop using them or modify them so they’re less detectable?” Well, it’s OK with me if the bad guys stop using them – but I doubt that that’s likely. The technique is stealthier than any other they have in their arsenal and will continue to work against the traditional/legacy network protection platforms for a long time to come. As for modification, there’s very little they can do beyond reducing the number of domains the algorithm tries per day (which makes it more susceptible to traditional blacklist approaches if they do), or they employ less randomness in their algorithms – which makes the approach less flexible and more cumbersome (which would slow down the detection of small botnets, and have no effect on large infection outbreaks).
In the meantime it looks like a sizable number of new DGAs have been hiding out there for the last year – undetected by the multitude of security vendors and researchers. I’m sure there are many more awaiting illumination.