Malware – Domain Generation Algorithm (DGA)

Ask anyone in the incident response community and they will tell you the malware analysis is becoming a large part of their day-to-day activities. Malware seems to be everywhere and they are getting smarter and more effective. Generally malware behave predictably, they infect the system, drop files, make changes to the registry settings to be persistent, connect back to command and control (C&C) server and perform exfiltration activities on the system by stealing confidential data. The malware analysis process provides in-depth information on such activities. Once a understanding is achieved on the activities of a particular piece of malware organizations can then take necessary actions to protect their networks.  Steps taken include blocking the malicious IPs being used by the malware and also by creating the indicators of compromise (IOCs) to help further in the forensics and incident response activities.

Here is an example of a recent investigation we performed.   A user received a phishing email with an attached Word document file.

malware1

The user not only opened up the email but also clicked on the attachment to view the document. Once our team was alerted we began the triage process.  We captured the malware sample from the infected system and brought it to our lab for analysis.

The lab environment includes a system running with Cuckoos sandbox, the malware sample was uploaded and the report was generated. The Cuckoo sandbox report is divided into the following sections:

  • Quick overview
  • Static analysis
  • Behavior analysis
  • Network analysis
  • Dropped files

The sandbox analysis of a malware sample provided a lot of information on the design and function of this piece of malware. However, this type of analysis does not always provide the most comprehensive and in-depth analysis.  The real fun begins when we actually executed the malware in a virtual machine and sent all the traffic to a DNS sinkhole.

For DNS sinkhole we installed and setup the FaketNet tool that helps in the dynamic analysis of the malicious software. This tool simulates a network and captures the traffic generated by the malicious software/malware.  The tool is highly configurable and by default it listens to and captures the traffic on port 80 as well as on DNS port 53. The following screenshot of FakeDNS tool shows the traffic generated by the examined malware which is trying to connect to IP addresses that were hard-coded in the malware for C&C server.

malware2

So far the behavior of the malware was as expected, it was trying to make connection to the C&C server.  This is nothing out of the ordinary for malware. We let it run for a while, but then we observed something we have not seen before, the FakeNet was showing connection attempts to some strange domain with random long names and there were numerous variations and requests.

malware3

FakeNet also generates a PCAP file; we opened the file in WireShark and filtered for DNS traffic and it shows all the connection attempts made to the random domains. The malware was intelligent, first connecting to bing.com to ensure network connectivity.

malware4

The question is why there were so many randomly generated domain names?  A little research revealed that it is because of domain generation algorithm (DGA). Malcious hackers have incorporated this algorithm into their malware to counter the network blocking devices where the static C&C IP addresses and domain names are being blocked by the organizations and law enforcement officials.

The new breed of malware with DGA periodically generates these domain names and waits for when the C&C responds backs.  But how does a hacker know which domain names he should register out of so many? The answer is, hackers are aware of the pattern in the algorithm and know exactly which domains are being generated once the malware is executed. In order to have a successful connection to C&C the malware must have one or two of these randomly generated domain registered, as soon as that registered DNS name is generated by the malware using DGA, the connection is established to C&C .

At this point in time there is not one comprehensive enterprise solution in available that detects and prevents against this type of sneaky and very clever way of circumventing the static blocking of IPs and domains used by the malware. Hopefully this post gives you an idea of what you can look for when examining malware.