
White Paper

DGAs in the Hands of Cyber-Criminals


Examining the state of the art in malware evasion techniques
In recent years, Domain Generation Algorithms (DGAs) have evolved from a proof-of-concept technique capable of bypassing legacy static reputation systems (e.g. domain blacklists) into full-featured stealth modules embedded within an increasing number of today's most advanced and evasive commercial crimeware toolkits. DGAs are also referred to as a form of domain fluxing. Instead of relying on a static list of command-and-control (C&C) domains distributed with the crimeware agent, or waiting for configuration file updates in order to locate additional C&C servers, a growing number of crimeware families now employ DGA-based systems designed to dynamically hunt for probable C&C locations. Over the last 12 months, Damballa Labs has discovered advanced evasion techniques being used by six crimeware families. These techniques appear to be used by dozens of separate cybercrime organizations, many of which continue to evade popular host- and network-based defenses. The commercial crimeware toolkits that now include DGA modules allow cybercriminals to tune and personalize their DGA algorithms, allowing per-botnet DGA capabilities and offering increased resiliency against static reputation defenses.

Of the multiple new DGAs uncovered by Damballa Labs, six could be attributed to known (but previously poorly studied) crimeware families. These crimeware families are Shiz, Bamital, BankPatch, Expiro.Z, Bonnana, and a recent Zeus variant.

New discovery techniques pioneered through joint research between Damballa Labs, Georgia Tech and the University of Georgia have revealed the extent of this new threat. Some of the newly confirmed DGA-based crimeware families have been in operation and evading network defenses since at least November 2011. Using this new detection technology, as of February 2012, Damballa Labs has also identified up to six additional DGA families which are yet to be conclusively associated with community-captured crimeware binaries.

Research report highlights:
- Six new crimeware families were identified as employing DGAs for evasion purposes.
- Six additional DGAs have been uncovered that have yet to be associated with any previously known or captured crimeware samples.
- The C&C servers supporting modern DGA crimeware are predominantly located in Eastern bloc countries.
- The most frequently abused top-level domains (TLDs) are .com, .ru and .org.
- Cybercriminals register their C&C domain(s) less than an hour before the DGA produces them as candidates, and dispose of them within 24 hours.

What are DGAs?


Botnets and other remotely-controllable crimeware must be able to locate and connect to a remote server in order to receive new commands and transfer stolen data. Traditional classes of malware tend to be distributed with a short list of hard-coded domain names or IP addresses of C&C servers that the malware will attempt to connect to once it has been successfully installed on the victim's computer. In most cases, the malware will cycle through the list until it finds a "live" C&C server. A longer list of candidate C&C servers provides more resilience against takedowns and Internet filtering technologies. Embedding a static list of C&C candidates within malware poses problems for cybercriminals should the malicious binary eventually be captured and analyzed by security vendors and analysts. To overcome this frailty, the majority of modern malware (i.e. crimeware) has turned away from hard-coded lists and is designed to regularly update configuration files with new C&C candidate information.

While offering increased resiliency, crimeware reliant on configuration updates is still vulnerable to timely analysis and C&C takedown. In response, cybercriminals have designed algorithms that, given a particular date, time and seed value, will produce a number of candidate domains and then test each one to determine whether a C&C server is listening. One of the earliest and most analyzed DGA-based crimeware families is Conficker (aka Downup, Downadup and Kido). Originally detected in late 2008, Conficker.A employed a pseudorandom DGA that selected 250 candidate domains from five possible top-level domains (TLDs). By early 2009, the fourth variant, Conficker.D, randomly selected and tested 500 candidate domains each day from a possible 50,000 generated domains spread over 110 TLDs. Since then, the algorithms used by the various DGA-based crimeware have diversified and become more efficient at locating their hidden C&C servers.

The purpose of a domain generation algorithm is to:
- Make it impossible for static reputation systems to maintain an accurate list of all possible C&C domains.
- Allow the cybercriminals to evade perimeter-based network filtering technologies.
- Maintain a small but agile physical C&C infrastructure that only needs to be configured and turned on for short periods of time.
- Provide "just-in-time" registration of domain names to avoid reactive counter-measures and law enforcement.
- Allow crimeware agents to propagate and establish a large infection base without exposing the C&C infrastructure.
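To make the date-and-seed mechanism concrete, the following is an added illustrative example written for this edit. It is not Conficker's or any other family's actual algorithm and not code from the original paper: a hypothetical DGA whose output depends only on the date and a per-botnet seed, the bot-side walk through the candidate list until one resolves, and the defender-side pre-computation that becomes possible once the algorithm and seed are known (the basis of sinkholing and pre-registration). The TLD list, the seed value, the domain count and the SHA-256-based pseudo-random stream are assumptions chosen for illustration.

```python
"""Illustrative date-seeded DGA (added example; not any real family's algorithm)."""
import hashlib
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical parameters: a real family hard-codes its own TLD list and seed.
TLDS = [".com", ".ru", ".net", ".biz", ".org"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_domains(day: date, seed: int, count: int = 250,
                     min_len: int = 8, max_len: int = 16) -> List[str]:
    """Return `count` candidate C&C domains for `day` under botnet-specific `seed`.

    Deterministic: every infected host, and every analyst who knows the
    algorithm and seed, derives exactly the same list for the same date.
    """
    domains = []
    for i in range(count):
        # SHA-256 of (date, seed, index) serves as the per-domain random stream.
        material = f"{day.isoformat()}|{seed}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        length = min_len + digest[0] % (max_len - min_len + 1)
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(label + tld)
    return domains


def find_live_c2(candidates: List[str],
                 resolve: Callable[[str], Optional[str]]) -> Tuple[Optional[str], int]:
    """Walk the day's list the way the crimeware does.

    `resolve` stands in for a DNS lookup and returns an IP or None (NXDomain).
    Returns the first live domain and the number of NXDomains produced before
    finding it; that failure count is exactly the signal a defender can watch.
    """
    nxdomains = 0
    for domain in candidates:
        if resolve(domain) is not None:
            return domain, nxdomains
        nxdomains += 1
    return None, nxdomains


def candidates_for_window(seed: int, start: date, days: int) -> Dict[date, List[str]]:
    """Defender side: pre-compute every candidate for the coming `days`.

    With the algorithm and seed recovered from a sample, the defender can
    register, sinkhole or block the candidates before the botnet queries them.
    """
    return {start + timedelta(days=d): generate_domains(start + timedelta(days=d), seed)
            for d in range(days)}


if __name__ == "__main__":
    today = date(2012, 2, 1)  # constructed date for the demonstration
    todays_list = generate_domains(today, seed=1234)
    live = todays_list[17]     # pretend the operator registered the 18th candidate
    found, failures = find_live_c2(todays_list, lambda d: "198.51.100.7" if d == live else None)
    print(f"live C&C: {found}, NXDomains produced first: {failures}")
    week = candidates_for_window(1234, today, 7)
    print(f"defender pre-computed {sum(len(v) for v in week.values())} candidates for 7 days")
```

Because the list is a pure function of date and seed, the bot and the defender are symmetric: whoever computes the list first wins the domain. That is why the paper's later observation, that operators register a domain less than an hour before it becomes a candidate, matters. The window in which a defender can act is deliberately kept short.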

Studying the DGA Epidemic


Researchers from Damballa Labs, in collaboration with Georgia Tech and the University of Georgia, invented a number of technologies capable of detecting DGA-based crimeware installations and enumerating the cybercriminals' infrastructure associated with their C&C hosting. For the last year, Damballa Labs researchers have been employing these techniques to ascertain the true extent of this new category of threat. Utilizing Damballa's extensive global visibility of DNS traffic, Damballa Labs identified key characteristics of DGA-based crimeware deployments. One of the key detection attributes for crimeware that employs a DGA to find live C&C servers rests in its failure, in particular its daily production of unsuccessful DNS resolutions for nonexistent domain names. These nonexistent domain name responses (referred to as "NXDomains" in the remainder of this paper) have proven to be a reliable detection feature for DGA usage.

DGA Detection and NXDomains in Very Large Networks


On any given day, a sizeable share of DNS traffic consists of NXDomain responses, and most of it is benign. Nonexistent domain lookups are a common and normal occurrence due to factors such as fat-fingered typing, domain prefetching, outdated domain records, network misconfigurations, etc. The following figure illustrates NXDomain traffic observed at one regional location (containing about 2.5 million subscribers) within a large Internet service provider (ISP) over a period of three months. Graph (a) illustrates the daily volume of non-deduplicated NXDomains (i.e. the raw volume of responses). Graph (b) illustrates the daily volume of unique NXDomain responses.


Figure 1: NXDomain traffic from a large ISP over a three month period.

The irregular and sizable volume of NXDomain traffic ensures that signature- or rule-based detection systems that attempt to identify previously studied and dissected DGA crimeware communications will fail and likely generate significant rates of false positive alerts. In order to study the nature of the threat, Damballa research initially focused on the thousands of Murofet-infected devices (Murofet is an old, well-known and extensively studied crimeware family that employs an early-generation DGA) within the 2.5 million subscriber network segment. Damballa Labs found that 90% of Murofet victims generate more than 10 NXDomains per day, while 92% of all devices within the network create fewer than 10 NXDomains per day. DGAs by their very nature must generate a statistically significant number of pseudo-random domain names in order to evade static reputation and domain blacklist detection systems, and yet the number of domain names the crimeware must actively attempt to locate and connect to must remain finite and manageable for the cybercriminal. Damballa Labs made use of unsupervised and supervised machine learning techniques to dynamically track candidate DGAs based on two key properties: the structural properties of the NXDomain names, and the association between "herds" of devices generating the same groups of NXDomains. Damballa Labs then employed previously proven techniques to "learn" new statistical models describing any automatically discovered DGA clusters, without needing to obtain samples of the crimeware or knowledge of the particular algorithm employed by the DGA.
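The following is an added example, written for this edit and not Damballa's detector, that runs the three observable signals described above over a constructed one-day passive-DNS log: (1) per-device unique NXDomain volume against the "more than 10 per day" threshold, (2) structural properties of the failed names (length, character entropy, vowel and digit ratios), and (3) "herds" of devices that fail on the same names, grouped by Jaccard overlap of their NXDomain sets. The log format ("client qname rcode"), the client addresses, the benign typos and the DGA-looking names are all constructed; the threshold of 10 is taken from the paragraph above.

```python
"""NXDomain-based DGA detection over a constructed DNS log (added example)."""
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

NXDOMAIN = 3  # DNS RCODE 3

# Constructed DGA-looking names; two infected hosts share them (same day, same seed).
DGA_NAMES = [
    "xkq7dj2mwpq.ru", "ztpvhqeaol.com", "mvlbyxwqdrv.net", "qjfuhgzrnp.biz",
    "wdcsxopytvk.org", "hbnlkqvjgxe.com", "rytdzmqpcwa.ru", "gkfzvbxjhtn.com",
    "plqwmxtzvd.net", "uyhnbrqkwzl.ru", "cvxjqthmdpe.com", "nzrwklqgfvy.org",
]

# Constructed one-day log, one "client qname rcode" record per line.
SAMPLE_LOG = "\n".join(
    ["10.0.0.1 www.example.com 0",
     "10.0.0.1 gooogle.com 3",          # benign: typo
     "10.0.0.1 wwww.example.com 3",     # benign: typo
     "10.0.0.4 intranet.corp 3",        # benign: search-suffix leak
     "10.0.0.4 mail.example.com 0",
     "10.0.0.3 update.example.net 0"]
    + [f"10.0.0.2 {n} 3" for n in DGA_NAMES]
    + [f"10.0.0.3 {n} 3" for n in DGA_NAMES]
)


def parse_log(text: str) -> List[Tuple[str, str, int]]:
    records = []
    for line in text.splitlines():
        if line.strip():
            client, qname, rcode = line.split()
            records.append((client, qname.lower(), int(rcode)))
    return records


def nxdomains_per_client(records) -> Dict[str, Set[str]]:
    """Unique NXDomain names per client (deduplicated, as in Figure 1(b))."""
    nx = defaultdict(set)
    for client, qname, rcode in records:
        if rcode == NXDOMAIN:
            nx[client].add(qname)
    return dict(nx)


def entropy(label: str) -> float:
    """Shannon entropy of a label in bits per character."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def name_features(qname: str) -> Dict[str, float]:
    """Structural features of the registrable label (the part before the TLD)."""
    label = qname.split(".")[0]
    vowels = sum(label.count(v) for v in "aeiou")
    digits = sum(ch.isdigit() for ch in label)
    return {"length": len(label), "entropy": entropy(label),
            "vowel_ratio": vowels / len(label), "digit_ratio": digits / len(label)}


def flag_by_volume(nx: Dict[str, Set[str]], threshold: int = 10) -> Set[str]:
    """Clients producing more than `threshold` unique NXDomains in the window."""
    return {c for c, names in nx.items() if len(names) > threshold}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def herds(nx: Dict[str, Set[str]], min_similarity: float = 0.5) -> List[Set[str]]:
    """Group clients whose NXDomain sets overlap (single-linkage on Jaccard)."""
    clients = sorted(nx)
    parent = {c: c for c in clients}

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]
            c = parent[c]
        return c

    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            if jaccard(nx[a], nx[b]) >= min_similarity:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for c in clients:
        groups[find(c)].add(c)
    return [g for g in groups.values() if len(g) > 1]


def detect(text: str, threshold: int = 10) -> dict:
    nx = nxdomains_per_client(parse_log(text))
    flagged = flag_by_volume(nx, threshold)
    profile = {}  # mean structural features of each flagged client's failed names
    for c in flagged:
        feats = [name_features(n) for n in nx[c]]
        profile[c] = {k: sum(f[k] for f in feats) / len(feats) for k in feats[0]}
    return {"nx_counts": {c: len(s) for c, s in nx.items()},
            "flagged": flagged, "herds": herds(nx), "profile": profile}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The volume threshold alone already separates the two infected hosts from the benign ones in this log, but on a real network it is the combination that matters: a single host with many failed lookups may be a misconfigured resolver, whereas a herd of hosts failing on the same low-vowel, high-entropy names is hard to explain by anything other than a shared algorithm.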

DGA Usage and Infections
A growing number of crimeware families employ DGA-based techniques as either their primary or secondary evasion strategy. The majority of previously well-studied threats such as Conficker, Murofet, Bobax and Sinowal employ DGAs as their primary network evasion technology. Meanwhile, Zeus variants are now utilizing DGAs as a backup strategy for locating their respective C&C servers should their static lists and other connection methods be defeated by enterprise network protection technologies. Of the multiple new DGAs uncovered by Damballa Labs, six could be attributed to known (but previously poorly studied) crimeware families. These crimeware families are Shiz, Bamital, BankPatch, Expiro.Z, Bonnana, and a recent Zeus variant. Crimeware that employs DGA evasion technologies tends to be used by the larger "professional" cybercrime organizations and is generally more advanced than the average malware encountered by Internet users today. However, this does not imply that its usage is limited or of a smaller scale. The top-5 largest DGA-based crimeware families of 2011 were:

Top-5 Most Prevalent DGA-based Crimeware Families
1. Conficker (all versions combined)
2. Murofet
3. BankPatch
4. Bonnana
5. Bobax

Damballa Labs also discovered that a new Zeus variant (not present in the Top-5 Most Prevalent DGA-based Crimeware Families) employs DGA-based evasion as a secondary strategy: a back-up plan used when the primary connection technique (in this case, peer-to-peer) fails. It was found to have infected several hundred devices by the first half of February 2012 and continues to grow. The variant is distributed as part of various infection campaigns. This new Zeus botnet is the focus of a separate Damballa Labs DGA Case Study.

C&C Infrastructure
Cybercriminals that add DGA capabilities to their crimeware ensure that the C&C infrastructure can be hidden from both security researchers and law enforcement until a specific date and time, at which point the infected devices automatically locate the server, connect, upload stolen data, and receive a new batch of commands. Once this is complete, the cybercriminals can disconnect their C&C from the Internet, making it impossible for law enforcement to obtain access to the servers. Through its continuous enumeration of victims of the newly identified DGA-based crimeware, Damballa Labs was able to track the C&C infrastructure for six related botnets. Despite the agility offered by DGA systems at the domain name registration level, Damballa Labs was able to identify the IP hosting infrastructure.

The following table lists the top-5 countries hosting the C&C servers used by these half-dozen DGA-dependent botnets.

Top-5 Countries Hosting DGA-based Crimeware C&C
UA Ukraine: 22 servers
RO Romania: 17 servers
RU Russia: 16 servers
HU Hungary: 14 servers
TR Turkey: 12 servers

Most Abused TLDs


The pseudo-random domain generation algorithms employed within modern crimeware do not need to be particularly sophisticated, merely good enough and unpredictable. While much of a generated domain name may be random, it must still be compatible with the existing DNS hierarchy, which means TLDs must be drawn from a list of legitimate candidates (e.g. .com, .net, .co.uk, etc.). Because these TLDs must be legitimate, and the domain name itself must be correctly registered by the cybercriminal in order to be used for C&C purposes, the popularity of TLDs employed by DGAs tends to reflect the ease with which domains under them can be obtained. The top-5 most abused TLDs, based on passive observations of NXDomain responses associated with the new crimeware variants Damballa Labs identified, are:

Top-5 Abused TLDs by DGAs (observed NXDomain responses)
.com 3,297,431
.ru 460,567
.net 38,382
.biz 37,783
.org 36,573

Rapid Domain Registration


Damballa Labs has discovered that some cybercriminals who employ DGAs register their C&C domain and configure its DNS an hour or less before the DGA generates that domain as a candidate. They then abandon the domain and shift their C&C server within 24 hours of the DGA generating it.

Summary
DGAs are being adopted by criminal operators at a growing rate because of the confidence they provide that the operators can evade blacklists, signature filters and static reputation systems. They are specifically being adopted by criminals who want their campaigns to be especially stealthy. Maintaining a DGA-based crimeware network involves more work for the criminal operator, but there is also a much better chance that they will go completely undetected and that their C&C infrastructure will remain intact.

With the leak of the Zeus source code, we should anticipate more and more Zeus-like variants using a DGA as either a primary or a back-up connection technique. An example uncovered by Damballa is highlighted in the related Damballa Labs DGA Case Study. Damballa has found that for most of the DGA-based threats we have uncovered, the malware eventually associated with the DGA activity had been insufficiently (or only partially) analyzed by the security community. Either the DGA capabilities were missed altogether, because the DGA is only used as a secondary connection technique when the primary technique (e.g. static lists or peer-to-peer) fails, or the successful domain connections for that day were misconstrued to be the whole C&C infrastructure. It is notable that the multiple variants listed in this report are designed to steal similar information. Attribution to the criminal operators is nevertheless very difficult, because the domain names can be very short lived and therefore hard to observe during malware analysis, especially in the absence of passive DNS data and related analysis capabilities. If the attackers also segment the infected population and keep different domain names active for different time zones, the analyst's task becomes harder still. For all the reasons stated in this report, criminal DGAs are going largely undetected by the security community, and most certainly by the enterprise customers it aims to protect. Damballa Labs has been monitoring this trend for years and has developed patent-pending technologies specifically designed to identify these threats in their early days, long before the malware has been discovered and analyzed by the security community. These inventions are now providing automated detection capabilities for our customers: rapidly detecting and pinpointing devices infected with DGA-based malware, automatically classifying the malware family (without having to see the malware or the infection), and providing attribution for the threat.

About Damballa

Damballa is a pioneer in the fight against cybercrime. Damballa provides the only network security solution that detects the remote control communication that criminals use to breach networks to steal corporate data and intellectual property, and conduct espionage or other fraudulent transactions. Patent-pending solutions from Damballa protect networks with any type of server or endpoint device including PCs, Macs, Unix, smartphones, mobile and embedded systems. Damballa customers include mid-size and large enterprises that represent every major market, telecommunications and Internet service providers, universities, and government agencies. Privately held, Damballa is headquartered in Atlanta. http://www.damballa.com

Copyright 2012, Damballa Inc. All rights reserved worldwide

ID.30.109.0223
