DGArchive – A deep dive into domain generating malware
An observable trend in recent years of malware development is the increased use of Domain Generation Algorithms (DGAs). After having announced the project “DGArchive” in a lightning talk at last year’s Botconf, we would like to follow up with a full talk proposal for this year. The core idea of DGArchive is to build a high-coverage database of DGA domains. On the one hand, this allows time-independent checks of potential DGA domains; on the other hand, blocklists can be derived from it for network protection.
The presentation will feature an overview of all DGAs and pseudo-DGAs that were reversed and reimplemented to enable calculation of their potentially malicious domains (40 families with 250+ seeds/campaigns, totalling more than 20 million domains at the time of writing).
Based on the knowledge obtained in this process, we will present comparative metrics on the behavioural characteristics of the different DGAs.
These include features of the domain generation strategy, such as the calculation method, potential time dependency and domain validity periods, as well as more general statistics such as the number of domains per period, domain lengths and TLD usage.
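The following is an added example, not code from DGArchive or from any real malware family: a constructed, hypothetical time-seeded DGA is reimplemented so that its domains can be precomputed for a date range, checked offline (the time-independent lookup described above) and summarised with the metrics listed here (domains per period, label lengths, TLD usage). The function names `toy_dga`, `precompute`, `lookup` and `metrics`, the seed string `"campaign-A"`, the TLD pool and the eight-domains-per-day rate are all assumptions chosen for illustration.

```python
"""Added example (not DGArchive's code): a constructed, hypothetical time-seeded
DGA, reimplemented so its domains can be precomputed, looked up offline and
summarised with per-period counts, length distribution and TLD usage."""
import hashlib
from collections import Counter
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")   # constructed TLD pool for the toy DGA
DOMAINS_PER_DAY = 8                     # constructed: domains per period (one day)


def toy_dga(seed: str, day: date, count: int = DOMAINS_PER_DAY) -> list:
    """Deterministic toy DGA with a daily period, seeded by a campaign string.
    Labels are derived from MD5(seed || date || index). This mimics the generic
    'hash of seed and time' calculation method but reproduces no real family."""
    domains = []
    for i in range(count):
        digest = hashlib.md5(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        length = 8 + digest[0] % 8                       # label length 8..15
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[15] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute(seed: str, start: date, days: int) -> dict:
    """Build the archive for a date range: domain -> validity period (the day)."""
    archive = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for dom in toy_dga(seed, day):
            archive[dom] = day
    return archive


def lookup(archive: dict, domain: str):
    """Time-independent check: was this domain ever generated, and for which day?
    Returns the validity day, or None when the domain is not in the archive."""
    return archive.get(domain.lower().rstrip("."))


def metrics(archive: dict) -> dict:
    """Comparative metrics: domains per period, label-length distribution, TLD usage."""
    per_period = Counter(archive.values())
    lengths = Counter(len(dom.split(".")[0]) for dom in archive)
    tlds = Counter(dom.rsplit(".", 1)[1] for dom in archive)
    return {"per_period": dict(per_period), "lengths": dict(lengths), "tlds": dict(tlds)}


if __name__ == "__main__":
    arc = precompute("campaign-A", date(2015, 1, 1), 7)   # constructed seed and range
    print(len(arc), "domains precomputed")
    sample = next(iter(arc))
    print(sample, "->", lookup(arc, sample))
    print("example.com ->", lookup(arc, "example.com"))
    print(metrics(arc))
```

The archive dictionary is the data structure a blocklist would be exported from; because generation is deterministic, the same seed and date range always yield the same set, so a candidate seen in DNS logs can be checked long after its validity period has passed.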
In cooperation with DomainTools, we present a case study on the registration status of the DGA domains we collect. The granularity of the data supplied by DomainTools allows us to look deeper into the usage and effectiveness of DGAs from a botmaster’s perspective.
Apart from looking into how many of the DGA domains are actually registered, we will outline collisions of DGAs (especially wordlist-based ones) with legitimate websites.
This part of the presentation will include a study of registration timing behaviour, providing a better understanding of how botmasters manage time-based DGAs.
Additionally, looking at 100+ identified campaigns of TinyBanker, we will analyse the uptime of these campaigns and the reaction times for mitigation, i.e. when domain control has shifted, e.g. from a botmaster to a sinkhole.