DGA clustering and analysis: mastering modern, evolving threats

Botconf 2015
2023-04-28 | 12:40 – 13:00

Aliaksandr Chailytko (speaker) | Aliaksandr Trafimchuk (speaker) | Ron Davidson

Conficker was the first to introduce Domain Generation Algorithms (DGAs) to the malware world. Today's malware practically uses it as a basic building block.
Malware researchers have tackled this problem with various tools and techniques with varying degrees of success.
In this talk, we will present a method which allows us to analyze samples of a specific malware family that is utilizing a DGA technique. It works regardless of the DGA initialization vector and with no reverse engineering (RE) required, enabling a cluster-based analysis. This method also automatically ranks potential sinkhole domains and allows analysis of the whole malware family, a specific campaign, etc.
We will present the proof of concept (PoC) of our system and demonstrate its abilities on the Tinba malware family. This will include showing connections between different campaigns and compelling results. Most importantly, we will discuss how to utilize the outcome of the analysis in order to create smarter protections against similar malware.
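The abstract describes two outputs of the method: grouping samples of a DGA family into clusters without knowing the seed, and ranking which of the queried domains are likely sinkholes. The following is an added illustration of that idea, not the speakers' system or any code from the talk. It assumes a simplified data model (per-sample DNS observations as `(sample_id, domain, resolved_ip)` tuples, constructed here) and a deliberately simple lexical signature (TLD, label length, character-entropy bucket, low vowel ratio) as the seed-independent clustering key; the sinkhole score (samples querying the domain times the number of clusters its IP answers for) is a heuristic chosen for the example, not the talk's ranking.

```python
"""Seed-independent clustering of DGA samples and sinkhole-candidate ranking.

Added example with constructed data; it is not the presenters' PoC.
"""
from collections import Counter, defaultdict
import math

# Constructed observations: (sample_id, queried_domain, resolved_ip or None).
# None models an NXDOMAIN answer, which is what most generated domains return.
OBSERVATIONS = [
    ("s1", "kvjxqwmplrtz.com", None),
    ("s1", "hqzrtpwlmxkc.com", None),
    ("s1", "xlwqzvmtprkn.com", "203.0.113.10"),
    ("s2", "plwmkvqxztrh.com", None),
    ("s2", "xlwqzvmtprkn.com", "203.0.113.10"),
    ("s2", "mtqkrwzplvxh.com", None),
    ("s3", "qwlxmtpr.net", None),
    ("s3", "zkvhrtlw.net", "203.0.113.10"),
    ("s4", "lwmrqktz.net", None),
    ("s4", "zkvhrtlw.net", "203.0.113.10"),
    ("s5", "update.example.org", "198.51.100.5"),  # dictionary-looking lookup
]


def entropy(s: str) -> float:
    """Shannon entropy (bits per character) of a string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def signature(domain: str) -> tuple:
    """Lexical shape of a domain that does not depend on the DGA seed.

    A fixed algorithm tends to emit labels of constant length, over a fixed
    alphabet, under a fixed TLD; those survive across seeds while the actual
    characters do not. (Assumed feature set for this example.)
    """
    label, _, tld = domain.rpartition(".")
    sld = label.split(".")[-1]  # second-level label only
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return (tld, len(sld), round(entropy(sld)), vowel_ratio < 0.2)


def cluster_samples(observations):
    """Group samples by the dominant signature of the domains they query."""
    per_sample = defaultdict(Counter)
    for sample, domain, _ in observations:
        per_sample[sample][signature(domain)] += 1
    clusters = defaultdict(list)
    for sample, sigs in per_sample.items():
        dominant, _ = sigs.most_common(1)[0]
        clusters[dominant].append(sample)
    return {sig: sorted(samples) for sig, samples in clusters.items()}


def rank_sinkhole_candidates(observations, clusters):
    """Score resolving domains: shared by many samples and served by an IP
    that answers for several clusters (campaigns) is typical of a sinkhole.

    Returns a list of (score, domain, ip, samples) sorted best-first.
    """
    sample_to_cluster = {s: sig for sig, ss in clusters.items() for s in ss}
    samples_by_domain = defaultdict(set)
    ip_by_domain = {}
    clusters_by_ip = defaultdict(set)
    for sample, domain, ip in observations:
        samples_by_domain[domain].add(sample)
        if ip is not None:
            ip_by_domain[domain] = ip
            clusters_by_ip[ip].add(sample_to_cluster[sample])
    ranked = []
    for domain, samples in samples_by_domain.items():
        ip = ip_by_domain.get(domain)
        if ip is None:
            continue  # unregistered generated domain: cannot be a sinkhole
        score = len(samples) * len(clusters_by_ip[ip])
        ranked.append((score, domain, ip, sorted(samples)))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    clusters = cluster_samples(OBSERVATIONS)
    for sig, samples in clusters.items():
        print("cluster", sig, "->", samples)
    for score, domain, ip, samples in rank_sinkhole_candidates(OBSERVATIONS, clusters):
        print(f"{score:>3}  {domain:<22} {ip:<14} {samples}")
```

On the constructed data the two clusters of random-looking 12-character `.com` and 8-character `.net` labels each share one resolving domain, and both resolve to the same IP, which is exactly the cross-campaign link the abstract says the analysis surfaces; the dictionary-looking `.org` lookup lands in its own cluster and scores lowest. In practice the score is a starting point for analyst review, not a verdict: a live C2 that several campaigns share would score the same way.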

