Domain generation algorithm
Domain generation algorithms (DGAs) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their controllers. The large number of potential rendezvous points makes it difficult for law enforcement to effectively shut down botnets, since infected computers will attempt to contact some of these domain names every day to receive updates or commands. By using public-key cryptography, it is infeasible for law enforcement and other actors to mimic commands from the malware controllers, as some worms will automatically reject any updates not signed by the malware controllers.
For example, an infected computer could create thousands of domain names such as www.aopwn47cn38vm1c5c.com and would attempt to contact a portion of these in order to receive an update or commands.
The technique was popularized by the Conficker.A and .B family of worms, which at first generated 250 domain names per day. Starting with Conficker.C, the malware would generate 50,000 domain names every day, of which it would attempt to contact 500, giving an infected machine a 1% chance of being updated every day if the malware controllers registered only 1 domain per day. To prevent infected computers from updating their malware, law enforcement would have needed to pre-register 50,000 new domain names every day.
Recently, the technique has been adopted by other malware authors, and is present in the Srizbi botnet. A DGA module is also available for the Zeus
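The following is an added example, not code from the article or from any real malware family: a constructed toy DGA seeded only by the date, shown from the defender's side. Because the output depends only on the date and a fixed seed, anyone who has reverse engineered the algorithm can precompute the day's list to pre-register or sinkhole those names and to flag DNS queries for them; the probability function reproduces the article's 1% figure (500 contacts out of 50,000 candidates, one registered domain). The seed string, alphabet, TLD list and log format are all assumptions.

```python
import hashlib
import random
from math import comb

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLDS = ("com", "net", "org")  # assumed TLD set for the toy generator


def daily_domains(day_iso, count, seed="toy-family"):
    """Deterministically derive `count` candidate domains for an ISO date.

    Constructed toy algorithm: the date and a fixed seed are hashed, and the
    hash seeds a PRNG that draws random-looking labels. Any party that knows
    the algorithm (controller or defender) computes the identical list."""
    digest = hashlib.sha256(f"{seed}:{day_iso}".encode()).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    domains = []
    for _ in range(count):
        label = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(8, 18)))
        domains.append(f"{label}.{rng.choice(TLDS)}")
    return domains


def update_probability(generated, contacted, registered):
    """Chance that at least one of `contacted` names picked without replacement
    from `generated` candidates is among the `registered` controller domains.
    P(miss all) is hypergeometric: C(generated-registered, contacted)/C(generated, contacted)."""
    miss = comb(generated - registered, contacted) / comb(generated, contacted)
    return 1 - miss


def match_dns_log(log_lines, candidates):
    """Return (client, qname) for queries whose name is in the precomputed set."""
    cand = set(candidates)
    hits = []
    for line in log_lines:
        parts = line.split()  # assumed log format: "<time> <client> <qname>"
        if len(parts) == 3 and parts[2].lower().rstrip(".") in cand:
            hits.append((parts[1], parts[2]))
    return hits


def demo(day_iso="2009-01-01"):
    """Precompute the day's 250 candidates and scan a constructed DNS log."""
    cands = daily_domains(day_iso, 250)
    log = [  # constructed sample log, one line hitting a candidate domain
        "12:00:01 10.0.0.5 www.example.com",
        f"12:00:02 10.0.0.7 {cands[3]}",
        "12:00:03 10.0.0.5 mail.example.org",
    ]
    return match_dns_log(log, cands)
```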