Adoption of DGAs towards Escaping Detection
Malware authors are switching to flexible domain generation algorithms (DGAs) to evade detection and to keep their botnets from being taken down by security researchers or law enforcement agencies, COMPUTERWORLD reported on February 27, 2012.
DGAs are commonly used to deliver instructions to compromised computers without relying on hard-coded command-and-control (C&C) servers. Each day, the algorithm generates a fresh list of pseudo-random domain names; the infected clients try these so that they can still receive commands when the primary servers become unreachable.
A complete picture of the malware is only possible once the algorithm itself has been recovered from it. With the algorithm in hand, the domain names the infection will use on given dates can be predicted, so that defenders can register them in advance.
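The following is an added example, not code from the article or from any of the research it cites. The generator is a constructed toy (a SHA-256 of a fixed seed and the calendar date), not the algorithm of Conficker, Zeus or any real family; its purpose is to show the mechanism described above and the two defensive uses that follow from recovering a DGA: pre-computing the coming days' domains so they can be registered or sinkholed ahead of time, and matching DNS logs against that list. The seed, the log format and the log lines are all assumptions made for the example.

```python
"""Added example: defender-side use of a recovered DGA (constructed toy, not a real family)."""
import hashlib
import math
import re
from collections import Counter
from datetime import date, timedelta

TLDS = ("com", "net", "org")
SEED = b"constructed-example-seed"   # assumption: a real sample would hide its own seed
START_DAY = date(2012, 3, 3)         # constructed date used by the sample log below


def generate_domains(day: date, count: int = 5, seed: bytes = SEED) -> list[str]:
    """Toy DGA: derive `count` domains from the calendar date.

    The bot and the analyst who recovered the algorithm both produce the same
    list, which is exactly why recovering the algorithm matters to defenders.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).hexdigest()
        # map 12 hex digits onto the letters a-p to get a DNS-safe label
        label = "".join(chr(ord("a") + int(h, 16)) for h in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_domains(start: date, days: int) -> dict[str, date]:
    """Enumerate every domain the bots will try over the next `days` days,
    keyed by the day it becomes active, so they can be registered, sinkholed
    or blocklisted before the operators get to use them."""
    table: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in generate_domains(day):
            table[domain] = day
    return table


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain: str) -> bool:
    """Cheap heuristic for DGA-like names when the algorithm is NOT known:
    long second-level label, high character entropy, few vowels. It catches
    hash-like labels but misses dictionary-word DGAs; treat hits as leads."""
    label = domain.lower().split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.35


LOG_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+)")

# Constructed resolver log lines (not real traffic): one query for a domain the
# toy DGA emits on START_DAY, one hand-made hash-like name, one normal host.
SAMPLE_DNS_LOG = [
    f"2012-03-03T09:12:01 client=10.0.0.5 query={generate_domains(START_DAY)[0]} type=A",
    "2012-03-03T09:12:07 client=10.0.0.9 query=xkqzvwbdtrpn.net type=A",
    "2012-03-03T09:12:09 client=10.0.0.7 query=mail.example.com type=A",
]


def triage_dns_log(lines: list[str], known: dict[str, date]) -> list[tuple[str, str, str]]:
    """Classify each query: 'known-dga' if it is on the precomputed list,
    'suspect' if only the heuristic fires, otherwise 'benign'."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, query = m.group("client"), m.group("query").lower()
        if query in known:
            verdict = "known-dga"
        elif looks_generated(query):
            verdict = "suspect"
        else:
            verdict = "benign"
        results.append((client, query, verdict))
    return results


if __name__ == "__main__":
    table = precompute_domains(START_DAY, days=7)
    print(f"{len(table)} domains to pre-register or sinkhole for the next 7 days")
    for client, query, verdict in triage_dns_log(SAMPLE_DNS_LOG, table):
        print(f"{client:10} {query:32} {verdict}")
```

The precomputed table is the high-confidence signal: a client resolving a domain that only the algorithm could have produced is infected, regardless of whether the domain resolves. The entropy heuristic is the fallback for the case the article warns about, DGA-capable malware whose algorithm nobody has analysed yet, and it should feed investigation rather than automatic blocking.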
According to a research report published on February 28, 2012, six identifiable families of malware have been using DGAs to evade detection and extend their criminal networks. The company has also recently released in-depth coverage of the latest variant of the Zeus (version 3) malware, detailing its use of a DGA as a fallback connection technique, used when the primary connection (peer-to-peer) is blocked or fails.
However, Gunter Ollmann, Vice President of Research at Damballa, said that although the arrival of DGAs was discussed much earlier, their rate of adoption and their ability to slip past many advanced malware-analysis systems should put professionals on alert, as published in darkREADING on February 28, 2012. The report further states that the security community has either not investigated the network behaviours of DGA-capable malware sufficiently or has fallen short in its analysis of it.
DGAs first made headlines with the outbreak of Conficker. DGA techniques have since advanced considerably and are now adopted by many stealthy threats, including criminals determined to avoid attribution.
Ollmann also expects that, with the leak of the Zeus source code and the growing investment by criminal operators in concealing and protecting their C&C infrastructure, more DGA-based malware attacks are to be anticipated, as reported in darkREADING on February 28, 2012.
» SPAMfighter News - 03-03-2012