Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


Seculert says that Domain Generation Algorithms Developing like Malware

According to security firm Seculert, Domain generation algorithms (DGA) are developing very much like malware and have been described as a desired means for the botmaster to maintain the functionality of malware to detect technologies and to aggravate security researchers.

In June 2014, researchers of Seculert spotted the latest development in DGA and detectable recently described a variation of the Matsnu botnet whose DGA extracts nouns and verbs from an integrated list of more than 1,300 words to create domains containing phrases of 24-characters. Unlike other DGAs which generate rubbish domain names which are easily detectable by security software, Matsnu botnet makes use of a noun-verb-noun-verb arrangement to overcome machine-learning phonetic algorithms which are trained to look for domain names without any meaning.

Threatpost.com published news on 18th November, 2014, quoting an explanation by Aviv Raff, Co-Founder and Chief Technology Officer of Seculert as saying "Prevention and detection mechanisms could somehow detect such domains, but authors of some malware became aware of this and hence avoid such detection mechanism."

DGA is configurable and allows cybercriminals to decide on the quantity of domains to be generated each day and they can also specify the number of days until domain names which are previously generated can be reused. Seculert said that Trojan (referring to Matsnu) also comes with a list of 10 domain names which are hardcoded.

Matsnu is believed to spread mainly by spam email messages (in German) related to online shopping sites.

Matsnu uses HTTP requests to communicate with its C&C server whenever it infects a device. There are commands to get a status report, collect information about the system (username, version of Windows, computer name, GPU, CPU, language, virtual machines, drives and installed security solutions) and to collect a list of loaded processes and DLLs.

The C&C server can instruct the Trojan to perform many actions, including removing itself, updating predefined list of C&C domains, waiting for new commands, upgrading itself and downloading and executing files. This variant has two new commands which allow the execution of a DLL from memory by injecting it into a new instance of the svchost.exe process.

Seculert observed that communications between the infected host and the C&C is complicated and downloaded data in compressed and encrypted.

ยป SPAMfighter News - 11/29/2014

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page