Seculert says that Domain Generation Algorithms Developing like Malware

According to security firm Seculert, Domain generation algorithms (DGA) are developing very much like malware and have been described as a desired means for the botmaster to maintain the functionality of malware to detect technologies and to aggravate security researchers.

In June 2014, researchers of Seculert spotted the latest development in DGA and detectable recently described a variation of the Matsnu botnet whose DGA extracts nouns and verbs from an integrated list of more than 1,300 words to create domains containing phrases of 24-characters. Unlike other DGAs which generate rubbish domain names which are easily detectable by security software, Matsnu botnet makes use of a noun-verb-noun-verb arrangement to overcome machine-learning phonetic algorithms which are trained to look for domain names without any meaning.

Threatpost.com published news on 18th November, 2014, quoting an explanation by Aviv Raff, Co-Founder and Chief Technology Officer of Seculert as saying "Prevention and detection mechanisms could somehow detect such domains, but authors of some malware became aware of this and hence avoid such detection mechanism."

DGA is configurable and allows cybercriminals to decide on the quantity of domains to be generated each day and they can also specify the number of days until domain names which are previously generated can be reused. Seculert said that Trojan (referring to Matsnu) also comes with a list of 10 domain names which are hardcoded.

Matsnu is believed to spread mainly by spam email messages (in German) related to online shopping sites.

Matsnu uses HTTP requests to communicate with its C&C server whenever it infects a device. There are commands to get a status report, collect information about the system (username, version of Windows, computer name, GPU, CPU, language, virtual machines, drives and installed security solutions) and to collect a list of loaded processes and DLLs.

The C&C server can instruct the Trojan to perform many actions, including removing itself, updating predefined list of C&C domains, waiting for new commands, upgrading itself and downloading and executing files. This variant has two new commands which allow the execution of a DLL from memory by injecting it into a new instance of the svchost.exe process.

Seculert observed that communications between the infected host and the C&C is complicated and downloaded data in compressed and encrypted.

» SPAMfighter News - 11/29/2014