The importance of DGAs for malware and ransomware campaigns

The vast majority of active malware and ransomware families include some form of communication with command and control systems (C&Cs). This is necessary so that malicious artifacts can receive instructions, which range from which institutions to target, to encryption keys for ransomware, to targets for DDoS bots.

Command and control systems are vital for the success of malicious campaigns and are analyzed in detail by security companies that work around the clock to shut them down. This results in a "cat and mouse" game between attackers, who employ new features to make the takedown process more complex and time consuming, and security vendors, who strive to protect their customers.

Initially, command and control systems were hosted at IP addresses or host names hard-coded into malware samples. Taking down such services is, most of the time, easy and quick, so malicious campaigns do not remain active for long. Attackers evolved from fixed IPs and hosts to fast flux domains, lists of domain names, peer-to-peer communications, Tor services and finally DGA domains.

DGAs (domain generation algorithms) are specially designed computer algorithms that periodically generate large lists of domain names.

For example, there are ransomware families that employ a DGA that generates 1,000 new domain names every day. Samples installed on victim computers try to resolve each of the domains in the list, one at a time, until they successfully communicate with a C&C. This strategy greatly complicates the takedown process because the attacker can register any of the 1,000 domains, and that domain is good for only one day. Therefore, if today's domain is taken down, the attacker has another 1,000 options tomorrow.
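The defensive side of the scheme described above, as an added example that is not part of the original post or Malware Patrol's own tooling: once a family's DGA has been reverse engineered, a defender can run the same date-seeded algorithm ahead of time, turn the day's 1,000 domains into a block list, and match DNS query logs against it. The `toy_dga` function below is a constructed stand-in for a real family's algorithm (hash of a fixed seed, the date and a counter), the DNS log lines are constructed, and the log format (`timestamp client-ip queried-name`) is an assumption. It also covers one practical caveat: infected hosts do not all have accurate clocks, so the block list spans a window of days rather than a single day.

```python
"""Precompute a DGA's daily domains and match them against DNS query logs.

toy_dga() is a constructed example algorithm, not any real malware family's DGA.
It is date-seeded so that every infected host (and the attacker) derives the
same 1,000 names for a given day, which is exactly what lets a defender
compute the list in advance.
"""
import hashlib
from collections import Counter
from datetime import date, timedelta

TLDS = ("com", "net", "org")


def toy_dga(day, count=1000, seed=b"constructed-seed"):
    """Return `count` deterministic domain names for `day` (constructed algorithm)."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).hexdigest()
        # Map 12 hex digits onto the letters a-p so the label is a valid hostname label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def build_blocklist(day, window_days=1):
    """Domains for `day` plus/minus `window_days`, to tolerate skewed victim clocks."""
    block = set()
    for offset in range(-window_days, window_days + 1):
        block.update(toy_dga(day + timedelta(days=offset)))
    return block


def find_dga_lookups(log_text, blocklist):
    """Return (client_ip, queried_name) for every log line whose name is on the block list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed or empty lines
        _timestamp, client, qname = parts[:3]
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in blocklist:
            hits.append((client, qname))
    return hits


def lookups_per_client(hits):
    """Count DGA lookups per client; a host walking the list one name at a time stands out."""
    return dict(Counter(client for client, _ in hits))


# Constructed sample: one day's list, the next day's list, and a small DNS query log.
DAY = date(2024, 1, 15)
TODAY_DOMAINS = toy_dga(DAY)
TOMORROW_DOMAINS = toy_dga(DAY + timedelta(days=1))

SAMPLE_DNS_LOG = "\n".join([
    "2024-01-15T08:00:01 10.0.0.5 www.example.com",
    f"2024-01-15T08:00:02 10.0.0.5 {TODAY_DOMAINS[0]}",
    f"2024-01-15T08:00:02 10.0.0.5 {TODAY_DOMAINS[1]}.",   # trailing dot, as some resolvers log it
    f"2024-01-15T08:00:03 10.0.0.5 {TODAY_DOMAINS[2].upper()}",
    "2024-01-15T08:10:00 10.0.0.9 mail.example.org",
    f"2024-01-15T23:59:58 10.0.0.7 {TOMORROW_DOMAINS[0]}",  # host whose clock is slightly ahead
])


if __name__ == "__main__":
    hits = find_dga_lookups(SAMPLE_DNS_LOG, build_blocklist(DAY))
    for client, count in lookups_per_client(hits).items():
        print(f"{client}: {count} DGA lookup(s)")
```

With the one-day window, the host whose clock is already on the next day is still caught; with `window_days=0` it is missed, which is the argument for generating the list for a span of dates rather than for today only.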

Ransomware binaries need an encryption key known to the attacker and won't encrypt victim files if they can't communicate with a command and control system. Similarly, malware that can't reach its C&C won't relay stolen personal and financial information.

Recently, a new ransomware variant was found to include DDoS capabilities. The malicious artifact receives an encryption key as well as commands to launch DDoS attacks against other victims. This highlights the necessity of actively blocking access to domain names generated via DGAs, as well as to command and control URLs.

Malware Patrol tracks a large number of malware and ransomware families that employ DGAs. We provide threat data feeds and block lists, helping organizations protect their employees, customers and assets from infections and data exfiltration.


Andre Correa - Malware Patrol Co-founder
Information Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, current cyber security landscape, incident response, security mechanisms and best practices.
He founded the Malware Patrol project in 2005. The company helps enterprises around the world protect themselves from malware and ransomware attacks through some of the most comprehensive threat data feeds and block lists on the market.
