DOI: 10.5555/3241094.3241115
Article

A comprehensive measurement study of domain generating malware

Published: 10 August 2016

Abstract

Recent years have seen extensive adoption of domain generation algorithms (DGAs) by modern botnets. The main goal is to generate a large number of domain names and then use only a small subset of them for actual C&C communication. This makes DGAs very compelling for botmasters who want to harden their botnet infrastructure and make it resilient to blacklisting and to attacks such as takedown efforts. While early DGAs were used as a backup communication mechanism, several newer botnets use them as their primary communication method, making it extremely important to study DGAs in detail.
In this paper, we perform a comprehensive measurement study of the DGA landscape by analyzing 43 DGA-based malware families and variants. We also present a taxonomy for DGAs and use it to characterize and compare the properties of the studied families. By reimplementing the algorithms, we pre-compute all possible domains they generate, covering the majority of known and active DGAs. We then study the registration status of over 18 million DGA domains and show that the corresponding malware families and related campaigns can be reliably identified by pre-computing future DGA domains. We also give insights into botmasters' strategies regarding domain registration and identify several pitfalls in previous takedown efforts against DGA-based botnets. We will share the dataset for future research and will also provide a web service to check domains for potential DGA identity.
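The core method the abstract describes, reimplementing an algorithm so that every domain it will ever generate can be pre-computed and a single observed domain attributed back to a family and a date, can be illustrated with a toy DGA. The following is an added example, not code from the paper, from DGArchive or from any of the 43 studied families: the algorithm (SHA-256 over a per-family seed, the current date and a counter) is invented for illustration, and the family names, seeds, dates and "observed" query names are constructed.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA for illustration only: NOT the algorithm of any real family.
# Each domain is derived from SHA-256 over a per-family seed, the date and a
# counter, so anyone who knows the seed (in practice: extracted by reverse
# engineering a sample) can generate the same list arbitrarily far in advance.
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 20


def toy_dga(seed: bytes, day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the `count` candidate C&C domains the toy DGA produces on `day`."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 9                       # label length 8..16
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute(families: dict[str, bytes], start: date, days: int) -> dict[str, list[tuple[str, date]]]:
    """Build a reverse index domain -> [(family, day), ...] over a window.

    A list is kept per domain because two families (or two seeds of the same
    family) can in principle emit the same name; a single-valued dict would
    silently drop one attribution.
    """
    index: dict[str, list[tuple[str, date]]] = {}
    for family, seed in families.items():
        for offset in range(days):
            day = start + timedelta(days=offset)
            for domain in toy_dga(seed, day):
                index.setdefault(domain, []).append((family, day))
    return index


def classify(index: dict[str, list[tuple[str, date]]], observed: list[str]) -> dict[str, list[tuple[str, date]]]:
    """Attribute observed query names to families via the pre-computed index.

    Only hits are returned, so names that match no DGA are simply absent.
    """
    return {name: index[name] for name in observed if name in index}


if __name__ == "__main__":
    # Constructed data: two made-up families with made-up seeds.
    families = {"familyA": b"seed-A", "familyB": b"seed-B"}
    index = precompute(families, date(2016, 8, 10), days=7)
    # Constructed "observed" DNS queries: one name from familyA's list for
    # 12 Aug 2016 plus an unrelated benign name.
    observed = [toy_dga(b"seed-A", date(2016, 8, 12))[3], "example.com"]
    for domain, hits in classify(index, observed).items():
        print(domain, "->", hits)
```

The lookup works only because the seed and the algorithm are known; recovering them from a sample is exactly the reimplementation effort the abstract refers to. A hit in the index is evidence for a family, not proof of an active C&C channel: an unregistered DGA domain cannot have served as C&C, so the index is most useful when joined with registration data, which is what the study's 18-million-domain registration analysis does.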



    Published In

    SEC'16: Proceedings of the 25th USENIX Conference on Security Symposium, August 2016, 1240 pages. ISBN 9781931971324.

    Sponsors

    • Google Inc.
    • NSF
    • Microsoft
    • Facebook
    • CISCO

    Publisher

    USENIX Association, United States

    Cited By

    • Using LLM Embeddings with Similarity Search for Botnet TLS Certificate Detection. Proceedings of the 2024 Workshop on Artificial Intelligence and Security, pp. 173-183, 6 Nov 2024. DOI 10.1145/3689932.3694766
    • Down to earth! Guidelines for DGA-based Malware Detection. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 147-165, 30 Sep 2024. DOI 10.1145/3678890.3678913
    • On the Impact of Heterogeneity on Federated Learning at the Edge with DGA Malware Detection. Proceedings of the Asian Internet Engineering Conference 2024, pp. 10-17, 9 Aug 2024. DOI 10.1145/3674213.3674215
    • DGA Detection Using Similarity-Preserving Bloom Encodings. Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference, pp. 116-120, 14 Jun 2023. DOI 10.1145/3590777.3590795
    • Developing a GUI Application: GPU-Accelerated Malicious Domain Detection. Proceedings of the 2023 ACM Southeast Conference, pp. 167-171, 12 Apr 2023. DOI 10.1145/3564746.3587105
    • The More, the Better. Proceedings of the 3rd Workshop on Cyber-Security Arms Race, pp. 1-12, 19 Nov 2021. DOI 10.1145/3474374.3486915
    • Analysis and Takeover of the Bitcoin-Coordinated Pony Malware. Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp. 916-930, 24 May 2021. DOI 10.1145/3433210.3437520
    • DOLPHIN: Phonics based Detection of DGA Domain Names. 2021 IEEE Global Communications Conference (GLOBECOM), pp. 1-6, 7 Dec 2021. DOI 10.1109/GLOBECOM46510.2021.9685325
    • Neural networks based domain name generation. Journal of Information Security and Applications, vol. 61, 1 Sep 2021. DOI 10.1016/j.jisa.2021.102948
    • Enabling Privacy-Aware Zone Exchanges Among Authoritative and Recursive DNS Servers. Proceedings of the 2020 Applied Networking Research Workshop, pp. 1-8, 27 Jul 2020. DOI 10.1145/3404868.3406665
