
The vast majority of active malware and ransomware families include some sort of communication with command and control servers (C&Cs). This connection allows them to receive instructions, such as which institutions to target, the encryption keys for ransomware, and targets for DDoS bots, as well as to exfiltrate stolen data.

Command and control systems are vital for the success of malicious campaigns and are analyzed in detail by security companies that work around the clock to shut them down. This results in a “cat and mouse” game between attackers employing new features to make the take-down process more complex and time-consuming, and security vendors striving to protect their customers. Historically, C&Cs were hosted at IP addresses or hostnames hard-coded into malware samples. Disabling such services was often easy and quick, and as such, these kinds of malicious campaigns did not remain active for too long.

Attackers evolved to more complex methods: fast-flux domains, lists of domain names, peer-to-peer communications, Tor services, and domains generated via algorithms (DGAs). Ransomware binaries, for example, need an encryption key known by the attacker and will not encrypt victims’ files if they cannot communicate with a command and control system. Similarly, malware that isn’t able to reach its C&C server will not relay stolen personal and financial information. Some ransomware families employ DGAs that generate hundreds or thousands of new domain names every day. Samples installed on victims’ computers try to resolve each of the domains, one at a time, until one resolves successfully. This strategy complicates the take-down process because the attacker can register any of the hundreds or thousands of domains, and that domain will be used by the malware sample only for one day. The next day, a new list is generated. Therefore, if today’s domain is taken down, the attacker has another chance tomorrow.

DGAs are simple algorithms usually based on the current time and a random set of characters called a ‘seed’. These two pieces of information are fed into the algorithm and a list of domains is generated. The length of the domain names as well as their TLDs vary greatly from family to family. Distinct campaigns distributing the same malware family can use different seeds, yielding new lists of domains. This highlights the necessity of actively blocking access to domain names generated via DGAs, as well as to command and control URLs.
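As an added illustration (not code from the original post or from Malware Patrol), here is a defender-side sketch of the pre-computation the paragraphs above imply: a hypothetical, constructed DGA that hashes seed plus date, a blocklist built for today and tomorrow from every tracked seed, and a check of constructed DNS query log lines against it. The seeds, TLD rotation, log format and addresses are all assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA used only for illustration; it is not any real family's algorithm.
# Domain i for (seed, day) = first 12 hex chars of SHA-256("seed|YYYY-MM-DD|i") + a TLD.
TLDS = ("com", "net", "org")  # constructed TLD rotation

def generate_domains(seed: str, day: str, count: int = 5) -> list[str]:
    """Return the deterministic per-day list a sample would try, one by one.
    `day` is an ISO date string such as '2024-01-15'."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).hexdigest()
        domains.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return domains

def build_blocklist(seeds, today: str, days_ahead: int = 1) -> set[str]:
    """Defender side: pre-compute every domain for every tracked seed for today
    and the next `days_ahead` days, so tomorrow's list is blocked before it is used."""
    start = date.fromisoformat(today)
    block = set()
    for seed in seeds:
        for offset in range(days_ahead + 1):
            day = (start + timedelta(days=offset)).isoformat()
            block.update(generate_domains(seed, day))
    return block

def check_dns_log(log_lines, blocklist) -> list[tuple[str, str]]:
    """Match DNS query log lines (constructed format: 'timestamp client qname')
    against the blocklist; returns (client, qname) for each hit."""
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in blocklist:
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    seeds = ["campaign-a", "campaign-b"]  # constructed seeds standing in for tracked ones
    block = build_blocklist(seeds, "2024-01-15")
    sample_log = [  # constructed log lines
        f"2024-01-15T10:00:01 10.0.0.5 {generate_domains('campaign-a', '2024-01-15')[2]}.",
        "2024-01-15T10:00:02 10.0.0.5 www.example.com.",
        f"2024-01-15T10:00:03 10.0.0.7 {generate_domains('campaign-b', '2024-01-16')[0]}",
    ]
    for client, qname in check_dns_log(sample_log, block):
        print(f"blocked query from {client}: {qname}")
```

Because the list for a given seed and day is deterministic, a resolver that already holds tomorrow's domains removes the attacker's "another chance tomorrow"; a real feed would do this per family, per seed, with each family's actual generator.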

Malware Patrol tracks a large number of malware and ransomware families that employ DGAs, including their multiple seeds. We provide threat data feeds and block lists, helping organizations protect their employees, customers, and assets from infections, data exfiltration, and extortion.

Andre Correa

CEO/Founder, Malware Patrol

Andre Correa is an Information Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, the current cyber security landscape, incident response, security mechanisms and best practices. He founded Malware Patrol in 2005 as a non-profit that collected data and provided the infrastructure for accessing the resulting blocklists. Since then, the company has developed a wide range of commercial threat intelligence offerings and helps enterprises around the world to protect themselves from cyber threats.