Malware is any software used to disrupt computer operations, gather sensitive information, or gain access to private assets residing in computer systems. This can lead to the malware creator or other unauthorized parties gaining access to the computer system and to private information stored on that system being compromised. Malware includes computer viruses, worms, trojan horses, spyware, adware, key loggers, and other malicious programs. These programs can appear in the form of computerized code, scripts, and other software.
Certain forms of malware, for example, collections of malicious software agents (referred to as robots) which collectively form a “botnet”, are remotely controlled by the malware originator through various means (e.g., Internet Relay Chat or IRC) from a command and control (C&C) server. Each robot (or bot) runs autonomously and automatically on infected endpoint clients, and propagates malicious content to other endpoint clients, all while remaining under the malware originator's control by communicating with the C&C server. Software such as anti-virus, anti-spyware, anti-malware and firewall products is relied upon by computer users for protecting against malware and other malicious attacks. These types of protective software also help to identify malware attacks and take protective actions in response to identification of a malware attack, and can employ tools to identify the C&C server so that endpoint clients are prevented from accessing domain names linked with the C&C server, interrupting the malware originator's control and preventing the spread of the malware infection. However, many malware originators have begun exploiting dynamic domain name generation methods in order to make it more difficult for protective software to identify C&C servers. Domain generation algorithm (DGA) enabled malware, for example, utilizes algorithms which periodically generate a large number of domain names which are used as rendezvous points with the C&C server of the malware. In operation, the infected machines (i.e., bots) and the current C&C server execute the same portions of date/time dependent malware code to maintain connectivity between the dynamically changing C&C server and the infected machines. The domain names are pseudo-randomly generated using the date and/or time (e.g., UNIX date and/or time) on an infected machine (e.g., a compromised endpoint) as input. For example, a DGA enabled malware may be configured to generate a first set of domain names on Jan. 1, 2015, and a different set of domain names on Feb. 1, 2015. By periodically changing the rendezvous points, and the C&C server itself, the C&C server can avoid identification, and the infected machines (i.e., bots) can continue to receive commands from the dynamically changing C&C server.
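The property described above, that bots and the C&C server derive the same domain names from the same date, is also what lets a defender who has recovered the generation routine compute the rendezvous points ahead of time and watch for them in DNS traffic. The following is an added illustration, not code from the original text or from any real malware family: `toy_dga` is a constructed, SHA-256-based stand-in for a date-seeded generator (the `FAMILY_KEY` constant and the 12-letter label format are assumptions made for this example), `precompute_rendezvous` builds the watchlist for a date range, and `match_dns_log` checks constructed DNS log lines against it.

```python
"""Illustrative date-seeded domain generation and the defender-side
pre-computation it permits. Constructed example; the generator below is a
toy, not the algorithm of any real malware family."""
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Set, Tuple

TLDS = ("com", "net", "org")
# Constructed per-family constant (assumption for this example). In practice
# such a constant would be recovered by analysing a captured sample.
FAMILY_KEY = b"toy-family-constant"


def toy_dga(seed_date: date, count: int = 5, key: bytes = FAMILY_KEY) -> List[str]:
    """Derive `count` domain names deterministically from the calendar date.

    The only variable input is the date, so any party holding the same routine
    (bot, C&C operator, or defender) computes exactly the same list."""
    names = []
    for i in range(count):
        material = key + seed_date.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).hexdigest()
        # Map 12 bytes of the digest onto lowercase letters to form the label.
        label = "".join(
            chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 24, 2)
        )
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def precompute_rendezvous(start: date, days: int, count: int = 5) -> Set[str]:
    """Defender-side pre-computation: every domain the generator will emit
    for each day in [start, start + days)."""
    domains: Set[str] = set()
    for offset in range(days):
        domains.update(toy_dga(start + timedelta(days=offset), count))
    return domains


def match_dns_log(lines: Iterable[str], watchlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for each log line whose queried name
    is on the pre-computed watchlist. Lines are '<ts> <client> <qname>'
    (constructed format for this example)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; ignore rather than fail the whole run
        ts, client, qname = parts
        if qname.lower().rstrip(".") in watchlist:
            hits.append((ts, client, qname))
    return hits


def demo():
    """Build the Jan. 1 and Feb. 1, 2015 sets from the text's example dates,
    a 31-day watchlist, and a constructed DNS log containing two hits."""
    jan = toy_dga(date(2015, 1, 1))
    feb = toy_dga(date(2015, 2, 1))
    watch = precompute_rendezvous(date(2015, 1, 1), days=31)
    # Constructed log lines: two queries for generated names inside the
    # window, one benign query, and one generated name from Feb. 1 (outside it).
    log = [
        f"2015-01-01T08:00:00Z 10.0.0.5 {jan[0]}",
        "2015-01-01T08:00:01Z 10.0.0.7 www.example.com",
        f"2015-01-15T12:30:00Z 10.0.0.5 {toy_dga(date(2015, 1, 15))[2]}",
        f"2015-02-01T09:00:00Z 10.0.0.9 {feb[0]}",
    ]
    return jan, feb, watch, match_dns_log(log, watch)


if __name__ == "__main__":
    jan, feb, watch, hits = demo()
    print("Jan. 1, 2015 rendezvous points:", jan)
    print("Feb. 1, 2015 rendezvous points:", feb)
    print(f"watchlist size for January: {len(watch)}")
    for ts, client, qname in hits:
        print(f"{ts} client {client} queried generated name {qname}")
```

Because the February names are outside the January watchlist, the last log line is not flagged; extending the pre-computed window, or re-running the computation daily, is what keeps the watchlist current as the rendezvous points change.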