Malware authors are developing increasingly sophisticated and robust solutions to evade detection of Command and Control (C&C) servers, which are used for managing large sets of infected hosts on the Internet. In recent years, malware authors have begun utilizing algorithms that generate pseudo-random sets of C&C domains based on a specific time-dependent seed value. Specifically, the C&C servers generate a large set of unpredictable pseudo-random domains. Then, the C&C servers register one pre-selected domain that resolves via the Domain Name System (DNS) protocol to the Internet Protocol (IP) address of the C&C server. Generally, the algorithms used to generate the pseudo-random domains are called Domain Generation Algorithms (DGAs), and the generated domains are called Algorithm-Generated Domains (AGDs). The process of creating sets of new domains is repeated periodically, which means a new set of AGDs is generated often and the domains utilized for command and control are moved regularly.
DGAs were originally designed to provide a secure fallback (i.e., non-primary) communication mechanism for when the primary communication mechanisms between an infected host and C&C servers fail. However, an increasing number of malware families have started using DGAs as a primary mechanism for locating C&C servers. Use of a DGA subverts DNS blacklisting approaches because AGDs used for C&C servers are used for only a short period of time, typically right after being created. If a particular AGD is blacklisted, the C&C server simply uses a new domain.
While the large lists of AGDs for a number of different types of malware can be predicted beforehand, doing so requires reverse engineering of the malware, which is a difficult and time-consuming task. Further, some DGA designs have begun employing late-arriving random seed values, which are based on information retrieved from benign services on the Internet, thus delaying a defender's ability to generate and blacklist the AGDs up front. All of these features and characteristics make DGAs a substantial threat.
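The following added example (not part of the original text) illustrates the two points above with a constructed toy generator standing in for a reverse-engineered family's DGA: a blacklist built from one day's AGDs matches nothing on the next day because the time-dependent seed has moved on, whereas a simple lexical check (label length and character entropy) still flags the new domains. The `toy_dga`, `looks_algorithmic` and `blacklist_hit_rate` names, the SHA-256-based seeding and the entropy threshold are all assumptions of this example, not any real malware's algorithm or a published detector.

```python
import hashlib
from collections import Counter
from datetime import date, timedelta
from math import log2

TLDS = ("com", "net", "org")


def toy_dga(seed_date, count=10, length=16):
    """Constructed stand-in for a DGA: derive `count` candidate domains from a
    date-dependent seed (what a defender reproduces after reverse engineering)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_date.isoformat()}:{i}".encode()).hexdigest()
        # Map hex digits onto letters so the label looks like a typical AGD.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:length])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (higher = more random-looking)."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def looks_algorithmic(domain, min_length=10, threshold=3.0):
    """Lexical heuristic: long, high-entropy leftmost label -> likely an AGD."""
    label = domain.split(".")[0]
    return len(label) >= min_length and shannon_entropy(label) >= threshold


def blacklist_hit_rate(blacklist, queries):
    """Fraction of observed query names that a static blacklist would catch."""
    return sum(1 for q in queries if q in blacklist) / len(queries)


def fraction_flagged(queries):
    """Fraction of observed query names the lexical heuristic flags."""
    return sum(1 for q in queries if looks_algorithmic(q)) / len(queries)


if __name__ == "__main__":
    day1, day2 = date(2024, 1, 1), date(2024, 1, 2)   # constructed dates
    blacklist = set(toy_dga(day1))                     # built from day-1 AGDs
    print("day-2 blacklist hit rate:", blacklist_hit_rate(blacklist, toy_dga(day2)))
    print("day-2 lexically flagged:", fraction_flagged(toy_dga(day2)))
```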
As is evident, there is a demand for new approaches for detecting DGAs in an efficient and effective manner.