Researchers at Akamai have unearthed a concerning shift in the behavior of dynamically seeded Domain Generation Algorithm (DGA) families within Domain Name System (DNS) traffic data. This discovery reveals how malicious actors are adapting their tactics to prolong the life of their command-and-control (C2) communication channels, safeguarding their botnets.
From a technical standpoint, DGAs come in two main types: dynamically seeded (dynamic DGAs) and statically seeded (static DGAs). Dynamic DGAs rely on time-dependent seeds, often based on the current date, allowing domain prediction if the algorithm is reverse engineered. Static DGAs use unchanging seeds to generate consistent domain sequences.
Malware relies on DGAs to communicate with central servers, and DGAs generate numerous semi-random domain names. Infected devices try to connect to these domains, with just one successful connection enabling contact with the C2 server. This poses a substantial challenge for cybersecurity experts, given that these domains constantly change.
Before DGAs, malware authors hardcoded domains into their code, making it easy to block when reverse engineered. DGAs, starting with the Kraken family in 2008 and popularized by Conficker, changed the game, generating many daily domains and overwhelming security teams.
Read more on Conficker history: Conficker, AndroRAT Continue Malware Reigns of Terror
Akamai’s new research zoomed in on dynamic DGAs, focusing on the Pushdo and Necurs families, both using date-based seeds for domain prediction. However, the study uncovered unexpected behavior.
For Pushdo, researchers anticipated queried domains within a 24-hour window of their expected date. Instead, they found unique domain names spanning from -50 to +50 days from the expected date, suggesting malicious actors intentionally shifted the seed to confuse security researchers.
Similarly, the Necurs family exhibited behavior outside expectations. Researchers expected domains within -7 to +7 days from the expected date but discovered a smaller spike around +12 days, indicating malicious actors intentionally lagged domain names by seven days to evade detection.
“Our analysis suggests this is being done as an attempt to avoid DGA detection systems and complicate the work of security research teams,” reads the analysis published by Akamai researchers Connor Faulkner and Stijn Tilborghs on Wednesday.
“While malicious actors continue to search for ways to protect their botnets and extend the lifespan of their C2 communication channels, it is the job of security researchers to counter these measures and better identify what is real versus what is expected.”