Domain Generation Algorithms
Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.[1]
DGAs make it harder for defenders to block, track, or take over (sinkhole) the command and control channel: the malware may check thousands of candidate domains for instructions, while the operator only needs to register one of them ahead of the malware's lookup.
Procedure Examples
Name | Description |
---|---|
Mandrake | |
Rotexy | Rotexy procedurally generates subdomains for command and control communication.[1] |
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Detecting dynamically generated domains is challenging because of the number of distinct DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. Many approaches exist for detecting a pseudo-randomly generated domain name, including frequency analysis, Markov chains, character entropy, the proportion of dictionary words, the ratio of vowels to other characters, and more.[3] CDN hostnames may trigger these lexical detections because their labels are often hash-like strings that look as random as DGA output. In addition to judging a domain by its name, a more general approach for spotting a suspicious domain is to check whether it was registered recently or is rarely visited within the environment.
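The following Python block is an added example for this page, not code from Rotexy, Mandrake, or ATT&CK. It illustrates both passages above: a toy date-seeded DGA of the kind the technique describes (the seed, 12-letter labels, and TLD pool are assumptions) and the lexical heuristics the detection section lists (entropy, dictionary-word coverage, vowel ratio) run over its output and over constructed benign and CDN-style hostnames. The word list and thresholds are small constructed stand-ins for what a real detector would load.

```python
"""Toy date-seeded DGA next to the lexical heuristics used to flag its output.

Constructed illustration for this page; not code from Rotexy, Mandrake, or
MITRE ATT&CK. The seed, label length, word list and thresholds are assumptions.
"""
import hashlib
import math
from collections import Counter
from datetime import date

TLDS = ("com", "net", "info")   # assumed TLD pool for the toy DGA
LABEL_LEN = 12                  # assumed generated-label length

# Small constructed word list; a real detector would load a full dictionary.
DICTIONARY = sorted(
    {"mail", "login", "cloud", "update", "service", "secure", "bank", "news",
     "shop", "cdn", "static", "app", "api", "data", "store"},
    key=len, reverse=True)

ENTROPY_MIN = 2.8   # assumed: bits per character above which a label looks random
DICT_MAX = 0.34     # assumed: dictionary coverage below which a label looks random


def generate_dga_domains(seed: str, day_iso: str, count: int) -> list[str]:
    """Deterministic toy DGA: SHA-256(seed | date | index) -> letters-only label.

    Malware and operator share `seed`; both derive the same candidate list for
    the day, the operator registers one name, and the malware walks the list
    until a lookup succeeds.
    """
    day = date.fromisoformat(day_iso)  # reject anything that is not a date
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[digest[LABEL_LEN] % len(TLDS)]}")
    return domains


def shannon_entropy(s: str) -> float:
    """Bits per character; a label of all-distinct characters scores log2(len)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    return sum(ch in "aeiou" for ch in s) / len(s)


def dictionary_fraction(s: str) -> float:
    """Share of the label covered by dictionary words (greedy, longest first)."""
    covered = i = 0
    while i < len(s):
        word = next((w for w in DICTIONARY if s.startswith(w, i)), None)
        if word:
            covered += len(word)
            i += len(word)
        else:
            i += 1
    return covered / len(s)


def suspect_label(domain: str) -> str:
    """Longest label below the TLD, so registrable-domain DGAs and subdomain
    DGAs (Rotexy style) are both scored on the generated part.
    Assumes a single-label TLD such as .com."""
    labels = domain.lower().strip(".").split(".")[:-1]
    return max(labels, key=len) if labels else domain


def score_domain(domain: str) -> dict:
    """Lexical features plus a verdict; thresholds are the assumed constants above."""
    label = suspect_label(domain)
    entropy = shannon_entropy(label)
    dict_frac = dictionary_fraction(label)
    return {
        "domain": domain,
        "label": label,
        "entropy": round(entropy, 2),
        "vowel_ratio": round(vowel_ratio(label), 2),
        "dict_fraction": round(dict_frac, 2),
        "dga_like": entropy >= ENTROPY_MIN and dict_frac < DICT_MAX,
    }


if __name__ == "__main__":
    # Constructed benign hostnames and one CDN-style hashed hostname.
    benign = ["mail.google.com", "login.bank-secure.com", "updates.service.net"]
    cdn_like = "a8f3k2m9q4z7x1c5.cdn.example.net"
    generated = generate_dga_domains("demo-seed", "2024-01-15", 5)
    for d in benign + [cdn_like] + generated:
        print(score_domain(d))
```

Running the block shows the trade-off the text describes: the generated labels score high entropy with no dictionary coverage, the benign names are rescued by low entropy or high dictionary coverage, and the hash-like CDN hostname is flagged exactly like DGA output. Short brand names with unusual spelling can also exceed the entropy threshold, which is why per-name lexical scoring is usually combined with the registration-age and visit-frequency checks mentioned above rather than used alone.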
References
- T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
- R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.