
Domain Generation Algorithms (DGAs) are used in malware to generate a large number of domain names that can be used in communications to the malware's command and control servers.

For example, an infected computer could create thousands of domain names such as: www.(gibberish).com and would attempt to contact a portion of these with the purpose of receiving an update or commands. - Wikipedia

But my question is: we need to buy and register a domain name before we can use it. Then how can a hacker generate ten thousand domain names and use them?

Jeff

1 Answer


A security administrator would need to block all domain names that are generated by the algorithm, whether they are registered or not.

The hacker on the other hand would only register and use a single or a few domain names out of the range that gets generated by the algorithm. Depending on whether the bot tries to connect to every domain the DGA provides, or just a random section of those generated domains (limiting the footprint of the bot and reducing the risk of getting detected), the hacker can control either a large number or only a small percentage of the infected machines.

HBruijn
  • Domains generated typically depend on the date or a part of it, so the bot has few to try and the master can register those needed a few days before, and so on... – Patrick Mevzek Oct 08 '17 at 01:04
  • So you mean the attacker registers a single or a few domain names from a registrar and creates thousands of fake domain names using the DGA algorithm, and the infected machine will connect to the attacker's valid domain? If that happens then a security admin can easily detect that only a single domain replies out of all of those thousand domains. Then it wouldn't be hard to catch that malicious domain. But I heard attackers use DGA algorithms for delaying detection purposes. Can you explain it to me in detail? Thanks – Jeff Oct 08 '17 at 06:02
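The mechanism described in the answer and in Patrick Mevzek's comment, as an added illustration that is not part of the original question, answer or comments: a toy date-seeded DGA (a hypothetical algorithm, not the generator of any real malware family) produces the same candidate list for the bot, the operator and a defender who has reversed it. The operator registers only a few names from that list (simulated here with an in-memory set standing in for the registry), the bot walks the list until one name "resolves", and the defender precomputes the whole day's list and blocks all of it, registered or not. The shared secret, the label length, the TLD set and the counts are all assumptions made for the example. The count of failed lookups the bot racks up before it hits a live name is what shows up as a burst of NXDOMAIN answers in DNS logs, which is the detection angle Jeff asks about.

```python
"""Toy date-seeded DGA seen from the bot, the operator and the defender.

Illustration only: a hypothetical algorithm, not any real malware's DGA.
The shared secret, label length, TLDs and the in-memory 'registry' are
assumptions for the example.
"""
import hashlib
import random
from datetime import date, timedelta
from typing import Optional, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org")
SECRET = "hypothetical-shared-secret"      # baked into the malware (assumed)
SAMPLE_DAY = date(2017, 10, 8)             # constructed sample date
NEXT_DAY = SAMPLE_DAY + timedelta(days=1)


def dga(day: date, count: int, secret: str = SECRET) -> list:
    """Return the day's candidate C2 domains.

    Bot and operator compute the identical list from the date, the secret
    and a running index, so the names exist in the bot without any of them
    being registered.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{secret}|{day.isoformat()}|{i}".encode()).digest()
        n = int.from_bytes(digest[:8], "big")
        label = ""
        for _ in range(12):                 # 12-letter label, base-26 from the digest
            n, r = divmod(n, 26)
            label += ALPHABET[r]
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def attacker_registers(candidates: list, how_many: int, rng_seed: int = 7) -> set:
    """The operator registers only a handful of the day's names (simulated registry)."""
    return set(random.Random(rng_seed).sample(candidates, how_many))


def bot_contacts(candidates: list, registry: set, max_tries: int) -> Tuple[Optional[str], int]:
    """Walk the list and stop at the first name that 'resolves' (is registered).

    Returns (domain reached or None, number of lookups that failed first).
    The failed lookups are the NXDOMAIN burst a defender sees in DNS logs.
    """
    failed = 0
    for domain in candidates[:max_tries]:
        if domain in registry:
            return domain, failed
        failed += 1
    return None, failed


def defender_blocklist(day: date, count: int, secret: str = SECRET) -> set:
    """Having reversed the algorithm, precompute and block every name for the
    day, registered or not, as the answer describes."""
    return set(dga(day, count, secret))


if __name__ == "__main__":
    candidates = dga(SAMPLE_DAY, 10_000)
    registry = attacker_registers(candidates, how_many=3)
    reached, nxdomains = bot_contacts(candidates, registry, max_tries=len(candidates))
    print(f"bot reached {reached} after {nxdomains} failed lookups")
    blocklist = defender_blocklist(SAMPLE_DAY, 10_000)
    print("registered names all on the precomputed blocklist:", registry <= blocklist)
    # Tomorrow's list is entirely different, so today's registrations stop
    # working unless the operator registers again (Patrick Mevzek's comment).
    print("names shared with tomorrow's list:", len(set(dga(NEXT_DAY, 10_000)) & blocklist))
```

Run as a script and it prints which name the bot reached, how many lookups failed before that, and that the defender's precomputed list covers every registered name while sharing nothing with the next day's list. The point the admin should take from it is the one in the answer: blocking (or sinkholing) the generated list works only if you have the algorithm and its seed; without them, the only observable is the stream of failed lookups to random-looking names.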