Tag: system detekcji

How non-existent domain names can unveil DGA botnets

Date of publication: 01/10/2015, piotrb

dga_icon

Domain Generation Algorithms are used in botnets to make it harder to block connections to Command & Control servers and to make it difficult to takeover botnet infrastructure. The main objective of these algorithms is to generate a big number of different domain names which usually look random, like

<span class="text">pkjdgjwzcr.pl</span>

. Only some of them are registered by a botmaster, however compromised hosts tend to query all of them until they find a working domain. As a result bots can receive a big number of non-existent domain name responses (in short: NXDomain). In this entry we will show how such behavior can be utilized to detect DGA botnets using examples of different detection methods.
Read more