Part II: Solving the Malware Domain Generation Algorithm Problem

While attending the Palo Alto Ignite Conference in Las Vegas, I had the opportunity to attend what was one of the best technical, most NON-marchitecture sessions available, ‘DNS Junk Domains: It’s What’s for Dinner’ by Dr. Paul Vixie. Dr. Vixie is literally one of the programmers who wrote the original BIND and, next to Cricket Liu, probably one of the smartest guys in the world when it comes to global Internet DNS. Dr. Vixie’s insight on solving the Domain Generation Algorithm problem was fascinating. I’ll share what I learned.

The cost of a domain name to a criminal is low, low, low, and inconsequential. When criminals do buy domains, it is often with stolen credit card data, and it is the card's victim, not the criminal, who ends up in the public WHOIS record. The value of stolen credit card data rests in the fraudster's ability to cause a small amount of damage to the victim over a long period of time; buying a small handful of domain names (the name registered under a TLD such as .com, not the Top Level Domain itself) again and again, at a few dollars each, is exactly that pattern, and the victim often does not notice.

The main problem with domain generation is that it takes about 30 seconds to register a new domain name and have it resolving. That is not enough time for anyone to spot badness, or for the name to land on a list, before it is used as part of a campaign. For targeted attacks, spammers and malware operators run short, hard and fast campaigns. For longer, more shotgun-style campaigns (Locky, for example), they use a Domain Generation Algorithm (DGA): the malware derives a fresh list of candidate domain names from a seed and the current date, the operator registers one or two of them just before they are needed, and every infected host computes the same list and tries the names until one resolves. Because the names change constantly, Real-time Blackhole Lists (RBLs) such as Spamhaus cannot keep their databases current.

Dr. Vixie’s solution is simple: temporarily defer the resolution of ALL ‘newly observed’ domain names in your DNS resolver.

Newly observed does not mean ‘newly registered’ and never used; it means a domain is new because it is seen in DNS traffic, actively being queried, for the first time. This solution assumes you already have automation in place to feed information from an RBL into your DNS resolver (otherwise you are just delaying the inevitable). Deferring the resolution of ALL newly observed domains for a window of time gives the RBLs the chance to discover and list the new badness before your users can reach it.
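The two ideas above, a seed-and-date DGA and a resolver policy that defers newly observed domains until an RBL feed has had time to catch up, are easier to see in code. The following is an added example written for this post; it is not Dr. Vixie's code, not Farsight's Newly Observed Domains feed, and not a BIND RPZ configuration. The DGA, the seed, the 24-hour window, the domain names and the query timeline are all constructed for illustration, and the registrable-domain helper uses a two-label shortcut where a real deployment would use the Public Suffix List.

```python
"""Simulate a 'defer newly observed domains' resolver policy.

Added example, not code from the original post. All names, the window
length and the query timeline are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its registrable domain.

    Assumption: the last two labels. A real resolver must consult the
    Public Suffix List, or 'foo.co.uk' collapses to 'co.uk'.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def toy_dga(seed: str, day: datetime, count: int) -> list[str]:
    """Constructed seed+date DGA (not any real malware family).

    Every infected host that shares the seed computes the same list for
    the day, so the operator only needs to register one or two of them.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day:%Y-%m-%d}|{i}".encode()).hexdigest()
        # Map the first 12 hex digits onto letters a..p for a plausible label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        names.append(f"{label}.com")
    return names


@dataclass
class NewlyObservedDomainPolicy:
    """Resolver-side decision: RESOLVE, DEFER, or BLOCK a query."""
    window: timedelta
    first_seen: dict[str, datetime] = field(default_factory=dict)
    allowlist: set[str] = field(default_factory=set)
    blocklist: set[str] = field(default_factory=set)   # populated from an RBL feed

    def decide(self, qname: str, now: datetime) -> str:
        dom = registrable_domain(qname)
        if dom in self.allowlist:
            return "RESOLVE"
        if dom in self.blocklist:
            return "BLOCK"
        first = self.first_seen.setdefault(dom, now)   # records first observation
        if now - first < self.window:
            return "DEFER"   # newly observed: give the RBLs time to catch up
        return "RESOLVE"


def run_simulation() -> dict[str, str]:
    """Replay a constructed query timeline through the policy."""
    t0 = datetime(2017, 6, 1, 9, 0)
    policy = NewlyObservedDomainPolicy(window=timedelta(hours=24))
    # Warm-up: domains the org has resolved for months are already known.
    for dom in ("example.com", "example.org"):
        policy.first_seen[dom] = t0 - timedelta(days=90)

    dga_names = toy_dga("constructed-seed", t0, 3)
    results = {}
    results["legit"] = policy.decide("www.example.com", t0)
    results["dga_first"] = policy.decide(dga_names[0], t0)
    results["dga_retry_1h"] = policy.decide(dga_names[0], t0 + timedelta(hours=1))
    # 20 hours in, the RBL feed has listed the domain; the deferral bought that time.
    policy.blocklist.add(registrable_domain(dga_names[0]))
    results["dga_after_rbl"] = policy.decide(dga_names[0], t0 + timedelta(hours=20))
    # A domain no RBL ever lists becomes resolvable once the window expires.
    results["dga2_first"] = policy.decide(dga_names[1], t0)
    results["dga2_after_window"] = policy.decide(dga_names[1], t0 + timedelta(hours=25))
    return results


if __name__ == "__main__":
    for key, decision in run_simulation().items():
        print(f"{key:20s} {decision}")
```

The simulation shows the trade-off the policy makes: the first query for a freshly generated domain is deferred, a retry an hour later is still deferred, and by the time the window would have expired the RBL has listed the name and the query is blocked outright. A newly observed domain that nobody ever lists simply starts resolving after the window, which is why the policy costs a legitimate new domain a day of delay and nothing more.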

Chances are your org does not depend on being able to resolve a newly registered domain the moment it appears on the Internet, unless you work for GoDaddy.


I’ll continue to blog on the subject of DNS, DGAs and how to solve them!

Thank you for reading!