2012-03-01
Abstract
Damballa reports on stealth techniques used by six malware families to evade detection.
Copyright © 2012 Virus Bulletin
Network security firm Damballa has issued a report describing the advanced stealth techniques being used by six prominent malware families to evade detection. The firm studied a new Zeus variant, Bamital, BankPatch, Bonnana, Expiro.Z and Shiz, and found that all six families have been using domain generation algorithms (DGAs) to escape detection by blacklists, signature filters and static reputation systems, and to hide their command-and-control (C&C) infrastructures.
The malware contains an algorithm that takes a ‘seed’ value (such as the current date) and generates hundreds of seemingly random domain names, each of which the bot attempts to resolve. Only very few (or even only one) will actually resolve to an IP address: the attacker, who can run the same algorithm in advance, registers just those few and points them at the C&C infrastructure. The process repeats the next day, with the previous day’s domains discarded, so that blacklists built from domains already seen go stale quickly and the C&C system cannot be shut down by seizing any single domain.
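To make the mechanism concrete, the following is an added, deliberately generic example written for this article; it is not the algorithm of any of the six families named in the report, nor code from Damballa. It derives a day's candidate list from the date and a hard-coded secret, shows the attacker registering one of them, has the bot walk the list until a name resolves, and then runs the simple heuristic a defender would reach for first: a client producing many NXDOMAIN answers for high-entropy names. The secret, the TLD list, the client name, the C&C address (an RFC 5737 documentation address) and the resolver log format are all constructed for the example.

```python
"""Illustrative date-seeded DGA, C&C lookup, and an NXDOMAIN/entropy detector."""
import hashlib
import math
from collections import Counter
from datetime import date

# Constructed TLD list for the example; real families use their own sets.
TLDS = ("com", "net", "org", "info")
C2_IP = "192.0.2.10"  # RFC 5737 documentation address, constructed


def dga_domains(seed_date, count=100, secret=b"example-seed"):
    """Derive `count` pseudo-random domains from the date (the 'seed') plus a
    hard-coded secret, so bot and attacker compute the same list offline."""
    domains = []
    for i in range(count):
        material = secret + seed_date.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 9  # label of 8..16 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def attacker_registrations(seed_date, picks=(17,)):
    """The attacker registers only the chosen indices of the day's list and
    points them at the C&C address; everything else stays unregistered."""
    todays = dga_domains(seed_date)
    return {todays[i]: C2_IP for i in picks}


def bot_find_c2(seed_date, dns, log, client="bot-host"):
    """Bot tries the day's names in order; every miss lands in the resolver
    log as NXDOMAIN, the first hit is the C&C address."""
    for name in dga_domains(seed_date):
        ip = dns.get(name)
        log.append((client, name, "NOERROR" if ip else "NXDOMAIN"))
        if ip:
            return ip
    return None


def label_entropy(name):
    """Shannon entropy (bits/char) of the leftmost label."""
    label = name.split(".")[0]
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def flag_dga_clients(log, min_nx=8, min_entropy=2.5):
    """Flag clients with many NXDOMAIN answers for high-entropy names.
    Thresholds are constructed for the example, not tuned values."""
    nx = Counter()
    for client, name, rcode in log:
        if rcode == "NXDOMAIN" and label_entropy(name) >= min_entropy:
            nx[client] += 1
    return {c for c, n in nx.items() if n >= min_nx}


def demo(seed_date=date(2012, 3, 1)):
    """One day's run: bot traffic plus constructed benign traffic."""
    log = [
        ("desk-1", "www.example.com", "NOERROR"),
        ("desk-1", "wwww.example.com", "NXDOMAIN"),  # typo, low entropy
        ("desk-1", "mail.example.org", "NOERROR"),
    ]
    ip = bot_find_c2(seed_date, attacker_registrations(seed_date), log)
    return ip, flag_dga_clients(log)


if __name__ == "__main__":
    c2, flagged = demo()
    print("bot reached C&C at", c2, "; flagged clients:", flagged)
```

The detector is intentionally crude: it keys on the failure pattern the text describes (hundreds of lookups, almost all failing) rather than on the domains themselves, which is why a per-day list does not help the attacker against it. Real deployments need whitelisting of legitimate high-NXDOMAIN sources (CDNs, misconfigured search domains) and the kind of modelling the report attributes to Damballa.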
DGAs (also known as domain fluxing techniques) have been around for a few years, but according to Damballa – which is now able to detect and model DGA behaviour using machine-learning technology – the techniques have become more advanced and are increasingly being used by threats to evade detection and grow sizeable malicious networks.