A DGA is an algorithm able to generate a FQDN for allowing communication between a virus or malware and its command and control master.
It’s main objective is not to predefine a FQDN that will be used by the malware and incorporated in its code as a standard variable, but instead to generate specific software able to create the FQDN when required. Once the hacker wishes to activate all the instances of its malware to spread, he registers the domain at the TLD level and points the FQDN to a command and control server resource that will be able to push specific instructions or payload for the malware to change its state and activate itself. TXT specific records can also be used to specify directly the command or action to perform.
For a DGA to be functional, idempotence on domain generation is required. Both malware instances spread on various devices and the hacker-controlled software should be able to run the algorithm and produce the same values at a given time. A basic implementation uses 3 specific parts:
- A seed: shared between all implementations of the algorithm and increasing the entropy of the generated FQDN
- A time-based data generator: producing a specific set of data at a given time
- A list of TLD to concatenate the generated domain
The algorithm mixes the seed and the data generated at run time, produces through specific code an acceptable string and concatenates it to a chosen TLD.
There is no limit to DGA algorithms and the way they are implemented in the malware. Some are simple and easy to reverse engineer, others are very complex, run in virtual machines and use complex seed and data generation. Rather than using the date as the time-based seed, some use data from trendy topics on Twitter or Reddit, newspaper headlines or any other external source. This allows the malware to avoid easy detection by sandbox systems, sometimes combined with a generation of known malware domains to check whether they are in such sandbox.
Some DGAs can be bizarre (eg gegjiimqmlgtdmk.tf or jxbdxeyxttdmcjagi.me), and some more complex to detect (e.g. huoseavas.name or agtisaib.info). DGAs may already be blocked by your DNS filtering system, but not yet for others.