The vast majority of active malware and ransomware families include some sort of communication with command and control systems (C&Cs). This connection allows them to receive instructions, such as which institutions to target, the encryption keys for ransomware, and targets for DDoS bots, as well as to exfiltrate stolen data.

Command and control systems are vital for the success of malicious campaigns and are analyzed in detail by security companies that work around the clock to shut them down. This results in a “cat and mouse” game between attackers employing new features to make the take-down process more complex and time-consuming, and security vendors striving to protect their customers. Historically, C&C systems were hosted at IP addresses or hostnames hard-coded into malware samples. Disabling such services was often easy and quick, and as such, these kinds of malicious campaigns didn’t remain active for too long.

Attackers evolved to more complex methods: fast-flux domains, lists of domain names, peer to peer communications, Tor services, and domains generated via algorithms (DGAs). Ransomware binaries, for example, need an encryption key known by the attacker and won’t encrypt victims’ files if they can’t communicate with a command and control system. Similarly, malware that can’t reach its C&C won’t relay stolen personal and financial information. Some ransomware families employ DGAs that generate hundreds or thousands of new domain names every day. Samples installed on victims’ computers try to resolve each of the domains, one at a time until it successfully communicates with a C&C. This strategy complicates the take-down process because the attacker can register any of the hundreds or thousands of domains and that domain will be used by the malware sample only for one day. The next day, a new list is generated. Therefore, if today’s domain is taken down, the attacker has another chance tomorrow.

DGAs are simple algorithms usually based on the current time and a random set of characters called a ‘seed’. These two pieces of information are inputted into the algorithm and a list of domains is generated. The length of the domain names as well as their TLDs vary greatly from family to family. Distinct campaigns distributing the same malware family can use different seeds yielding new lists of domains.

Recently, a new ransomware variant was found to include DDoS capabilities for double extortion purposes. The malicious artifact receives an encryption key as well as commands to produce DDoS attacks.

This highlights the necessity of actively blocking access to domain names generated via DGAs, as well as to command and control URLs.

Malware Patrol tracks a large number of malware and ransomware families that employ DGAs and their multiple seeds. We provide threat data feeds and block lists, helping organizations protect their employees, customers, and assets from infections, data exfiltration, and extortion.

Andre Correa

Co-Founder, Malware Patrol

Andre Correa - Malware PatrolInformation Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, current cyber security landscape, incident response, security mechanisms and best practices. He founded the Malware Patrol project in 2005. The company is helping enterprises around the world to protect themselves from malware and ransomware attacks through some of the most comprehensive threat data feeds and block lists on the market.