RSA Admin

How to find domain generation algorithm DGA botnets

Discussion created by RSA Admin Employee on Sep 17, 2012
Latest reply on Feb 25, 2014 by NTRSPhil

I have been doing quite a bit of research in the DNS department and wanted to share some fun simple stuff.  I created a rule called "DNS Large Number of Authority Records w/o Answer" that looks like this "risk.suspicious = 'dns large number of authority records' && error = 'dns error no name with aa'."

When you take a peek at it, try to look at lower volumes of data such as 'last hour' or 'last 3 hours' since DNS usually has a ton of traffic. The reason for this is because DGA domains often only hit a few times on one domain but hit thousands in a few hours keeping their numbers relatively low. Once you do that, look at the Hostname Alias's top 5000 results and see if there is anything that pops out at you...

 

If you see something like this:

DGA.PNG

Then you found a DGA botnet.

 

There are many different types of DGA's so writing a rule to find them isn't the easiest thing.

Here are some examples:

www.xn--zalgo666463-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com

www.xn--zalgo667796-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com

www.xn--zalgo667874-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com

 

qpohozvspp

qqjzlsajis

qqnucaacew

qrpgowkzvy

qsjeqgklbe

 

qibinbef.biz

qiwou.biz

qlpgscg.net

 

And the list can go on...

 

From here, you can figure out how to write some correlation rules and other fun things.

 

Jonathan Tomek

Outcomes