Domain Flux

from Wikipedia, the free encyclopedia
[Figure: Domains generated with a domain generation algorithm and directed to a C&C]

Domain Flux is a technique used by botnet operators to hide the location of their command & control servers. The advantage over Fast Flux is that the domain to which the infected computers connect is changed constantly. This makes it almost impossible to find the command & control server (C&C for short) without reverse-engineering the domain generation algorithm.

Domain generation algorithm

The so-called domain generation algorithm (DGA for short) is the part of the malware that generates domain names. Once the bot has generated a domain, the botnet operator registers it so that the infected computer can connect to the command & control server (C&C) through it. To make the next domain harder to predict, an external, unpredictable input can be mixed in, such as the Twitter API used by the Sinowal / Torpig botnet. Because the domain changes every day, it is very difficult to locate the botnet's C&C.

Example DGA

<script type="text/javascript">
// Torpig/Sinowal-style daily DGA. The original pseudocode adds small integers
// to the characters 'a' and '1'; that character arithmetic is written out with
// char codes here so the script actually produces a domain name.
var suffix = new Array("anj", "ebf", "arm", "pra", "aym", "unj", "ulj", "uag", "esp", "kot", "onv", "edc");

// Map a small integer onto a character starting at base ('a' or '1')
function chr_from(base, n)
{
  return String.fromCharCode(base.charCodeAt(0) + n);
}

function generate_daily_domain()
{
  var t = new Date();
  var p = 8;                      // seed; the only input besides the date
  return generate_domain(t, p);
}

// Mix day of month, month, year and seed into one integer
function scramble_date(day, month, year, p)
{
  return (((month ^ day) + day) * p) + day + year;
}

function generate_domain(t, p)
{
  var day = t.getDate();          // day of month 1..31 (getDay() would be the weekday)
  var month = t.getMonth() + 1;   // 1..12
  var year = t.getFullYear();

  if (year < 2007) {
    year = 2007;
  }

  var s = scramble_date(day, month, year, p);
  var c1 = chr_from('a', (((year >> 2) & 0x3fc0) + s) % 25);
  var c2 = chr_from('a', (month + s) % 10);
  var c3 = chr_from('a', ((year & 0xff) + s) % 25);
  var c4;

  // The original compares day * 2 against the characters '0' and '9';
  // their ASCII codes 48 and 57 are used here.
  if (day * 2 < 48 || day * 2 > 57) {
    c4 = chr_from('a', (day * 2) % 25);
  } else {
    c4 = chr_from('1', day % 10);
  }

  return c1 + 'h' + c2 + c3 + 'x' + c4 + suffix[month - 1];
}

document.write(generate_daily_domain());
</script>

A domain name is generated from the current date and a seed (the number p = 8). A number of TLDs such as .com, .org, .net and the like are appended to the generated name, and the bot then tries each one to see whether it can be reached. The daily domain is only the second tier the bot uses to make contact. First, a weekly domain is generated, which stays the same for the whole week. Only when this is no longer reachable does the bot generate a daily domain; if that also fails, it falls back to hard-coded domains.

Domain registration process

Domain registration

The bot generates the domain, and the operator registers it so that the infected computers can connect to the C&C through it. To know which domain the bot is currently generating, the operator runs a program that implements the same DGA as the malware.
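The same property cuts both ways: anyone who has recovered the DGA can run it ahead of time, exactly as the operator does, and use the result defensively. The following Node.js script is an added example and not code from the article or from the Torpig authors. It re-implements the daily DGA shown above, precomputes every candidate domain for a date range, and matches a few constructed DNS query log lines against that set. The TLD list, the log format ("timestamp client qname") and the sample log lines are assumptions made for the example.

```javascript
// Added example: defender-side use of a recovered DGA (not from the article).
// Re-implements the Torpig-style daily DGA, precomputes the domains it will
// produce for a date range, and flags DNS queries that hit one of them.
const SUFFIX = ["anj", "ebf", "arm", "pra", "aym", "unj", "ulj", "uag", "esp", "kot", "onv", "edc"];
const TLDS = ["com", "net", "biz"]; // assumption: the TLDs the bot appends

// Map a small integer onto a character starting at base ('a' or '1')
function chrFrom(base, n) {
  return String.fromCharCode(base.charCodeAt(0) + n);
}

// Mix day of month, month, year and seed into one integer
function scrambleDate(day, month, year, p) {
  return (((month ^ day) + day) * p) + day + year;
}

// day: 1..31, month: 1..12, year: full year, p: seed (8 in the article)
function generateDomain(day, month, year, p) {
  if (year < 2007) year = 2007;
  const s = scrambleDate(day, month, year, p);
  const c1 = chrFrom("a", (((year >> 2) & 0x3fc0) + s) % 25);
  const c2 = chrFrom("a", (month + s) % 10);
  const c3 = chrFrom("a", ((year & 0xff) + s) % 25);
  // '0' and '9' from the original compare are taken as ASCII codes 48 and 57
  const c4 = (day * 2 < 48 || day * 2 > 57)
    ? chrFrom("a", (day * 2) % 25)
    : chrFrom("1", day % 10);
  return c1 + "h" + c2 + c3 + "x" + c4 + SUFFIX[month - 1];
}

// Enumerate every FQDN the DGA can produce between two dates (inclusive).
// Dates are stepped in UTC so the result does not depend on the analyst's
// time zone. Returns Map<fqdn, ISO date on which it is valid>.
function precomputeDomains(startIso, endIso, p = 8, tlds = TLDS) {
  const out = new Map();
  const start = new Date(startIso + "T00:00:00Z");
  const end = new Date(endIso + "T00:00:00Z");
  for (let d = new Date(start); d <= end; d.setUTCDate(d.getUTCDate() + 1)) {
    const label = generateDomain(d.getUTCDate(), d.getUTCMonth() + 1, d.getUTCFullYear(), p);
    for (const tld of tlds) out.set(`${label}.${tld}`, d.toISOString().slice(0, 10));
  }
  return out;
}

// Match log lines of the form "timestamp client qname" against the set.
// Trailing dots and upper case in the query name are normalised away.
function findDgaLookups(logLines, domains) {
  const hits = [];
  for (const line of logLines) {
    const [ts, client, qname] = line.trim().split(/\s+/);
    if (!qname) continue;
    const name = qname.toLowerCase().replace(/\.$/, "");
    if (domains.has(name)) hits.push({ ts, client, qname: name, validOn: domains.get(name) });
  }
  return hits;
}

// Constructed sample log; the second line is the domain the DGA yields for 2009-01-25.
const SAMPLE_LOG = [
  "2009-01-25T08:01:02Z 10.0.0.7 www.example.com",
  "2009-01-25T08:01:05Z 10.0.0.7 yhhsx6anj.com.",
  "2009-01-25T08:02:11Z 10.0.0.9 mail.example.org",
];

const DOMAINS_JAN_2009 = precomputeDomains("2009-01-20", "2009-01-31");
console.log(findDgaLookups(SAMPLE_LOG, DOMAINS_JAN_2009));
```

The precomputed map is the artefact a defender actually wants: fed into a DNS blocklist or a sinkhole it stops the bots from reaching the operator, and fed into a log search it turns every DGA lookup into a list of infected clients. Keep the window wide enough to cover clock skew on the clients, since a bot with a wrong date generates the domain for that wrong date.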

Domain wildcard

Domain wildcarding abuses native DNS functionality to generalise a parent domain so that all FQDNs beneath it resolve to the same IP. For example, *.Domain.com could cover both mypc.atl.Domain.com and myserver.Domain.com. This method is mostly associated with botnets that spread spam and phishing content: the random-looking host-name prefix lets the botnet operator uniquely identify a victim, track which delivery methods succeed, and evade anti-spam technologies.

Most of these automatically generated phishing URLs (which rely on the wildcard domains for name resolution) can be blocked with a filter rule that limits the number of labels in a URL's host name to four or five. A URL such as "www.MyDomain.co.za" would then pass, while a URL such as "www.Domain.co.uk.b906758.index.MyBank.cc" would be blocked automatically.
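The label-depth rule as a small check, written as an added example rather than taken from the article: it accepts bare host names or full URLs, strips a trailing dot, and treats IP literals as having no labels so they fall through to other rules instead of being counted as four-level names. Function names, the default limit of five labels and the IP handling are choices made for this example.

```javascript
// Added example (not from the article): the host-name depth filter described above.
// maxLevels is the number of dot-separated labels a host name may have
// before the URL is rejected.

// Extract a normalised host name from a URL or a bare host name.
function hostnameOf(url) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(url) ? url : "http://" + url;
  return new URL(withScheme).hostname.replace(/\.$/, "").toLowerCase();
}

// Count DNS labels. IPv4 and IPv6 literals are not DNS names, so they
// report 0 and are left to other rules rather than being miscounted.
function labelCount(url) {
  const host = hostnameOf(url);
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return 0;
  return host.split(".").length;
}

function isBlockedByDepth(url, maxLevels = 5) {
  return labelCount(url) > maxLevels;
}

// The two URLs from the text, plus an IP literal as an edge case.
for (const u of ["www.MyDomain.co.za",
                 "http://www.Domain.co.uk.b906758.index.MyBank.cc/login",
                 "http://192.0.2.10/"]) {
  console.log(u, "labels:", labelCount(u), "blocked:", isBlockedByDepth(u));
}
```

A depth limit is a coarse rule: legitimate CDN and cloud host names can exceed five labels, so in practice it is paired with an allow-list or applied only to mail and web-proxy traffic where such long names are rare.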

The changing command & control center

Server change

Some botnets are able to relocate their control centre. For this purpose, the botnet's control centre holds a database of all registered domains together with the data needed to move the command & control server. Moving the control centre repeatedly makes it hard to track down and protects it from discovery by anti-virus companies and authorities.

Domain flux botnets

  • Srizbi: Cbeplay, Exchanger
  • Sinowal: Torpig, Anserin
  • Conficker: DownUp, DownAndUp, DownAdUp, Kido
  • Kraken: Mailbot.f
