Difference between revisions of "DGAs and cyber-criminals: a case study"

m (Text replacement - " damballa.com" to "")
(One intermediate revision by the same user not shown)

Line 5, the Link field changed from:
|Link=http://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf
to:
|Link=http://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf (pdf)
Latest revision as of 22:58, 5 August 2015
(Publication)
| DGAs and cyber-criminals: a case study | |
|---|---|
| Botnet | ZeuS, ZeuS - P2P+DGA |
| Malware | |
| Botnet/malware group | |
| Exploit kits | Sakura, Blackhole |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | P2P |
| Date | / |
| Editor/Conference | Damballa |
| Link | http://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf (pdf) (Archive copy) |
| Author | Manos Antonakakis, Jeremy Demar, Christopher Elisan, John Jerrim |
| Type | |
Abstract

“In recent years, Domain Generation Algorithms (DGAs) have evolved from a proof-of-concept technique, capable of bypassing legacy static reputation systems (e.g. domain blacklists), into full-featured stealth modules embedded within an increasing number of advanced and evasive commercial crimeware toolkits today. DGAs are also referred to as a form of “domain fluxing.”

This case study details how Damballa Labs uncovered criminal DGA activity long before the malware using the DGA technique was ever identified by the security community. This discovery was accomplished using patent-pending machine learning technology and years of passive DNS data collection and analysis. In addition, this case study describes how Damballa Labs, starting only with the identified DGA behavior, tied the DGA behavior to the criminal command-and-control (C&C) infrastructure and then to the malware, infection vectors and campaigns. The identified malware is a ZeuS version 3 variant that uses peer-to-peer as its primary C&C channel and only resorts to the DGA-generated domains if it fails”
Bibtex

```bibtex
@misc{BFR790,
  editor       = {Damballa},
  author       = {Manos Antonakakis, Jeremy Demar, Christopher Elisan, John Jerrim},
  title        = {DGAs and cyber-criminals: a case study},
  date         = {01},
  month        = May,
  year         = {},
  howpublished = {\url{http://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf} (pdf)},
}
```