Borg blacklist assimilates Cryptolocker domain name generators
Scrabble dictionary used to out randomly-generated malware-hosting domain names
Cisco has developed a means to accurately identify the fleeting pop-up domains used by some of the world's worst malware.
The platform builds a reputation score that is in part based on word sources including more than 60 dictionaries, Census data and Alexa top 1000 domains.
Using multiple sources helps to identify the nonsensical, garbled domain names that malware algorithms typically produce in their rush to keep command and control servers ahead of blacklists.
"A linear model was built to calculate the randomness score [where] the weights on the features values as well as thresholds involved in the decision were carefully tuned against legitimate domain names in the Alexa dataset as well as [those] generated by a variety of reverse-engineered DGA (domain generation algorithms," Cisco's Talos security team wrote.
The false negative rate was less than two percent and often lower than half a percent when detecting domains from DGAs in use by Cryptolocker, Tinba, and Zeus variants.
In an additional test the Borg platform identified all 13 random domains a Cryptolocker variant used to set up personalised fleecing portals for victims.
It is crunching some 200,000 domains a day under a live Cisco feed and has plucked some 6000 suspicious domains so far, with continual tweaks being made.
"Fighting cyber-criminal is like a chess match, and DGAs adopted today are becoming more complicated," the team says.
The Borg did not say if it will share the platform, nor if adding common names to malicious domains would torpedo the effort.
Bad guys have been working hard to update their DGAs too. Seculert researcher Aviv Raff revealed at Black Hat in Las Vegas last week that the infamous DGA Changer malware sports new functionality to throw fake domains when it detects it has executed in a virtual machine.
That recent manoeuvring in the war between VXers and researchers targets common platforms white hats use to analyse malware while avoiding infecting their own systems.
It is a significant development since it goes beyond merely shutting down malware in the presence of analysis frameworks and actively plies counter-intelligence to lead white hats astray.
"The discovery of this new version of DGA Changer highlights yet again the limitations of sandbox-only prevention approaches and the need to complement them with post-infection analytics based detection techniques," says.
"In the spy versus spy world of cyber security, the adversary is continuing to adapt to current defense techniques. Those of us in the cyber threat defense business must continue to adapt as well." ®
Sponsored: Becoming a Pragmatic Security Leader