News

Spamhaus Technology adds DGA domains to RPZ

September 25, 2015 by Barry Branagh

A domain generation algorithm (DGA) lets malware periodically compute a list of tens of thousands of new DNS names for its controller servers. Any number of these domains could be active at a given time, although typically only a couple of them are actually registered and working.

Command and Control Machines

Botnets need to receive commands in order to do their owner’s bidding. The traditional way to pass commands to an infected machine is from a command and control (C&C) server. However, this introduces a single point of failure, so if an infected machine has no other means of contacting its C&C server, it can cycle through the DGA-created domains to try to regain contact. In essence it is a form of camouflage or obfuscation.

Bot herders continually devise new mechanisms to hide the location of their C&C servers, making the chain of command even more elusive. Spamhaus Technology Response Policy Zones (RPZ) use domain and IP reputation data from Spamhaus’ real-time threat intelligence to stop users’ computers from connecting to harmful sites as soon as the domains are registered, before they can compromise users’ computers and harm your network.

Spamhaus adds DGA Domains to its RPZ

Last Thursday Spamhaus Technology added DGA domains to the Spamhaus Technology Botnet C&C RPZ. This resulted in the RPZ increasing in size from around 500 entries to 1.2 million.

The DGA domain data is updated twice a day. Currently it contains DGA domains for a 7-day period: the current day and three days either side. Users of the Botnet C&C RPZ should expect a change of circa 15-30% in the DGA data every 24 hours. Given the nature of the DGA domains dataset, customers should expect some churn as each new day’s worth of data is added and the earliest day’s worth of data is removed.
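As an added example (not Spamhaus code, and not derived from the actual feed), the script below shows the mechanics a consumer of such a zone deals with: rendering a list of DGA domains as RPZ records that return NXDOMAIN for the domain and its subdomains, emulating the QNAME match a resolver performs, and measuring the day-over-day churn between two feed snapshots against the 15-30% band described above. The domain names, zone origin and SOA values are constructed placeholders.

```python
"""Added example (not Spamhaus code): render DGA domains as RPZ records,
emulate RPZ QNAME matching, and measure churn between two feed snapshots.

All domain names, the zone origin and the SOA values are constructed
placeholders, not real feed data."""
from __future__ import annotations

# Two constructed snapshots of a DGA feed on consecutive days. Real feeds are
# far larger; these only show the mechanics (8 names kept, 2 removed, 2 added).
FEED_DAY1 = {
    "a1b2c3d4.example", "e5f6g7h8.example", "i9j0k1l2.example",
    "m3n4o5p6.example", "q7r8s9t0.example", "u1v2w3x4.example",
    "y5z6a7b8.example", "c9d0e1f2.example", "g3h4i5j6.example",
    "k7l8m9n0.example",
}
FEED_DAY2 = {
    "e5f6g7h8.example", "i9j0k1l2.example", "m3n4o5p6.example",
    "q7r8s9t0.example", "u1v2w3x4.example", "y5z6a7b8.example",
    "c9d0e1f2.example", "g3h4i5j6.example", "o1p2q3r4.example",
    "s5t6u7v8.example",
}


def normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so set comparisons are exact."""
    return name.strip().rstrip(".").lower()


def rpz_zone(domains, origin="dga.rpz.example", serial=2015092501, ttl=300):
    """Render an RPZ zone in which every DGA domain and its subdomains
    resolve to NXDOMAIN. 'owner CNAME .' is the standard RPZ NXDOMAIN
    action; origin, serial and SOA timers here are placeholders."""
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {origin}.",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 900 604800 {ttl}",
        f"@ IN NS ns.{origin}.",
    ]
    for d in sorted({normalise(x) for x in domains}):
        lines.append(f"{d} CNAME .")      # the domain itself
        lines.append(f"*.{d} CNAME .")    # any label beneath it
    return "\n".join(lines) + "\n"


def is_blocked(qname: str, domains) -> bool:
    """Emulate the RPZ QNAME trigger: a query matches when the name itself
    or any parent of it is listed (the *.d wildcard covers the parents)."""
    blocked = {normalise(d) for d in domains}
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def churn(old, new) -> dict:
    """Compare two snapshots: entries removed, entries added, and churn as
    the percentage of the old snapshot that is no longer present."""
    old_n = {normalise(d) for d in old}
    new_n = {normalise(d) for d in new}
    removed = sorted(old_n - new_n)
    added = sorted(new_n - old_n)
    pct = 100.0 * len(removed) / max(len(old_n), 1)
    return {"removed": removed, "added": added, "churn_pct": round(pct, 1)}


def churn_within_expected(pct: float, low: float = 15.0, high: float = 30.0) -> bool:
    """True when the measured churn sits inside the band the feed operator
    says to expect; a value outside it is worth an alert before loading."""
    return low <= pct <= high


if __name__ == "__main__":
    result = churn(FEED_DAY1, FEED_DAY2)
    print(f"removed={len(result['removed'])} added={len(result['added'])} "
          f"churn={result['churn_pct']}% "
          f"expected={churn_within_expected(result['churn_pct'])}")
    print(rpz_zone(FEED_DAY2))
```

The churn check is the operational point: a snapshot whose churn falls far outside the announced band (for example an empty or truncated download) should be held back rather than loaded, since an RPZ is consulted on every query the resolver answers.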

Whilst the increase in RPZ entries would not have caused any issues for users of the Botnet C&C RPZ, we acknowledge that customers would prefer prior warning when planned alterations result in a large change to one of the zones. This has been noted, and going forward we aim to announce such changes at least 48 hours before initiating them. We apologise for any concerns and appreciate our customers’ feedback.
