Spamhaus Technology adds DGA domains to RPZ

Domain Generated Algorithm (DGA) domains allow malware to periodically create a list of tens of thousands of new DNS names for controller servers. A number of these domains could be active at any time, although typically only a couple of the domains will be actually registered and working.

Command and Control Machines

Botnets need to be delivered commands to do their owner’s bidding. The traditional way to pass commands to an infected machine is from a command and control (C&C) server. However this introduces a single point of failure, so if an infected machine has no other means of contacting its C&C server, it can cycle through the DGA created domains to try to regain contact. In essence it is a form of camouflage or obfuscation.

Bot herders are continuously coming up with a number of mechanisms to hide the location of the C&C servers, thus making the chain of command even more elusive. Spamhaus Technology Response Policy Zones (RPZ) use domain and IP reputation data from Spamhaus’ real-time threat intelligence data to protect users' computers from connecting to harmful sites as soon as the domains are registered and before they can compromise users’ computers and harm your network.

Spamhaus adds DGA Domains to its RPZ

Last Thursday Spamhaus Technology added DGA domains to the Spamhaus Technology Botnet C&C RPZ. This resulted in the RPZ increasing in size from around 500 entries to 1.2 million.

The DGA domain data is updated twice a day. Currently it contains DGA domains for a 7-day period: the current day and three days either side. Users of the Botnet C&C RPZ should expect a change of circa 15-30% in the DGA data every 24 hours. Given the nature of the DGA domains’ dataset customers should expect some churn as each new days’ worth of data is added and the earliest day's worth of data is removed.

Whilst the increase in the RPZ entries would not have caused any issues for users of the Botnet C&C RPZ, we acknowledge that customers would prefer prior warning when planned alterations result in a large change to one of the zones. This has been noted and going forward we aim to now announce such changes at least 48 hours prior to initiating them. We apologise for any concerns and appreciate our customers’ feedback.

Related Stories

Want to find out more?
...please get in touch

Get in touch

Get in touch

Latest News

PIPELINE Security partnership delivers advanced threat intelligence to Asia Pacific.

New partnership between Tokyo-based PIPELINE Security and Spamhaus Technology will bring faster, easier access to global cyber threat intelligence.

Read more

Virus Bulletin reviews the latest Spamhaus Botnet Threat Report

Independent researchers review the latest annual Spamhaus Botnet Threat Report.

Read more

Connect with Spamhaus Technology

Keep up to date with the latest news at Spamhaus Technology.