Released
September 14, 2021
Language
Python
license
Apache License 2.0
The DGA Detective allows analysts and defenders to hunt for C2 domains that were generated by Domain Generation Algorithms (DGAs) and might facilitate control over criminal botnets.
CONTEXT AND BACKGROUND

To sustain their criminal activity, operators of botnets often employ so-called Domain Generation Algorithms (DGAs) that rotate Command and Control (C2) domains at great pace. Blocking or seizing such dynamic and random-looking C2 domains is a major challenge for cyber defenders and law enforcement agencies. On any given day, botnet operators will use a particular DGA, the time period and a unique input seed to determine which domain name they need to register to facilitate C2 communications with malware-infected computers. Defenders typically cannot identify such C2 domains until they get the chance to analyze live traffic (e.g. in a sandbox). By this point, the criminals will likely have registered the C2 domain for that day and already gained or maintained control over their botnet.

DGAs exploit economic asymmetry, since criminals need to register only one of the programmatically possible C2 domains to maintain control of their botnet while defenders must gain control of every potential C2 domain (not just the small number of C2 domains that criminals actually register) that might come out of that DGA on any given day. A single (or small number of) domain registration(s) suffices for the criminals because each bot will typically cycle through all of the possible C2 domains until it manages to connect to a valid C2 server.

Most of the top global malware-based threats utilize such DGA schemes to make their C2 infrastructure resistant to takedown.

SOFTWARE

The DGA Detective determines whether a given domain name was created by a DGA by means of automated binary classification. The classification methodology relies on training a Temporal Convolution Network (TCN), and the tool has been trained on a large dataset of DGA domains and benign domains that was supplied by the Shadowserver Foundation. DGA Detective is distributed as a Python package and as a Docker container. It can classify domains offline (through a command line interface) or online (through an API).
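To illustrate the binary classification task described above, here is an added, hand-rolled baseline scorer that is not DGA Detective's TCN model or its API: it scores a few constructed sample domains on the surface features (character entropy, vowel and digit ratios, label length) that make algorithmically generated labels look different from human-chosen ones. Thresholds are assumed values chosen for this illustration, and the second-level-label extraction ignores multi-label public suffixes such as co.uk.

```python
"""Feature-based DGA-likeness baseline (added example, not the project's code)."""
import math
from collections import Counter

# Constructed sample domains for the demo; none of these are real indicators.
SAMPLE_DOMAINS = [
    "shadowserver.org", "wikipedia.org", "example.com",      # human-chosen
    "xkq7zv3plmwqe.net", "qzjvtrbxwkp.com", "a8f3k9q2z5x1.org",  # DGA-like
]


def label(domain: str) -> str:
    """Return the second-level label: 'xkq7zv3plmwqe.net' -> 'xkq7zv3plmwqe'.
    Assumption: a single-label public suffix (co.uk-style suffixes are not handled)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score higher than words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(domain: str) -> dict:
    lbl = label(domain)
    vowels = sum(ch in "aeiou" for ch in lbl)
    digits = sum(ch.isdigit() for ch in lbl)
    return {
        "entropy": shannon_entropy(lbl),
        "vowel_ratio": vowels / len(lbl),
        "digit_ratio": digits / len(lbl),
        "length": len(lbl),
    }


def dga_score(domain: str) -> float:
    """Additive score; thresholds are assumed values for this illustration."""
    f = features(domain)
    score = 0.0
    score += 1.0 if f["entropy"] > 3.3 else 0.0      # high character diversity
    score += 1.0 if f["vowel_ratio"] < 0.25 else 0.0  # unpronounceable label
    score += 1.0 if f["digit_ratio"] > 0.2 else 0.0   # digit-heavy label
    score += 0.5 if f["length"] >= 12 else 0.0        # long label
    return score


def is_dga_like(domain: str, threshold: float = 1.5) -> bool:
    return dga_score(domain) >= threshold


def classify(domains) -> dict:
    """Map each domain to True (DGA-like) or False (looks human-chosen)."""
    return {d: is_dga_like(d) for d in domains}
```

Such a scorer is only a sanity baseline; the learned model in DGA Detective exists precisely because per-family DGAs (e.g. dictionary-based ones) defeat simple entropy rules.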

SOURCE PROJECT

The DGA Detective software was developed by TNO and The Shadowserver Foundation in the pan-European SOCCRATES innovation project. SOCCRATES received funding from the European Union’s Horizon 2020 Research and Innovation program under Grant Agreement No. 833481.
