Fact-checked by Grok 2 weeks ago

Domain generation algorithm

A domain generation algorithm (DGA) is a computational method employed by to dynamically produce a large set of pseudorandom names, enabling covert communication with command-and-control () servers while evading traditional network defenses such as blacklisting. These algorithms typically rely on seeds—such as dates, system times, or predefined values—combined with randomization techniques to generate domains that appear legitimate but are predictable only to the infected host and its controllers. By generating thousands of potential domains periodically (e.g., daily or hourly), DGAs ensure resilience against takedowns, as only a subset of the generated domains are actively registered and used by attackers. The technique emerged in malware ecosystems around 2008, with the Kraken botnet marking one of the earliest documented implementations, followed closely by the widespread Conficker worm, which popularized DGAs through its use of date-based seeds to produce up to 50,000 domains per variant daily. Since then, DGAs have evolved into a staple of advanced persistent threats (APTs) and botnets, appearing in families like Torpig, Nymaim, Gozi, Pushdo, Bamital, Murofet, Astaroth, Bazar, and ShadowPad, each employing variations to suit specific operational needs. For instance, Conficker's algorithm uses the UTC date as input to create pronounceable domains across approximately 110 TLDs (for the Conficker.C variant), while more sophisticated variants like those in Nymaim incorporate predefined patterns or external data sources for added obfuscation. DGAs are frequently paired with fast-flux DNS techniques, where generated domains resolve to multiple changing IP addresses for load balancing, hindering detection by security tools that rely on static indicators. Attackers often register only a fraction of the generated domains—typically those controlled by their —leaving the rest as decoys to overwhelm defenders attempting predictive blocking. This approach not only facilitates persistence but also supports propagation, , and negotiations, posing significant challenges to cybersecurity. Detection of DGAs typically involves models analyzing domain entropy (randomness), n-gram patterns, or clustering similar queries, often integrated into DNS firewalls or endpoint protection platforms. Mitigations include sinkholing predicted domains to redirect traffic, network intrusion prevention systems () with behavioral signatures, and restricting outbound DNS resolutions to trusted resolvers. Despite these countermeasures, the adaptability of modern DGAs—such as those leveraging for wordlist-based generation—continues to drive research into AI-driven defenses. As of 2025, advancements include registered DGAs (RDGAs), where attackers pre-register multiple predicted domains, and typo-based DGAs that exploit common misspellings for added stealth.

Introduction

Definition

A domain generation algorithm (DGA) is a computational method embedded within that algorithmically produces a vast array of names, typically numbering in the thousands daily, intended as prospective command-and-control () endpoints for malicious communication. These algorithms leverage programmatic techniques to create on the fly, allowing infected systems to attempt connections to these generated addresses without relying on hardcoded or pre-configured lists. Central to DGAs are their defining traits: the resulting domains exhibit random or pseudo-random appearances to evade pattern-based detection, yet they are produced deterministically through shared algorithmic parameters known only to both the malware and its operators. The malware systematically queries these domains in a predetermined sequence, resolving and testing them via DNS until it encounters a responsive C2 server controlled by the attacker, thereby establishing a covert channel. This process ensures resilience against disruptions, as the generation is synchronized without direct prior coordination. In contrast to static domains, which remain fixed and vulnerable to by security systems, DGAs facilitate highly dynamic and evasive interactions by continuously cycling through ephemeral addresses that are difficult to predict or block in advance. This foundational mechanism underpins their utility in for resilient operations.

Role in Malware Operations

Domain generation algorithms (DGAs) serve as a core mechanism in operations to establish and maintain resilient command-and-control () communications. By algorithmically producing a large set of pseudo-random domain names, DGAs allow infected hosts to dynamically locate servers without relying on static, easily blockable endpoints. This approach ensures that can receive instructions, exfiltrate data, and coordinate attacks even in adversarial environments where defenders actively disrupt communications. The strategic benefits of DGAs for attackers are multifaceted, primarily centered on evasion and operational continuity. They render traditional takedown efforts, such as domain seizures, largely ineffective because malware generates thousands of potential domains daily or hourly, far exceeding what attackers need to register in advance—typically just one or a few active ones. This scalability supports massive infections, enabling widespread distribution of like , which used time-seeded DGAs to persist across global networks. Furthermore, DGAs integrate seamlessly with complementary evasion tactics, such as fast flux DNS, where domain resolutions rapidly cycle through IP addresses, compounding the difficulty of disrupting channels. In typical operations, the DGA workflow begins on the infected , where the executes —often seeded by the current date, a hardcoded key, or —to produce a list of domains. The then attempts to resolve and connect to these domains in sequence or parallel, querying DNS until it reaches an attacker-controlled one that resolves to the active server. If all generated domains fail (e.g., due to blocking), the falls back to predefined alternatives, such as hardcoded addresses, ensuring uninterrupted connectivity. Attackers, anticipating 's output, pre-register a minimal subset of these domains to C2 infrastructure, minimizing costs while maximizing resilience.

Historical Development

Early Implementations

The evolution of command-and-control (C2) mechanisms in the late 1990s initially relied on hardcoded names or addresses directly in the malicious code, which allowed infected systems to connect to attacker-controlled servers but made takedowns straightforward once those fixed endpoints were identified. By the early , attackers shifted to fast flux techniques, where DNS records for a single were rapidly rotated to point to multiple addresses, enhancing resilience against blocking efforts and laying the groundwork for more dynamic resolution strategies. These precursors highlighted the need for algorithmic approaches to generate endpoints on the fly, evading static blacklisting while maintaining C2 communication. The first notable implementation of a domain generation algorithm (DGA) appeared in the banking trojan in 2008, marking a pivotal shift toward automated domain creation for evasion. employed a simple pseudo-random number generator (PRNG) seeded by the number of seconds since January 1, 1970 ( time in UTC), divided by 512 to provide at roughly 8-minute intervals. This seed drove the selection of two words from a hardcoded list of 384 terms, concatenated to form hostnames appended with ".net", resulting in up to 32,768 possible domains per seed value and complicating efforts to preemptively block communications. Later that year, the worm introduced a more sophisticated DGA in its versions A and B, generating 250 domains daily using a pseudo-random domain generation algorithm seeded by the current UTC date across various top-level domains (TLDs). version C, released in early 2009, dramatically escalated this by producing 50,000 domains per day distributed over approximately 110 TLDs, leveraging a similar date-based pseudo-random generation but with expanded randomization to overwhelm potential blocking. This proliferation prompted unprecedented global collaboration through the Conficker Working Group, which coordinated with registrars and TLD operators to the generated domains and mitigate the worm's spread.

Advancements and Proliferation

In the mid-, domain generation algorithms evolved from primarily pseudo-random methods to more sophisticated dictionary-based and hybrid variants, aiming to produce domains that mimic legitimate human-readable names and evade detection. For instance, the Torpig , initially deployed in 2009, incorporated elements combined with time-based seeds in its later variants to generate wordlist-derived domains, enhancing resilience against blacklist-based blocking. Similarly, the Gozi banking in the early 2010s adopted dictionary-based DGAs, drawing from predefined wordlists to create plausible top-level domains that blended with benign traffic. These advancements marked a shift toward hybrid approaches that integrated linguistic patterns with algorithmic randomness, making generated domains harder to distinguish from legitimate ones. The proliferation of DGAs accelerated as malware authors integrated them into diverse threat vectors, particularly ransomware and advanced persistent threats (APTs). Ransomware families like CryptoWall, emerging in 2014, employed DGAs to dynamically resolve command-and-control (C2) servers, complicating takedown efforts by generating thousands of potential domains daily. This adoption extended DGAs beyond botnets to broader ecosystems; by the 2020s, analyses indicated over 50 malware families incorporating DGAs, as documented in threat intelligence frameworks like MITRE ATT&CK. Key milestones in DGA development during 2013–2015 included the emergence of variants designed to resist machine learning-based detection, with algorithms incorporating polymorphic structures and contextual entropy to foil statistical classifiers. Building on early implementations like Conficker's time-seeded pseudo-random generation, these evasive techniques proliferated in families such as Necurs, prioritizing adaptability over sheer volume. In the , attackers have explored blockchain-based command-and-control using smart contracts on platforms like for decentralized , as observed in state-sponsored campaigns by North Korean actors, providing resilient communication alternatives to traditional domain reliance. As of 2025, further advancements include the rise of Registered Domain Generation Algorithms (RDGAs), first prominently observed in 2024 with malware like Revolver Rabbit, which algorithmically registers large volumes of domains (e.g., over 500,000 .bond domains) to enhance evasion and scalability in C2 infrastructure.

Operational Mechanics

Algorithmic Foundations

Domain generation algorithms (DGAs) rely on a core deterministic function that is embedded in both the malware client and the attacker's command-and-control (C2) server, allowing them to independently generate identical sequences of domain names without requiring prior direct communication. This shared algorithm acts as a rendezvous mechanism, ensuring that infected hosts and the C2 infrastructure synchronize on the same domains at predetermined intervals, typically daily, to facilitate resilient communication even if some domains are blocked. The deterministic nature of this function guarantees reproducibility, as both parties execute the same computational steps from a common starting point, thereby maintaining operational coordination in adversarial network environments. Generated domains produced by DGAs generally consist of 8 to 20 characters in the portion, with medians often ranging from 9 to 16 characters, followed by common top-level domains (TLDs) such as .com or .net to blend with legitimate traffic. This structure is designed to mimic registered domains while maximizing the volume of potential points, though the exact length varies by implementation to balance evasion and practicality. Many DGAs incorporate elements that enhance pronounceability, such as selecting from character sets that form syllable-like patterns, which facilitates easier manual registration by attackers when needed for operational fallback. The apparent randomness of DGA-generated domains stems from the use of pseudo-random number generators (PRNGs), which produce sequences that appear unpredictable but are fully deterministic when initialized with a predictable , ensuring both and attacker generate the same output. Common PRNG implementations, such as linear congruential generators, iteratively compute indices to select characters from predefined alphabets, yielding reproducible yet varied domain lists that evade static . This controlled randomness allows DGAs to generate thousands of domains per cycle while preserving the synchronization essential for resilience.

Seed and Generation Process

The seeding mechanism in domain generation algorithms (DGAs) relies on deterministic inputs to ensure that infected hosts generate identical domain lists at the same time, enabling coordinated command-and-control communication. Common seeds include the current date in YYYYMMDD format, the malware version number, or dynamic external data such as foreign exchange rates or trends. For instance, the worm uses the current UTC date as its primary seed to synchronize daily domain production across bots. More advanced variants, like Bedep, incorporate real-time exchange rates fetched from financial websites, while Torpig leverages as an unpredictable seed to complicate . The domain generation process unfolds in a structured sequence of computational steps to produce a large set of pseudorandom domains from the seed:
  1. Initialize with seed: The seed is fed into a pseudo-random number generator (PRNG), such as a (LCG) or , or directly into a to establish a repeatable starting state.
  2. Generate character strings: Iteratively produce strings of characters (typically lowercase letters a-z and sometimes digits) using the PRNG output via to select characters or by hashing the seed concatenated with an incrementing counter to derive byte sequences, which are then converted to readable domain labels.
  3. Append TLD: Select and attach a (TLD) from a hardcoded list of common extensions (e.g., .com, .net, .org) using further PRNG iterations or sequential cycling to vary the full domain.
  4. Output domain list: Compile a batch of domains (often thousands per cycle) for the to attempt DNS resolution in order, stopping at the first successful connection to the attacker-controlled server.
This deterministic process ensures reproducibility while appearing random to external observers. A representative example of a basic hash-based DGA employs cryptographic hashing to derive domains, as utilized in families like Dyre. The is formed by processing a truncated output, such as the first 8-16 bytes of SHA-256 applied to the seed concatenated with a , then encoding or converting to alphanumeric characters. Formally, for a given seed s (e.g., YYYYMMDD date string) and i iterating from 0 to produce multiple domains: \text{hash} = \text{SHA-256}(s || i) \text{domain} = \text{base64}(\text{hash}[0:\text{length}]) + \text{.tld} where || denotes concatenation, \text{base64} encodes the byte slice to a domain-safe string of specified length, and tld is selected from a list. This method, or variants using MD5 for hexadecimal digests, allows efficient generation of vast domain sets with minimal computational overhead.

Variants and Examples

Basic Pseudo-Random DGAs

Basic pseudo-random domain generation algorithms (DGAs) rely on mathematical functions, such as pseudo-random number generators (PRNGs), to produce domain names that appear as random strings of characters, often exhibiting high to evade pattern-based detection. These algorithms typically seed the PRNG with deterministic inputs like the current date or , ensuring all infected hosts generate the same set of domains synchronously without requiring external coordination. The resulting domains, such as "xjdakfl.com", consist of nonsensical combinations of letters and sometimes numbers, appended to common top-level domains (TLDs) like .com or .net, and are designed to be unpredictable yet reproducible across the . Such DGAs can generate thousands of domains daily—ranging from 250 in early variants to up to 50,000 in more advanced ones—allowing to attempt connections to a large pool while only querying a fraction to locate the active command-and-control () server. A seminal example of a basic pseudo-random DGA is found in the worm, which emerged in 2009 and infected millions of systems worldwide. seeds its PRNG with the current UTC date and uses an arithmetic-based algorithm to produce 50,000 potential 8- to 10-character domain names daily, distributed across 110 TLDs. It then selects and queries only 500 of these domains once per day, employing to map PRNG outputs to alphanumeric characters, ensuring high randomness without linguistic patterns. This mechanism overwhelmed traditional blocking efforts, as the sheer volume made pre-registration of all domains impractical, contributing to Conficker's resilience despite coordinated takedown attempts by over 100 organizations. Another illustrative case is the Bamital trojan, active in the 2010s and primarily used in ad-fraud botnets that redirected search queries to monetize infections. Bamital's DGA seeds a PRNG with the current date obtained by querying google.com, generating five short, gibberish domain names (typically 10-15 characters) per day, each appended to three TLDs (.info, .in, .co.cc) for a total of 15 candidates. The malware resolves and contacts all generated domains to reach its C2 infrastructure, producing outputs like "jytajigefynizer.info" that mimic random noise to blend with legitimate traffic. This time-seeded approach allowed Bamital to maintain communication agility in financial fraud operations, infecting hundreds of thousands of hosts before disruptions in 2012.

Dictionary-Based and Hybrid DGAs

Dictionary-based domain generation algorithms (DGAs) employ predefined lists of words, often embedded within the or derived from public sources, to construct domain names by concatenating or permuting these terms. This approach produces domains with relatively low compared to purely pseudo-random methods, making them resemble legitimate human-readable domains and thus more challenging to detect via statistical like high-entropy checks. By blending common words, such as "apple" and "tree" to form "appletree.net", these DGAs enhance stealth while maintaining the dynamic nature needed for command-and-control () communication in operations. A prominent example is the Suppobox malware family, which draws from an embedded wordlist of 384 terms to generate domains by randomly selecting and concatenating two words, appending the ".net" (TLD). These domains remain active for short periods, such as 12 hours, 5 minutes, or 20 seconds, with lengths ranging from 8 to 26 characters, allowing the malware to cycle through potential endpoints rapidly. Similarly, the Gozi banking utilizes words extracted from the U.S. as its dictionary, producing multi-word domains like "amongpeaceknownlife.com" that are valid for 1 to 3 months and incorporate 12 specific TLDs. The Matsnu malware follows a comparable pattern, using an embedded wordlist to create three domains every three days, each 12 to 24 characters long with a single TLD, emphasizing brevity and periodicity for evasion. Hybrid DGAs integrate dictionary-based elements with pseudo-random number generators (PRNGs) or time-dependent seeds to further obscure patterns and increase unpredictability. This combination allows to select words from lists via hashed seeds or permute them algorithmically, blending semantic legitimacy with randomization to bypass both signature-based filters and behavioral heuristics. For instance, the Nymaim employs a dictionary of words permuted using a date-seeded PRNG, generating pronounceable domains that evade simple while producing thousands of variants daily. Another case is the Rovnix , which hashes time-based seeds against a wordlist derived from the U.S. to select and concatenate terms, yielding domains active for periods of up to three months and incorporating variable TLDs for added resilience. These hybrids, observed in proliferating since the early , prioritize evasion of entropy-based detection by maintaining word-like structures amid randomized selection. Recent evolutions in DGA variants include registered domain generation algorithms (RDGAs), where attackers pre-register a subset of generated domains for use in spam, phishing, and malware distribution campaigns, observed increasingly since 2024. Additionally, typo DGAs, which generate domains with intentional misspellings of legitimate sites for redirection chains, emerged in campaigns as of early 2025, enhancing evasion against traditional detection methods.

Detection Techniques

Signature-Based and Statistical Methods

Signature-based detection methods for domain generation algorithms (DGAs) rely on predefined patterns or rules to identify known malicious domain structures. These approaches often employ regular expressions (regex) or tools like to match specific signatures derived from reverse-engineered malware samples. For instance, in the case of the worm, researchers developed Snort (IDS) rules targeting the worm's payloads, which included unique byte sequences such as "|e8 ff ff ff ff c1|" for Conficker.A variants. These rules enabled network monitoring tools to flag traffic associated with Conficker infections by inspecting SMB exploits, complementing efforts to detect DGA activity through domain analysis. Additionally, Conficker's DGA used a fixed list of top-level domains (TLDs), such as .com, .net, and .org, allowing regex patterns to filter domains ending in these predictable suffixes while exhibiting random (SLD) strings. Blacklisting predicted domains, generated via emulation of the DGA algorithm, further supported this method; security teams preemptively registered thousands of Conficker-generated domains to redirect traffic and monitor size. Statistical methods complement signatures by analyzing probabilistic characteristics of domain names, focusing on deviations from legitimate distributions without relying on exact matches. A primary technique is entropy calculation, which quantifies the randomness of character distributions in domain strings; DGA domains, due to their pseudo-random generation, typically exhibit higher than human-readable legitimate domains. Shannon entropy H for a is computed as: H = -\sum_{i=1}^{n} p_i \log_2 p_i where p_i is the probability of each character in the , and n is the size (e.g., for lowercase letters). In practice, average and standard deviation of values across NXDomain responses (non-existent domains) help cluster suspicious queries; for example, domains exhibit higher than typical benign domains, which have lower values due to linguistic patterns. N-gram analysis extends this by examining sequences of characters (unigrams for single characters, for pairs) and comparing their frequency distributions to known legitimate sets using metrics like the or Kullback-Leibler (KL) divergence. The measures overlap between n-gram sets: JI(A, B) = \frac{|A \cap B|}{|A \cup B|}, where low similarity to benign corpora flags DGA domains. For , bigram analysis achieved 100% detection accuracy with minimal false positives when applied to groups of 500 domains per TLD, as the worm's produced non-overlapping, uniformly random n-grams unlike dictionary-based legitimate names. Tools implementing these methods, such as DNS sinkholes for , resolved predicted domains to controlled IP addresses, disrupting communications across 110 TLDs.

Machine Learning and Behavioral Analysis

Machine learning techniques have advanced the detection of domain generation algorithms (DGAs) by enabling dynamic analysis of domain names and DNS traffic patterns that evolve beyond static signatures. Supervised learning models, such as s, classify domains as malicious by extracting linguistic features like domain length, vowel-to-consonant ratios, and character distributions, achieving high accuracy in identifying pseudo-randomly generated names. For instance, a classifier trained on such features demonstrated an 83% recall rate at a 0.001 when evaluated on diverse DGA families. These models are trained on labeled datasets of benign and DGA-generated domains, allowing them to adapt to known variants while providing interpretable decision boundaries through feature importance rankings. Unsupervised learning approaches, including clustering algorithms, detect DGAs by grouping DNS queries without prior labels, revealing anomalous clusters indicative of botnet activity. Methods like the Clustering and Capturing Group Activities (CCGA) framework analyze DNS traffic to identify coordinated query patterns from infected hosts, leveraging density-based clustering to isolate DGA-related groups even in unlabeled data. This is particularly effective for discovering novel DGAs, as it focuses on behavioral similarities in query volumes rather than predefined rules. models further enhance detection through sequence modeling; (LSTM) networks process domain names as character sequences to predict DGA generation, capturing temporal dependencies in algorithmic patterns. An LSTM-based classifier achieved an area under the curve () of 0.9993 for and a 90% detection rate at a 1:10,000 , outperforming traditional methods by automating from raw strings. Recent advancements as of 2025 include Transformer-based models and nature-inspired optimized approaches, improving accuracy and adaptability against evolving DGAs. Behavioral analysis complements by monitoring runtime DNS traffic for that signal DGA usage, such as sudden spikes in query volumes or elevated non-existent (NXDOMAIN) response rates from compromised hosts. In operations, infected machines often generate hundreds of failed queries per hour to randomized domains, creating detectable surges; for example, variants like produced queries from an average of 742 infected hosts daily in monitored ISP networks. models apply statistical thresholds, like the three-sigma rule, to flag deviations in query rates, enabling real-time identification without domain-specific knowledge. Elastic Security's DGA detection package, released in the 2020s, integrates supervised jobs on network logs to score DNS queries, detecting 82% of DGA domains while using unsupervised for high-probability alerts based on source IP patterns. This technique maps to ATT&CK T1568.002, which emphasizes monitoring abnormal DNS query rates and NXDOMAIN volumes as key indicators of dynamic resolution via DGAs.

Countermeasures

Domain Prediction and Registration

Defenders counter domain generation algorithms (DGAs) by reverse-engineering infected samples to extract the underlying values, functions, or pseudorandom number generators that drive domain creation. This process involves disassembling the to simulate the DGA's logic, allowing researchers to replicate the algorithm and forecast domains that will be queried in the future, often extending predictions months ahead based on temporal seeds like dates. Once the DGA is modeled, tools generate exhaustive lists of prospective domains, enabling proactive measures before attempts connections. Following prediction, collaborative efforts focus on registering or blocking these domains through sinkholing, where defenders seize control to redirect traffic and gather intelligence on infections. A seminal example is the Conficker Working Group, formed in 2009, which coordinated with over 300 organizations, , and 110 registries to preemptively register or block domains generated by the worm's DGA. For variant D, this involved handling 50,000 domains per day across multiple TLDs, with the group assigning predicted domains to six controlled sinkholes for monitoring activity while providing daily updated lists to registrars for enforcement. In contemporary practice, automated systems leverage to refine predictions and facilitate sinkholing, such as by integrating with DNS resolvers to preemptively null-route traffic to anticipated DGA domains. Despite these advances, domain prediction and registration face significant challenges, particularly in for high-volume DGAs that can produce tens of thousands of unique domains daily, overwhelming manual or semi-automated registration processes. The financial burden is substantial, with bulk registrations costing thousands of dollars per day in fees, compounded by the need for rapid coordination across registrars to avoid attackers claiming domains first. Legally, bulk registrations conflicts with holders or accusations of if not properly vetted, necessitating partnerships with authorities and TLD operators to ensure compliance and mitigate disputes over legitimate name collisions.

Network-Level Defenses

Network-level defenses against domain generation algorithms (DGAs) primarily operate at the DNS and broader layers to intercept and disrupt malicious traffic before it reaches command-and-control () servers. These strategies focus on blocking and , leveraging the centralized nature of DNS to enforce policies across an organization's network. By analyzing DNS queries in real time, defenders can identify and mitigate DGA activity without relying solely on preemptive . DNS filtering forms a core component of these defenses, with sinkholing being a prominent where traffic to predicted or detected DGA-generated domains is redirected to a controlled server, preventing communication with actual infrastructure. This approach is particularly effective for local networks, as it allows administrators to forge NXDOMAIN or IP-null responses for malicious domains, thereby isolating infected hosts at a lower cost than registering all possible generated domains. For instance, network intrusion prevention systems () can integrate sinkholing with signature-based detection to block DGA traffic identified through reverse-engineered algorithms or observed query patterns. Rate-limiting excessive DNS queries further enhances filtering by throttling high-volume requests typical of DGA bots, which often generate thousands of lookups per day to find active domains; this mitigates amplification risks and forces attackers to reveal patterns through anomalous behavior. Cisco exemplifies such integrated filtering, using AI-driven analysis of over 700 billion daily DNS requests to predict and block DGA domains in , achieving proactive enforcement across all ports and protocols. Beyond DNS-specific measures, broader network-level defenses include (EDR) systems that scan for DGA generation code embedded in , enabling of compromised devices before they initiate queries. EDR tools monitor behavioral indicators, such as algorithmic domain creation routines, to quarantine endpoints and prevent lateral movement. Network segmentation complements this by dividing infrastructure into isolated zones, limiting botnet traffic propagation; for example, virtual local area networks (VLANs) or micro-segmentation policies restrict infected segments from accessing critical systems, containing DGA-enabled outbreaks. These methods draw on behavioral query patterns, like high in names, to trigger automated without disrupting legitimate traffic.

References

  1. [1]
    Domain Generation Algorithms, Sub-technique T1568.002 - Enterprise
    Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic.
  2. [2]
    Threat Brief: Understanding Domain Generation Algorithms (DGA)
    Feb 7, 2019 · A Domain Generation Algorithm is a program that is designed to generate domain names in a particular fashion. Attackers developed DGAs so ...<|control11|><|separator|>
  3. [3]
    Understanding domain generation algorithms (DGAs) | CXO - Zscaler
    Nov 21, 2024 · A DGA is an algorithm that generates a seemingly random set of domain names on the fly that malware uses to communicate with a C2 server.
  4. [4]
    Explained: Domain Generating Algorithm | Malwarebytes Labs
    Dec 6, 2016 · History. Kraken was the first malware family to use a DGA (in 2008) that we could find. Later that year, Conficker made DGA a lot more famous.What's The Use? · More Details About How It... · Summary
  5. [5]
    https://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
  6. [6]
    What is a domain generation algorithm (DGA)? - TechTarget
    Feb 27, 2025 · A domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains to evade security ...
  7. [7]
    Domain Generation Algorithms (DGA): Definition and Impact - Hunt.io
    Feb 4, 2025 · DGAs are programs that generate many domain names dynamically to be communication points for malware.How Dgas Work · Dgas And Command-And-Control... · Detection Techniques For...
  8. [8]
    What is Domain Generation Algorithm: 8 Real World DGA Variants
    Domain Generation Algorithms - DGA - is a methodology for malware to form a command and control (C&C / C2) connection without being detected.
  9. [9]
    [PDF] A Comprehensive Measurement Study of Domain Generating Malware
    Aug 10, 2016 · Security researchers have previously examined DGAs and proposed approaches to detect and cluster DGA-based malware [13, 18, 43, 54]. Our study.
  10. [10]
    How Domain Generation Algorithms Impact Network Security
    Dec 21, 2023 · A DGA is, in its simplest form, a programme or script that generates a large number of domain names. DGAs are frequently used by cybercriminals ...Attacker's Advantage · How Dga Works? · Utilizing Bps For Enhanced...
  11. [11]
    Hacker Tactics - Part 1: Domain Generation Algorithms - Anomali
    Aug 31, 2017 · The evolution of DGAs is a traditional cat and mouse game between malware authors and cyber defenders. In the late 1990's, malware began ...
  12. [12]
    [PDF] End-to-End Analysis of a Domain Generating Algorithm Malware ...
    Jul 31, 2013 · Kraken was one of the first malware families to use a DGA, beginning around April of 20081. Although several families such as Torpig and ...<|separator|>
  13. [13]
    [PDF] Detecting Algorithmically Generated Malicious Domain Names
    For instance, Conficker-A. [27] bots generate 250 domains every three hours while us- ing the current date and time at UTC (in seconds) as the seed, which in ...Missing: DGA MD5
  14. [14]
    [PDF] Conficker Summary and Review | ICANN
    May 7, 2010 · The Conficker worm first appeared in October 2008 and quickly earned as much notoriety as Code Red1, Blaster2, Sasser3 and SQL Slammer4. The ...Missing: details | Show results with:details
  15. [15]
    Botnet DGA Domain Name Classification Using Transformer ...
    Aug 28, 2023 · DGAs usually combine time, dictionary and hard-coded constants to generate domain names [14], [15], such as the HTTP-based botnet Torpig [14], ...
  16. [16]
    [PDF] A Partial Knowledge-based Domain Generation Algorithm for Botnets
    Dec 8, 2022 · Abstract—Domain generation algorithms (DGAs) can be cate- gorized into three types: zero-knowledge, partial-knowledge, and full-knowledge.
  17. [17]
    A Taxonomy of Domain-Generation Algorithms - ResearchGate
    Aug 9, 2025 · This detailed taxonomy of DGAs highlights the problem and offers solutions to combat DGAs through detection of drive-by download and C&C ...
  18. [18]
    The Evolution of Ransomware: From CryptoWall to CTBLocker
    CryptoLocker used a Domain Generation Algorithm (DGA) to generate a list of C&C servers; CryptoWall uses the RC4 algorithm to encrypt all the communication ...
  19. [19]
    Suckfly, Group G0039 - MITRE ATT&CK®
    Domain, ID, Name, Use. Enterprise, T1059 .003 · Command and Scripting Interpreter: Windows Command Shell. Several tools used by Suckfly have been ...Missing: DGA | Show results with:DGA
  20. [20]
    Among cyber-attack techniques, what is a DGA? - BlueCat Networks
    Jun 4, 2021 · According to Netlab 360, at least 49 malware families use DGA domains. This includes the venerable Conficker, which is probably not the first ...
  21. [21]
    Stealthy Domain Generation Algorithms (DGAs) | Request PDF
    In this paper, we address how DGA-generated domain names can be detected by means of machine learning and deep learning. We first present an extensive ...
  22. [22]
    North Korean threat actors turn blockchains into malware delivery ...
    Oct 17, 2025 · Attackers have learned to use these as command-and-control (C2) servers to return malicious payloads when the contracts execute after specific ...Missing: DGAs 2020s
  23. [23]
    [PDF] Domain Generation Algorithm (DGA) Detection - UNB Scholar
    The trends in an algorithmic name generation have been evident by many malware families like Conficker, Suppobox and Kraken (generates English domain names),.
  24. [24]
    An Analysis of Conficker C - Computer Science Laboratory
    Apr 4, 2009 · Among the key changes, Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points ...Missing: sinkhole | Show results with:sinkhole
  25. [25]
    [PDF] Trojan.Bamital - Support Documents and Downloads
    When a computer is infected with Bamital, all three modules are present. The main module is responsible for providing the framework for the other components.
  26. [26]
    Real-Time Detection of Dictionary DGA Network Traffic Using Deep ...
    Feb 22, 2021 · We created a novel hybrid neural network, Bilbo the “bagging” model, that analyses domains and scores the likelihood they are generated by such algorithms.
  27. [27]
    A Word-Level Analytical Approach for Identifying Malicious Domain ...
    Apr 28, 2021 · In Rovnix [6], a type of dict-DGA malware, domain names are generated by concatenating words from dictionaries, such as accelerateaccountant ...
  28. [28]
    Rovnix and the Declaration Generation Algorithm
    Oct 10, 2014 · Since the success of Conficker in 2008, multiple malware families have started using Domain Generation Algorithms (DGAs) to make their ...Missing: dictionary | Show results with:dictionary
  29. [29]
    https://www.mdpi.com/2079-9292/10/9/1039
  30. [30]
    Detecting Conficker - The Honeynet Project
    We have been researching this piece of malware recently, with a focus on how to detect Conficker-infected machines. Felix and I had a discussion ...Missing: analysis | Show results with:analysis
  31. [31]
    [PDF] Conficker Summary and Review | ICANN
    May 7, 2010 · Once enlisted, the malware running on infected computers uses a domain generation algorithm (DGA) to create a daily list of domain names.
  32. [32]
    [PDF] From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based ...
    Nov 1, 2010 · In the past, malware used IP fast-fluxing, where a single domain name pointed to several IP ad- dresses to avoid being taken down easily.
  33. [33]
    [PDF] Character Level based Detection of DGA Domain Names
    Domain. Generation Algorithms work by having the malware accessing some available source of randomness and inputting it into an algorithm that generates ...
  34. [34]
    Clustering and Capturing Group Activities for DGA-Based Botnets ...
    In this paper, we propose a novel approach named CCGA to detect DGA-based botnet by leveraging the concerted group behaviors of infected hosts on DNS traffic.
  35. [35]
    Predicting Domain Generation Algorithms with Long Short-Term Memory Networks
    ### Summary of 'Deep Learning for Classifying Algorithmically Generated Domains'
  36. [36]
    [PDF] Detecting and Tracking the Rise of DGA-Based Malware - USENIX
    executes a domain generation algorithm (DGA) that, given a random seed (e.g., the. Detecting and Tracking the Rise of. DGA-Based Malware. Manos antonakakis ...Missing: mechanism | Show results with:mechanism
  37. [37]
    Real-Time Detection and Multi-Class Classification of DGAs With HybridBERT
    ### Summary of Real-Time Detection of DGAs Using Anomaly Detection on Query Volumes and NXDOMAIN Responses
  38. [38]
    DGA Detection with Elastic Security supervised machine learning
    Dec 18, 2020 · We are releasing a supervised ML solution package to detect domain generation algorithm (DGA) activity in your network data.
  39. [39]
    How Cyber Criminals Bypass Defenses Using DGA - Infoblox Blog
    Jun 8, 2020 · In this blog, we will explore an advanced technique called Domain Generation Algorithm (DGA) used by cyber criminals to circumvent even the most sophisticated ...Missing: examples | Show results with:examples
  40. [40]
    How to Efficiently Detect Domain Generation Algorithms (DGA) in ...
    Mar 17, 2020 · We showed how the Calico Enterprise DGA machine learning algorithm can detect any present or future APTs using DGA to connect back to the C2 servers.<|separator|>
  41. [41]
    The Story of Conficker and the Industry Response - CircleID
    Nov 6, 2009 · Investigators reverse-engineered the new variant and determined that it was programmed to generate 50,000 new domain names a day across 110 TLDs ...Missing: C | Show results with:C<|separator|>