DGA Clustering and Analysis: Mastering Modern, Evolving Threats, DGALab

  • Alexander Chailytko Malware Reverse Engineering Team Check Point Software Technologies
  • Aliaksandr Trafimchuk Malware Reverse Engineering Team Check Point Software Technologies

Abstract

Domain Generation Algorithms (DGAs) are a basic building block used in almost all modern malware. Malware researchers have attempted to tackle the DGA problem with various tools and techniques, with varying degrees of success. We present a comprehensive solution for populating a DGA feed using reversed DGAs, third-party feeds, and smart DGA extraction and clustering based on the emulation of a large number of samples. Smart DGA extraction requires no reverse engineering and works regardless of the DGA type or initialization vector, while enabling cluster-based analysis. Our method also automatically allows analysis of a whole malware family, a specific campaign, etc. We present our system and demonstrate its abilities on more than 20 malware families, including showing connections between different campaigns and comparing results. Most importantly, we discuss how to utilize the outcome of the analysis to create smarter protections against similar malware.

Published: 2016-05-12
How to Cite

CHAILYTKO, Alexander; TRAFIMCHUK, Aliaksandr. DGA Clustering and Analysis: Mastering Modern, Evolving Threats, DGALab. The Journal on Cybercrime & Digital Investigations, [S.l.], v. 1, n. 1, May 2016. ISSN 2494-2715. Available at: <https://journal.cecyf.fr/ojs/index.php/cybin/article/view/10>. Date accessed: 15 Dec. 2017. doi: https://doi.org/10.18464/cybin.v1i1.10.
Section: Conference short papers