A domain generation algorithm, or DGA, is a technique botnet malware uses to find its command-and-control (C2) servers. To see why an algorithm that invents domain names is useful, it helps to understand how a botnet works. Say a computer, mobile device or smart appliance is infected with malware that quietly joins it to a network of other infected machines. These nodes are called bots or zombie computers because, through the infection, they can be remotely controlled by an outside party, usually referred to as the operator or botmaster.
Botnets can consist of hundreds or thousands of devices, and criminals have many uses for a network that size. They send spam and drive click-fraud schemes that generate revenue; they launch distributed denial-of-service attacks; they harvest credentials for identity theft and financial fraud; and they distribute ransomware, which encrypts a victim's data until a payment is received. To do any of this the bots must receive instructions from the operator, and that instruction channel must survive defenders' attempts to find and block it.
This is where the DGA comes in. The malware runs an algorithm that produces a long list of pseudorandom domain names, usually seeded with the current date or a similar value so the list changes on a schedule, and then tries to resolve them one after another. Most of the names are never registered and look like nonsense, for example oumaac[dot]com or qfiadxb[dot]net. The operator, who knows the algorithm and the seed, registers only a handful of the generated names ahead of time and points them at the C2 server; the bot works through its list until one of the names resolves, and receives its instructions there. After a short period the seed rolls over, the old names are abandoned and a fresh set comes into use. This process is known as domain fluxing, and it makes the domains and IP addresses tied to the operation much harder to trace and to blocklist, since whatever a defender flags today is no longer in use tomorrow.
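The following Python sketch is an added example written for this article; it is a toy DGA and not the algorithm of any real malware family. The seed string, the TLD list and the fake resolver are assumptions made for the demonstration. It shows the two halves of the scheme: both bot and operator derive the same day's candidate list from a shared seed, the operator registers just one of them, and the bot walks the list, collecting failed lookups, until it hits the live name.

```python
import hashlib
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Added illustration: a toy date-seeded DGA, not any real malware family's code.
# The seed and TLD list are assumptions chosen for this example.
SEED = "example-botnet-seed"
TLDS = ("com", "net", "org")


def generate_domains(seed: str, day: str, count: int = 10) -> List[str]:
    """Return `count` pseudorandom domains for the date `day` ("YYYY-MM-DD").

    Bot and operator both run this with the same seed, so they agree on the
    day's candidate list without ever having to communicate it.
    """
    material = f"{seed}:{day}".encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(material + i.to_bytes(2, "big")).digest()
        length = 7 + digest[0] % 6                      # label of 7..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def first_live_domain(candidates: List[str],
                      resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Bot side: try each candidate in order, return the first that resolves.

    `resolve` returns an IP string or None, so this runs offline against the
    fake resolver below and would work unchanged with a real DNS lookup.
    """
    for name in candidates:
        if resolve(name) is not None:
            return name
    return None


def fake_resolver(registered: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Simulated DNS: only names the operator registered get an answer."""
    return lambda name: registered.get(name)


if __name__ == "__main__":
    today = datetime.now(timezone.utc).date().isoformat()
    candidates = generate_domains(SEED, today)

    # Operator side: (fake-)register only the third candidate for today.
    registered = {candidates[2]: "203.0.113.10"}   # RFC 5737 documentation address

    # Bot side: two failed lookups, then the live one. That burst of NXDOMAIN
    # answers is exactly what DNS monitoring looks for.
    print("today's candidates:", candidates)
    print("live C2 domain:    ", first_live_domain(candidates, fake_resolver(registered)))
```

Because the list depends only on the seed and the date, anyone who recovers the algorithm and seed from a sample can compute tomorrow's domains today, which is what lets defenders register or sinkhole them before the operator does.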
Cybereason, a security company, published a report noting that, beyond the unpredictability of the names a DGA produces, the technique is easy to implement and easy to modify, which makes outright prevention difficult. The sheer number of names a DGA generates can overwhelm analysts of any experience level, who have to triage thousands of domains for blocklisting and redirect the ones they can to a sinkhole, a server under the defenders' control that answers the bots' check-ins so the calls never reach the attacker. Where analysts manage to reverse-engineer the algorithm and its seed, they can predict the coming days' domains and sinkhole them before the operator registers them.
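On the defender's side, the most practical signal is not the look of any single name but the pattern of a host trying many names that do not exist. The following Python example, added here and not part of the original article or any vendor's product, scores clients in a resolver log by how many distinct NXDOMAIN answers they collected and what fraction of their queries failed. The log lines are constructed for this example; the field order (timestamp, client, name, response code) and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, Iterator, Tuple

# Constructed sample resolver log for this example (timestamp, client IP,
# queried name, DNS response code). Not taken from any real capture.
# 10.0.0.5 behaves like a DGA bot walking its candidate list; the other two
# clients are normal users, one of whom mistyped a hostname.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 oumaac.com NXDOMAIN
2024-05-01T10:00:01 10.0.0.5 qfiadxb.net NXDOMAIN
2024-05-01T10:00:02 10.0.0.5 kzptwmeh.org NXDOMAIN
2024-05-01T10:00:02 10.0.0.5 ylrvqxa.com NXDOMAIN
2024-05-01T10:00:03 10.0.0.5 bhgwnsoa.net NXDOMAIN
2024-05-01T10:00:03 10.0.0.5 tmjdqfu.com NOERROR
2024-05-01T10:00:04 10.0.0.7 www.example.com NOERROR
2024-05-01T10:00:05 10.0.0.7 mail.example.com NOERROR
2024-05-01T10:00:06 10.0.0.7 wwww.example.com NXDOMAIN
2024-05-01T10:00:07 10.0.0.9 cdn.example.net NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s`; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(name: str) -> str:
    """'www.example.com' -> 'example'. Good enough for this sketch; a real
    tool should use the public suffix list so 'foo.co.uk' yields 'foo'."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, client, name, rcode) from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, rcode = line.split()
        yield ts, client, name.lower(), rcode.upper()


def score_clients(text: str, min_nx: int = 5, min_ratio: float = 0.5) -> Dict[str, dict]:
    """Per-client stats; `suspect` is set when a client produced at least
    `min_nx` distinct NXDOMAIN names and at least `min_ratio` of its queries failed.

    Label entropy is reported for context only: on labels of 6..8 characters
    it barely separates random strings from ordinary words, so the NXDOMAIN
    churn is what the verdict rests on.
    """
    stats = defaultdict(lambda: {"total": 0, "nx_names": set(), "entropies": []})
    for _ts, client, name, rcode in parse_log(text):
        st = stats[client]
        st["total"] += 1
        if rcode == "NXDOMAIN":
            st["nx_names"].add(name)
        st["entropies"].append(shannon_entropy(second_level_label(name)))

    report = {}
    for client, st in stats.items():
        nx = len(st["nx_names"])
        ratio = nx / st["total"]
        report[client] = {
            "queries": st["total"],
            "unique_nxdomain": nx,
            "nx_ratio": round(ratio, 2),
            "mean_label_entropy": round(sum(st["entropies"]) / len(st["entropies"]), 2),
            "suspect": nx >= min_nx and ratio >= min_ratio,
        }
    return report


if __name__ == "__main__":
    for client, row in sorted(score_clients(SAMPLE_LOG).items()):
        print(client, row)
```

In production the same two counters are kept per client over a sliding window (minutes, not a whole log), and the names flagged this way are the ones worth feeding into the sinkhole rather than trying to hand-check every generated domain.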
Unfortunately, the goal of most botnet malware is to stay hidden, so a user may see no obvious sign that their computer is infected. Users are therefore encouraged to be careful with email attachments and with links they do not trust. For some of the largest known botnets, security companies offer a check of your public IP address against lists of known infected addresses. Beyond that, keeping antivirus software updated and installed software patched remains the best protection against the infections that bring a DGA with them, and on the network side, watching DNS logs for bursts of failed lookups of random-looking names is the most direct way to catch one already at work.