A Domain Generation Algorithm (DGA) is a routine built into malware that produces a large set of domain names in a predictable, deterministic way, usually from a seed such as the current date. Attackers developed DGAs so that malware can quickly generate a list of candidate domains for the servers that give it instructions and receive data from it (its "command and control" or C2 infrastructure). Because the attacker knows the same algorithm and seed, they can compute the same list ahead of time and register only the one or two domains they actually intend to use.
Attackers use DGAs so that they can switch the domains their malware contacts quickly, without pushing an update to infected machines. They do this because security vendors and registrars act quickly to block and take down malicious domains once they are identified; DGAs were developed specifically to counter these actions.
Taking down the infrastructure behind DGA-using malware is a challenge, because defenders have to work with registrars, hosting providers and ISPs to take down malicious domains one by one. Many DGAs produce hundreds or even thousands of candidate domains, and any given domain is often live for only a short period. In this environment, blocking and taking down DGA-related domains quickly becomes a game of "whack-a-mole" that is sometimes futile. The one advantage defenders have is that the algorithm is deterministic: once a sample has been reverse engineered, the domains it will generate can be computed in advance and blocked or sinkholed before the attacker gets to use them.
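To make the mechanism above concrete, here is an added example (not code from the original article, and not the algorithm of any real malware family) of a toy date-seeded DGA. It shows the three roles at once: the malware generating the day's candidate list, the operator registering just one of those names so the malware finds it, and a defender who, having recovered the rule and the baked-in secret from a sample, precomputes the coming week's candidates as a blocklist. The hashing rule, the secret `SHARED_SECRET`, the TLD list and the fixed date are all constructed for the example; a set of "registered" names stands in for DNS resolution.

```python
import hashlib
from datetime import date, timedelta
from typing import Optional

# Constructed toy DGA for illustration. The hashing rule, the secret and the
# TLD list are assumptions; no real malware family uses exactly this scheme.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org")
SHARED_SECRET = b"toy-dga-secret"  # hypothetical value baked into the malware


def generate_domains(day: date, count: int = 10,
                     secret: bytes = SHARED_SECRET) -> list:
    """Deterministically derive `count` candidate C2 domains for one day.

    The malware and its operator both know the rule and `secret`, so they
    compute the same list for the same day without ever communicating.
    """
    domains = []
    for i in range(count):
        # Hash date, index and secret; a different day gives an unrelated list.
        digest = hashlib.sha256(f"{day.isoformat()}|{i}|".encode() + secret).digest()
        # Map the first 12 hash bytes to lowercase letters, byte 12 to a TLD.
        label = "".join(ALPHABET[b % 26] for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def choose_c2(day: date, registered: set, count: int = 10) -> Optional[str]:
    """Malware side: walk the day's candidates in order and use the first one
    the operator has actually registered (a set stands in for DNS here)."""
    for candidate in generate_domains(day, count):
        if candidate in registered:
            return candidate
    return None  # nothing registered yet; retry later or on the next day


def precompute_blocklist(start: date, days: int, count: int = 10) -> set:
    """Defender side: once the algorithm and secret have been recovered from a
    sample, every future candidate can be computed and blocked in advance."""
    return {
        domain
        for offset in range(days)
        for domain in generate_domains(start + timedelta(days=offset), count)
    }


if __name__ == "__main__":
    today = date(2024, 1, 15)  # fixed date so the run is reproducible
    candidates = generate_domains(today)
    registered = {candidates[2]}  # operator registers only the third candidate
    print("today's candidates:", candidates)
    print("malware will contact:", choose_c2(today, registered))
    blocklist = precompute_blocklist(today, days=7)
    print("defender blocklist size:", len(blocklist))
    print("registered C2 blocked in advance:", candidates[2] in blocklist)
```

The point of `precompute_blocklist` is the practical counter to the "whack-a-mole" problem: takedown of individual domains is slow, but a deterministic generator hands the defender the same list the attacker has, so the blocking can move ahead of the registrations. Real families vary the seed (date, a hard-coded constant, even external data such as trending search terms) precisely to make this precomputation harder.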
Because a DGA is a technique that fuels malware attacks, the things you can do to help prevent malware infections in general also help prevent DGA-fueled malware attacks:
- Don’t open attachments that are unexpected or from unknown sources.
- Don’t enable macros on attached documents without confirming with the sender and your IT department that it is safe to do so.
- Run security software that can help prevent malware attacks.