Command and Control Machines
Botnets need to be delivered commands to do their owner’s bidding. The traditional way to pass commands to an infected machine is from a command and control (C&C) server. However this introduces a single point of failure, so if an infected machine has no other means of contacting its C&C server, it can cycle through the DGA created domains to try to regain contact. In essence it is a form of camouflage or obfuscation.
Bot herders are continuously coming up with a number of mechanisms to hide the location of the C&C servers, thus making the chain of command even more elusive. Spamhaus Technology DNS Firewall Threatfeeds (formerly named RPZ) use domain and IP reputation data from Spamhaus’ real-time threat intelligence data to protect users’ computers from connecting to harmful sites as soon as the domains are registered and before they can compromise users’ computers and harm your network.
Spamhaus adds DGA Domains to its DNS Firewall Threatfeeds (formerly RPZ)
Last Thursday Spamhaus Technology added DGA domains to the Spamhaus Technology Botnet C&C RPZ. This resulted in the RPZ increasing in size from around 500 entries to 1.2 million.
The DGA domain data is updated twice a day. Currently it contains DGA domains for a 7-day period: the current day and three days either side. Users of the Botnet C&C RPZ should expect a change of circa 15-30% in the DGA data every 24 hours. Given the nature of the DGA domains’ dataset customers should expect some churn as each new days’ worth of data is added and the earliest day’s worth of data is removed.
Whilst the increase in the RPZ entries would not have caused any issues for users of the Botnet C&C RPZ, we acknowledge that customers would prefer prior warning when planned alterations result in a large change to one of the zones. This has been noted and going forward we aim to now announce such changes at least 48 hours prior to initiating them. We apologise for any concerns and appreciate our customers’ feedback.