Avalanche / domains / registrars & registries

bzs at theworld.com bzs at theworld.com
Fri Dec 2 20:21:39 UTC 2016


FWIW one of the people involved in the takedown has reported that most
of the 800K domain names were DGA.

Here was my nutshell overview summary synopsis posted elsewhere:

DGA = Domain Generation Algorithm (term in wikipedia.)

So an infected bot and a C&C (command and control computer) have an
algorithm -- on the bot it's in the virus -- to generate seemingly
random domains using seeds such as the current date. Usually more
sophisticated but that's the idea, the goal is that both ends generate
the same seemingly random domain.

So they'll each generate for example xerv1dvm and attach it to a TLD,
it doesn't matter what, xerv1dvm.foo, or it could be .com or whatever.

They resolve it because they also infect the host's DNS resolver
software (or just inject their own, same thing) so it queries a
non-standard root server controlled by the attacker, could just be the
C&C computer, which will return an IP address for the infected bot to
use.

This set up allows these systems to change these parameters as often
as they like, every minute or less if needed tho that's probably not
necessary, every hour might do or even just once a day. Whatever it
takes to stay one step ahead of anyone seeking to interfere with them
such as law enforcement.

TL;DR: There needn't be any (accredited) registrars/registries involved.

-- 
        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


More information about the NANOG mailing list