Domain Generation Algorithms (DGA): Hiding in Noise

Updated Feb 13, 2026

A Domain Generation Algorithm (DGA) is a technique used by malware to periodically generate a large number of domain names that can serve as Command and Control (C2) rendezvous points. Instead of hardcoding a single domain (which can be easily blocked), the malware generates 1,000 domains a day, but only registers one.

Purpose and Core Idea

The goal is resilience. If security researchers block one domain, the malware automatically shifts to the next one in the sequence. To stop the botnet, defenders must predict the domains the malware will generate in the future.

Mini Case Study: Conficker

Conficker (2008) is the classic example of DGA at scale.

  • The Mechanism: The worm generated 50,000 pseudo-random domain names every day (e.g., qweqwe.com, asdasd.net) based on the system date.
  • The Defense: A global coalition of security researchers had to reverse engineer the algorithm. They pre-calculated the domains Conficker would generate for the next several months and registered them (sinkholing) before the attackers could, effectively cutting off the botnet's communication.
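To make the sinkholing step concrete, here is an added example (constructed for this entry; it is not Conficker's algorithm and not code from the original page) of a toy date-seeded generator together with the defender's pre-computation step. The family seed, alphabet, TLD rotation and per-day domain count are all assumptions. The point it shows is the one the case study relies on: once the algorithm and seed are recovered, a defender computes exactly the same future domain list the bot will, and can register or block it ahead of time.

```python
"""Toy date-seeded DGA plus the defender's pre-computation (constructed example)."""
import hashlib
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org", "info")   # assumed TLD rotation for the toy generator
SEED = b"toy-family-seed"             # assumed per-family constant (not Conficker's)


def generate_domains(day_iso: str, count: int = 10) -> list[str]:
    """Return the domains the toy DGA yields on `day_iso` (YYYY-MM-DD).

    The only inputs are the family seed, the date and a counter, so anyone who
    holds the recovered algorithm computes exactly the list the bot computes.
    """
    domains = []
    for i in range(count):
        material = SEED + day_iso.encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8                          # label length 8..15
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_schedule(start_iso: str, days: int, count: int = 10) -> dict[str, list[str]]:
    """Pre-compute every domain for `days` consecutive days starting at `start_iso`.

    The result, keyed by ISO date, is the list a defender would register
    (sinkhole) or push to a blocklist before the bots start resolving it.
    """
    start = date.fromisoformat(start_iso)
    schedule: dict[str, list[str]] = {}
    for d in range(days):
        day_iso = (start + timedelta(days=d)).isoformat()
        schedule[day_iso] = generate_domains(day_iso, count)
    return schedule


if __name__ == "__main__":
    for day_iso, doms in sinkhole_schedule("2026-02-13", 3).items():
        print(day_iso, doms[:3], "...")
```

Because the output depends only on the seed and the date, running `sinkhole_schedule` months ahead is exactly the "pre-calculate and register first" move the coalition made; a real family would use its own seed, alphabet and count, which is why reverse engineering the algorithm is the prerequisite.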

Usage in Real CTI Workflows

Detection of DGAs relies on statistical analysis (entropy). Legitimate domains like google.com have low entropy. DGA domains like xkvz-92-bq.com have high randomness. CTI analysts use Passive DNS data to identify these high-entropy clusters and block them proactively.
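An added example (not part of the original entry) of the entropy heuristic run over a constructed list of query names in the style of passive DNS output. It also shows the heuristic's limit: the short, repetitive labels from the Conficker example above (qweqwe.com, asdasd.net) score low on Shannon entropy and are missed, which is why analysts corroborate lexical scores with the clustering and resolution behaviour they see in passive DNS rather than blocking on entropy alone. Thresholds and the extra digit-ratio and vowel-ratio rules are assumptions chosen for illustration.

```python
"""Entropy-based DGA triage over constructed passive-DNS-style query names."""
import math
from collections import Counter

# Constructed sample, not real telemetry: a few legitimate names, the entry's
# own examples, and three labels with many distinct characters.
SAMPLE_QUERIES = [
    "google.com", "mail.google.com", "github.com", "en.wikipedia.org",
    "xkvz-92-bq.com", "qweqwe.com", "asdasd.net",
    "h7fk2pq9zl3mwv.com", "tz81qn4yk0xe.net", "b2vx9qm7lprk4.org",
]
VOWELS = set("aeiou")


def registered_label(domain: str) -> str:
    """Label left of the TLD (toy: assumes a one-label public suffix)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character of the label's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def lexical_features(label: str) -> dict[str, float]:
    """Entropy plus two cheap corroborating features."""
    letters = [c for c in label if c.isalpha()]
    return {
        "entropy": shannon_entropy(label),
        "length": float(len(label)),
        "digit_ratio": sum(c.isdigit() for c in label) / len(label) if label else 0.0,
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
    }


def is_dga_like(domain: str, entropy_threshold: float = 3.0) -> bool:
    """Flag a name whose registered label looks machine-generated.

    Entropy is the entry's heuristic; the digit-ratio and vowel-ratio rules
    (assumed thresholds) catch some low-entropy cases, but short repetitive
    labels such as qweqwe still pass, so treat this as a triage signal only.
    """
    label = registered_label(domain)
    if not label:
        return False
    f = lexical_features(label)
    return (
        f["entropy"] >= entropy_threshold
        or f["digit_ratio"] >= 0.25
        or (f["length"] >= 8 and f["vowel_ratio"] <= 0.15)
    )


def triage(domains: list[str]) -> list[str]:
    """Return the subset of `domains` worth an analyst's attention."""
    return [d for d in domains if is_dga_like(d)]


if __name__ == "__main__":
    for d in SAMPLE_QUERIES:
        print(f"{d:22s} H={shannon_entropy(registered_label(d)):.2f} flagged={is_dga_like(d)}")
```

Run on the sample list, the three high-character-variety labels and xkvz-92-bq.com are flagged while google, github and wikipedia are not; qweqwe.com and asdasd.net slip through with an entropy of only log2(3), which is the false-negative class a lexical score cannot close on its own.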

Relation to Other CTI Frameworks

DGA is a technique under "Dynamic Resolution" (T1568) in MITRE ATT&CK and serves to maintain the "Command and Control" phase of the Cyber Kill Chain.
