DNS Calculation

Information

• Name: DNS Calculation

• ID: T1568.003

• Tactics:

• Technique:

Introduction

DNS Calculation (T1568.003) is a sub-technique within the MITRE ATT&CK framework, categorized under the broader technique of Dynamic Resolution (T1568). Attackers leverage DNS Calculation to dynamically generate domain names algorithmically, enabling malware or command-and-control (C2) servers to evade detection and maintain persistent communication. This technique is commonly associated with Domain Generation Algorithms (DGAs), which periodically create new domain names based on predefined rules or algorithms, complicating detection and mitigation efforts.

Deep Dive Into Technique

DNS Calculation involves the use of Domain Generation Algorithms (DGAs) to periodically generate domain names that malware uses for command-and-control (C2) communication. Attackers implement DGAs to:

• Dynamically calculate domain names based on a predetermined algorithm or seed.

• Generate multiple domain names daily, weekly, or monthly, making it challenging for defenders to block or sinkhole malicious domains.

• Ensure resilience and redundancy by continuously rotating domains, mitigating the risk of losing access if a domain is blocked or taken down.

Technical mechanisms and execution methods typically include:

• Seed-based algorithms: Malware uses a seed (such as date, time, or other predictable inputs) to generate domain names deterministically.

• Pseudo-random domain generation: Algorithms produce seemingly random domain names, making them difficult to predict without reverse-engineering malware.

• Malware-embedded algorithms: Malware binaries contain embedded instructions for domain generation, allowing attackers to anticipate and register domains in advance.

• DNS queries: Malware continuously queries multiple generated domains until it finds an active C2 server controlled by the attacker.

Real-world procedures attackers follow include:

1. Infecting victim systems with malware containing a DGA.

2. Periodically generating new domains for communication.

3. Registering a subset of domains in advance to enable reliable C2 communication.

4. Rotating domains frequently to evade detection and blocking.

When this Technique is Usually Used

DNS Calculation is typically employed in various stages and scenarios of cyber-attacks, including:

• Initial Access and Persistence:

  • Malware infections that need resilient and persistent communication channels.

  • Botnets requiring continuous communication for updates and commands.

• Command-and-Control (C2) Communications:

  • Malware communicating with attacker-controlled infrastructure while avoiding static detection methods.

  • Advanced Persistent Threat (APT) groups maintaining covert and redundant communication channels.

• Evasion and Defense Bypassing:

  • Attackers attempting to bypass domain blocking, blacklisting, and detection mechanisms.

  • Threat actors avoiding sinkholing efforts by defenders.

• Long-term Operations:

  • Campaigns requiring sustained, reliable communication over extended periods.

  • Botnets and malware families that operate over months or years, continuously rotating domains.

How this Technique is Usually Detected

Detection methods for DNS Calculation typically involve a combination of network monitoring, behavioral analysis, and threat intelligence:

• Network Traffic Analysis:

  • Identifying abnormal DNS query patterns, such as large numbers of failed DNS lookups (NXDOMAIN responses).

  • Detecting periodic bursts of DNS queries to algorithmically generated, random-looking domains.

• Behavioral Detection:

  • Identifying endpoints performing DNS lookups at regular intervals or predictable patterns.

  • Machine learning-based anomaly detection to flag unusual DNS query behaviors.

• Threat Intelligence and Domain Reputation:

  • Leveraging threat intelligence feeds and DGA domain lists to identify known malicious domains.

  • Cross-referencing queried domains against known malware-associated DGAs.

• DNS Sinkholing and Monitoring:

  • Deploying DNS sinkholes to intercept and analyze traffic targeting algorithmically generated domains.

  • Monitoring DNS logs for unusual domain name patterns and query frequencies.

Indicators of Compromise (IoCs) associated with DNS Calculation include:

• High volume of DNS queries resulting in NXDOMAIN responses.

• Frequent querying of seemingly random domain names.

• Regular interval-based DNS queries from endpoints.

• Presence of known DGA patterns in DNS logs.

Why it is Important to Detect This Technique

Early detection of DNS Calculation is critical due to its significant impact on systems and networks:

• Persistent C2 Channels:

  • Enables attackers to maintain resilient and persistent communication channels with infected systems.

  • Makes remediation efforts significantly more challenging due to continuous domain rotation.

• Evasion of Traditional Defenses:

  • DGAs circumvent traditional domain blacklisting methods, reducing the effectiveness of static security controls.

  • Complicates network defense and incident response processes.

• Extended Malware Lifespan:

  • Malware leveraging DGAs can remain active for extended periods, increasing the risk of data exfiltration, espionage, or disruption.

  • Allows attackers to maintain long-term persistence and operational flexibility.

• Increased Risk to Sensitive Data:

  • Persistent, undetected malware channels increase the likelihood of successful data exfiltration and lateral movement.

  • Potential for significant financial, operational, and reputational damage to organizations.

Early detection and mitigation of DNS Calculation reduce the attacker's ability to maintain persistence, limit the scope of compromise, and significantly decrease potential impact.

Examples

Real-world examples of DNS Calculation usage include:

• Conficker Worm:

  • Utilized a sophisticated DGA to generate thousands of domain names daily.

  • Allowed attackers to maintain persistent C2 communication and evade sinkholing efforts.

  • Impact: Rapid spread across millions of systems globally, causing significant disruption and remediation challenges.

• Gameover Zeus (GOZ) Botnet:

  • Employed a DGA for robust and resilient command-and-control communication.

  • Continuously generated new domains, complicating detection and takedown efforts.

  • Impact: Enabled theft of millions of dollars through financial fraud and credential theft.

• Cryptolocker Ransomware:

  • Used DGAs to communicate with C2 servers, ensuring persistent access and evasion of security measures.

  • Periodically generated random domains for communication, complicating defense efforts.

  • Impact: Significant financial losses due to ransom payments and prolonged disruption of victim operations.

• Necurs Botnet:

  • Leveraged DGAs to maintain resilient C2 communication channels.

  • Continuously rotated domains, making it difficult for defenders to block or disrupt operations.

  • Impact: Enabled widespread spam campaigns, malware distribution, and financial fraud operations.

These examples demonstrate the widespread use, effectiveness, and potential impact of DNS Calculation as a sub-technique, underscoring the importance of robust detection and mitigation strategies.