In short, traditional DGAs are algorithms embedded in malware to generate an arbitrary number of potential command and control (C2) domains that the malware attempts to contact; the threat actor registers only a few of those domains.
Traditional DGAs are vulnerable to security researchers, who can reverse engineer the algorithm (and so precompute the domains it will generate) once malware samples become publicly available on platforms such as VirusTotal. Because only a few of the domains the malware attempts to contact are actually registered, an infected host produces an unusually high number of NXDOMAIN responses, which are easy to detect in DNS telemetry. By contrast, RDGAs are private algorithms that threat actors use to generate an arbitrary number of domains that they will register and use. As such, security researchers can only infer how an RDGA works from large-scale analysis of registered domains, and since all of the domains are registered, they don’t produce the distinctive pattern of NXDOMAIN responses that gives away a traditional DGA.
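The NXDOMAIN-ratio detection described above, and why it goes quiet against an RDGA, can be shown on a handful of DNS log lines. The following is an added example, not code from the original post or from any vendor product; the log format (client, query name, response code) and all three clients' queries are constructed for illustration, and the registrable-domain logic is a last-two-labels simplification that ignores the public suffix list.

```python
from collections import defaultdict

# Constructed sample DNS log: one line per query, "client qname rcode".
# 10.0.0.5 behaves like a traditional DGA client (mostly NXDOMAIN),
# 10.0.0.7 like an RDGA client (every dictionary-style domain resolves),
# 10.0.0.9 like an ordinary host with one typo. Not real telemetry.
SAMPLE_DNS_LOG = """\
10.0.0.5 xkqzplwmfa.com NXDOMAIN
10.0.0.5 bwruyhtqne.net NXDOMAIN
10.0.0.5 plokmijnuh.org NXDOMAIN
10.0.0.5 qazwsxedcr.info NXDOMAIN
10.0.0.5 zmxncbvalsk.com NXDOMAIN
10.0.0.5 rfvtgbyhnu.biz NXDOMAIN
10.0.0.5 uhbvgycftx.com NXDOMAIN
10.0.0.5 edcvfrtgbn.net NXDOMAIN
10.0.0.5 ijnuhbygvt.org NXDOMAIN
10.0.0.5 lkjhgfdsaq.com NOERROR
10.0.0.7 brightgardenshop.com NOERROR
10.0.0.7 silverriverdeals.net NOERROR
10.0.0.7 goldenharborlink.com NOERROR
10.0.0.7 quietvalleymart.org NOERROR
10.0.0.7 freshmountainbuy.com NOERROR
10.0.0.7 rapidcloudoffer.net NOERROR
10.0.0.7 happyforestsale.com NOERROR
10.0.0.7 calmoceanstore.org NOERROR
10.0.0.7 bluemeadowpick.com NOERROR
10.0.0.7 warmdesertshop.net NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 mail.example.com NOERROR
10.0.0.9 www.exmaple.com NXDOMAIN
10.0.0.9 cdn.example.net NOERROR
10.0.0.9 www.example.org NOERROR
10.0.0.9 api.example.com NOERROR
"""


def parse_dns_log(text):
    """Parse the constructed log format into (client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qname, rcode = line.split()
        records.append((client, qname.lower().rstrip("."), rcode.upper()))
    return records


def nxdomain_ratio_by_client(records, min_queries=5):
    """Fraction of each client's queries that returned NXDOMAIN.

    Clients with fewer than min_queries queries are skipped so that a
    single typo from a quiet host does not produce a ratio of 1.0.
    """
    counts = defaultdict(lambda: {"total": 0, "nx": 0})
    for client, _qname, rcode in records:
        counts[client]["total"] += 1
        if rcode == "NXDOMAIN":
            counts[client]["nx"] += 1
    return {
        client: c["nx"] / c["total"]
        for client, c in counts.items()
        if c["total"] >= min_queries
    }


def flag_dga_clients(records, threshold=0.5, min_queries=5):
    """Clients whose NXDOMAIN ratio meets the threshold: the classic DGA tell."""
    ratios = nxdomain_ratio_by_client(records, min_queries)
    return sorted(client for client, r in ratios.items() if r >= threshold)


def registrable_domain(qname):
    """Simplified: last two labels. A real detector would use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def distinct_resolving_domains(records):
    """Number of distinct registered (resolving) domains per client.

    This is the signal an RDGA leaves behind: many unique, successfully
    resolving domains, with no NXDOMAIN burst to trip the ratio check.
    """
    seen = defaultdict(set)
    for client, qname, rcode in records:
        if rcode == "NOERROR":
            seen[client].add(registrable_domain(qname))
    return {client: len(domains) for client, domains in seen.items()}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("NXDOMAIN ratios:", nxdomain_ratio_by_client(recs))
    print("Flagged by NXDOMAIN ratio:", flag_dga_clients(recs))
    print("Distinct resolving domains:", distinct_resolving_domains(recs))
```

Running this flags only 10.0.0.5: the RDGA-style client 10.0.0.7 has an NXDOMAIN ratio of zero and is invisible to the ratio check, even though it contacts ten unique registered domains in the same window. That is the practical consequence of the distinction drawn above: NXDOMAIN-based DGA detection does not transfer to RDGAs, and the remaining signal lives in the population of registered domains rather than in failed lookups.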
In the same way that the concept of dictionary DGAs (DDGAs) was introduced to distinguish algorithms that generate domains from real words rather than random characters, we’re using the concept of RDGAs to distinguish algorithms that threat actors use to privately register large numbers of domains from algorithms embedded in publicly available malware to make their C2 communications more difficult to disrupt.