Open SESAME: Fighting Botnets with Seed Reconstructions of Domain Generation Algorithms
Nils Weissgerber, Thorsten Jenke, Elmar Padilla, Lilli Bruckschen

TL;DR
SESAME is a system that automatically reconstructs seeds of Domain Generation Algorithms (DGAs) from observed domain names, enabling better detection and analysis of botnet communication without manual reverse engineering.
Contribution
It introduces the first automatic seed reconstruction module for DGAs, combining database and machine learning approaches to identify and analyze new and known DGAs from domain data.
Findings
Identified 17 DGAs from DNS data, including 4 previously unknown.
Demonstrated effectiveness of SESAME on 20.8 GB of DNS lookups.
Enabled automatic classification and seed reconstruction of DGAs.
Abstract
An important aspect of many botnets is their capability to generate pseudorandom domain names using Domain Generation Algorithms (DGAs). A cyber criminal can register such domains to establish periodically changing rendezvous points with the bots. DGAs make use of seeds to generate sets of domains. Seeds can easily be changed in order to generate entirely new groups of domains while using the same underlying algorithm. While this requires very little manual effort for an adversary, security specialists typically have to manually reverse engineer new malware strains to reconstruct the seeds. Only when both the seed and the DGA are known can past and future domains be generated, efficiently attributed, blocked, sinkholed or used for a take-down. Common counters in the literature consist of databases or Machine Learning (ML) based detectors to keep track of past and future domains of known DGAs…
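The abstract's central point is that a DGA is cheap to re-seed but, once the algorithm and seed are both known, a defender can enumerate every past and future domain for blocking or sinkholing. The following example is added here to make that concrete; it is not code from the paper or from SESAME. It uses a constructed toy DGA (`dga`, a date- and integer-seeded SHA-256 scheme that resembles no real malware family), a brute-force `reconstruct_seed` over a candidate seed range, and a `blocklist` helper that enumerates the domains a recovered seed will produce over the coming days. The candidate range and the sample seed 4242 are assumptions chosen for the demonstration.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA parameters; not taken from any real malware family.
TLDS = ("com", "net", "org")
DEMO_DAY = date(2024, 1, 1)          # sample observation day (constructed)


def dga(seed: int, day: date, count: int = 5) -> list[str]:
    """Toy date-seeded DGA: derives `count` domains from (seed, day, index).

    The seed is the only secret; the algorithm itself is assumed to be
    known to the defender (e.g. from a previous reverse-engineering effort).
    """
    domains = []
    for i in range(count):
        material = f"{seed}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).digest()
        # Map the first 12 digest bytes onto lowercase letters for the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def reconstruct_seed(observed: list[str], day: date,
                     candidate_seeds, count: int = 5):
    """Recover the seed that explains the observed domains, or None.

    This is the simplest form of seed reconstruction: search the candidate
    seed space and keep the first seed whose generated set covers every
    observed domain. It works because the algorithm is known; only the
    seed changed, which is exactly the cheap adversary move the abstract
    describes.
    """
    wanted = set(observed)
    for seed in candidate_seeds:
        if wanted <= set(dga(seed, day, count)):
            return seed
    return None


def blocklist(seed: int, start: date, days: int, count: int = 5) -> list[str]:
    """Enumerate all domains the recovered seed yields over `days` days.

    With seed and algorithm known, past and future rendezvous points can be
    generated ahead of time and handed to a blocklist or sinkhole.
    """
    found = set()
    for k in range(days):
        found.update(dga(seed, start + timedelta(days=k), count))
    return sorted(found)


if __name__ == "__main__":
    # Constructed scenario: a sensor saw two domains on DEMO_DAY that a
    # classifier flagged as this DGA family, but the seed is unknown.
    sighted = dga(4242, DEMO_DAY)[:2]
    seed = reconstruct_seed(sighted, DEMO_DAY, range(10_000))
    print("observed:", sighted)
    print("reconstructed seed:", seed)
    print("domains to block for the next 7 days:",
          len(blocklist(seed, DEMO_DAY, 7)))
```

The search here is exhaustive over a small integer space, which is enough to show the mechanism; the paper's contribution is doing this automatically and for many algorithms, combining a database of known DGAs with ML classification, rather than by a per-family brute force like this one.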
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting
