Malware developers are constantly shifting the goal posts in order to evade detection mechanisms. Part of this involves changing the domain names used to communicate with command and control servers and spread infections.
The latest trick identified by security company Seculert is the increasing use of Domain Generating Algorithms (DGAs).
The latest DGAs, like the one used by the Matsnu Trojan, can create domains made up of a noun, verb, noun, verb combination, continuing until the domain is 24 characters long. This is an attempt to bypass machine learning phonetic algorithms that look for domain names with no meaning.
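An added example, not from Seculert or the original article: a defender-side check that segments a domain label into dictionary words and flags the noun, verb, noun, verb pattern described above. The word lists, sample domains and function names are constructed for illustration and are not Matsnu's actual lexicon; the check assumes whole words and a label of at most 24 characters.

```python
from functools import lru_cache

# Constructed mini-lexicon for illustration only; NOT Matsnu's real word list.
NOUNS = {"garden", "window", "letter", "bridge", "market", "doctor", "river", "table"}
VERBS = {"carry", "build", "follow", "answer", "open", "bring", "paint", "watch"}

def segment(label):
    """Cover the whole label with lexicon words.

    Returns a tuple of (word, tag) pairs, tag "N" or "V", or None when
    some part of the label is not a known word.
    """
    @lru_cache(maxsize=None)
    def walk(i):
        if i == len(label):
            return ()
        for j in range(i + 1, len(label) + 1):
            word = label[i:j]
            tag = "N" if word in NOUNS else "V" if word in VERBS else None
            if tag:
                rest = walk(j)          # backtrack if the remainder cannot be covered
                if rest is not None:
                    return ((word, tag),) + rest
        return None
    return walk(0)

def looks_like_word_dga(domain, min_words=3, max_len=24):
    """True when the leftmost label is noun, verb, noun, verb ... within max_len."""
    # Assumption: the input is a registered domain, so the first label is the name.
    label = domain.lower().split(".")[0]
    parts = segment(label)
    if parts is None or len(parts) < min_words or len(label) > max_len:
        return False
    tags = "".join(tag for _, tag in parts)
    # Tags must strictly alternate and start with a noun.
    return tags[0] == "N" and all(a != b for a, b in zip(tags, tags[1:]))

def flag(domains):
    """Return the subset of domains that match the word-based pattern."""
    return [d for d in domains if looks_like_word_dga(d)]

# Constructed sample of names as they might appear in DNS query logs.
SAMPLE = ["gardencarrywindowbuild.com", "xj4k9qzt7wplm2vb.net",
          "doctorwatch.com", "carrygardenbuild.com"]

if __name__ == "__main__":
    print(flag(SAMPLE))
```

Legitimate names are also built from dictionary words, so a match is a triage signal to weigh alongside other DNS evidence, not a verdict.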
The latest variant of Matsnu with the new DGA was first seen in June 2014 and has been targeting mainly German speakers, with 89 percent of infected users being located in the DE domain region. It's thought to spread mainly via spam emails relating to shopping sites.
Seculert's research has also uncovered that Matsnu can have additional capabilities added to it through an extension, enabling it to think on its feet and adjust according to the obstacles in its way.
In addition, it lets the user set the number of domains they want to generate daily, as well as how many days in the past to reuse previously generated domains. It monitors the registry to ensure its run key is still present and renews it if it has been removed. Matsnu also contains its own built-in Uninstall function, allowing it to remove itself from systems.
There's more information about Matsnu and DGA malware on the Seculert blog.