This filter detects an NXDOMAIN response to a DNS query for a host name that appears to have been produced by a generic or unknown domain generation algorithm (DGA). An NXDOMAIN response means that the queried domain does not currently exist. A host issuing queries for non-existent, algorithmically generated names is a strong indicator that it has been compromised and is walking through its DGA's candidate list in an attempt to contact a C&C server and receive further instructions.
- What It Does
- This filter is effective at detecting hosts that have been compromised by an unknown or previously unseen malware family. Because a DGA-driven host typically issues many failing queries before one of its generated names resolves, the filter can be used to find and remediate infections before the host locates and communicates with a C&C server.
- What It Doesn't Do
- This filter will not prevent a host from becoming compromised in the first place; it is post-infection only. It is also not effective against malware that is already in communication with a C&C server: once a generated name resolves, the response is no longer NXDOMAIN and the filter has nothing to match. Note too that this filter only covers the DNS portion of communication with a C&C server; other parts of the chain such as HTTP, FTP, or other protocols are out of scope for this filter.
- Deployment Recommendations
- This filter has no known false positives or performance impact and can be safely enabled by default. If you want an even more conservative approach, it can be enabled with thresholding, so that an event is raised only after repeated matches from the same host within a given period; be aware that different malware families issue their DNS queries at different rates, so the threshold may need tuning. This filter is most effective when deployed with Trace enabled so that you can examine the host name that was queried and decide on further action from there.
- Examples
- True positives:
- tvjky3xzsmbxvpqgd.com
- zbjvpmtovtusimgw.com
- mzqdx.com
- False positives:
- none
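The following is an added illustration of the detection logic described above (the NXDOMAIN match, a "looks generated" score for the queried name, and the optional per-host thresholding from the deployment recommendations). It is not the filter's own implementation, which this page does not describe. The resolver log format, the point-based DGA heuristic, its thresholds, and the client addresses and timestamps in the sample log are all assumptions made for this example; the three NXDOMAIN names are the true positives listed above, and the benign and NOERROR lines are constructed to show what the filter must ignore.

```python
"""NXDOMAIN + DGA-looking-name detector run over constructed resolver log lines.

Added example; not the filter's own code. The log format and the scoring
heuristic below are assumptions made for illustration.
"""
import math
import re
from collections import defaultdict
from datetime import datetime

VOWELS = set("aeiou")  # assumption: 'y' is treated as a consonant

# Assumed log format: "<ISO-8601 time> <client IP> <qtype> <qname> <rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)

# Constructed sample log: the three true-positive names from this page plus
# a resolved benign name, a typo'd benign NXDOMAIN, and a generated name that
# resolved (NOERROR), which this filter deliberately does not alert on.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 A tvjky3xzsmbxvpqgd.com NXDOMAIN
2024-03-01T10:00:02Z 10.0.0.5 A zbjvpmtovtusimgw.com NXDOMAIN
2024-03-01T10:00:03Z 10.0.0.5 A mzqdx.com NXDOMAIN
2024-03-01T10:00:04Z 10.0.0.7 A www.example.com NOERROR
2024-03-01T10:00:05Z 10.0.0.7 A exmaple.com NXDOMAIN
2024-03-01T10:00:06Z 10.0.0.9 A zbjvpmtovtusimgw.com NOERROR
""".splitlines()


def shannon_entropy(s):
    """Bits of entropy per character of s (near-uniform strings score high)."""
    if not s:
        return 0.0
    counts = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def longest_consonant_run(label):
    """Longest run of consecutive consonant letters; vowels, digits and hyphens break it."""
    run = best = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def registrable_label(qname):
    """Label left of the TLD. Assumes single-label TLDs; a real deployment would
    consult the Public Suffix List to handle suffixes such as co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(label):
    """Heuristic 'looks generated' score for one DNS label (assumed weights)."""
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    n = len(label)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    run = longest_consonant_run(label)
    score = 0
    if n >= 5 and vowel_ratio < 0.15:
        score += 2  # almost no vowels: unpronounceable
    if run >= 5:
        score += 1
    if run >= 8:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1  # characters spread almost uniformly
    if n >= 12:
        score += 1
    if letters and 0 < digits < n:
        score += 1  # letters and digits interleaved
    return score


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def nxdomain_dga_events(lines, score_threshold=3):
    """Return (ts, client, qname, score) for NXDOMAIN answers to DGA-looking names.
    Any other rcode is ignored: a generated name that resolved means the C&C
    rendezvous already succeeded, which is outside this filter's scope."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        score = dga_score(registrable_label(rec["qname"]))
        if score >= score_threshold:
            events.append((rec["ts"], rec["client"], rec["qname"], score))
    return events


def thresholded_clients(events, min_hits, window_seconds):
    """Thresholding mode: clients with at least min_hits events inside any
    sliding window of window_seconds (tune both per malware family)."""
    by_client = defaultdict(list)
    for ts, client, _, _ in events:
        by_client[client].append(ts)
    flagged = set()
    for client, stamps in by_client.items():
        stamps.sort()
        for i in range(len(stamps) - min_hits + 1):
            if (stamps[i + min_hits - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    # Trace-style view: one line per hit, so the queried name can be reviewed.
    hits = nxdomain_dga_events(SAMPLE_LOG)
    for ts, client, qname, score in hits:
        print(f"{ts.isoformat()} {client} NXDOMAIN {qname} score={score}")
    print("thresholded (3 hits / 60 s):", thresholded_clients(hits, 3, 60))
```

Two points the sample log is meant to surface: the resolved generated name from 10.0.0.9 produces no event even though its label scores as generated, because the filter keys on NXDOMAIN, and the typo'd benign name from 10.0.0.7 produces no event because its label scores 0. The weak spot of a simple scorer like this one is short all-consonant labels such as acronyms, which is one reason to review hits with Trace before acting on them.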