How rotating and transferring IP addresses help cyber attackers

Law enforcement agencies all over the world are mounting an increased effort against cyber criminals, but they don’t appear to get very far. Two recent reports describe why: gangs are using technology to consistently and quickly alter Internet addresses.

Security reporter Brian Krebs now writes of a botnet of hacked computers all over the world that is effectively a criminal cloud hosting environment for a broad variety of activity, including hosting stolen credit card stores.

According to a tip from security vendor RiskAnalytics, the system changes the Internet address, or domain name server (DNS) record, of each website approximately every three minutes. In an evaluation Krebs did of one website, its DNS returned more than 1,000 unique addresses in a 12-hour span.
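
The rotation described above leaves a measurable trace in DNS logs: one name answering with many short-lived addresses spread over unrelated networks. The following Python detector is an added example, not code from the reports cited here; the thresholds, the /16 grouping used as a rough stand-in for network diversity, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import IPv4Address

WINDOW = timedelta(hours=12)  # observation span mentioned in the article
MIN_UNIQUE_IPS = 10           # assumed threshold; tune per environment
MIN_NETWORKS = 5              # assumed: distinct /16s as a proxy for unrelated networks
MAX_TTL = 300                 # assumed: flux records carry short TTLs (seconds)

def find_fast_flux(records):
    """records: iterable of (timestamp, qname, ipv4_answer, ttl) A-record observations.
    Returns {qname: (unique_ips, unique_slash16s)} for names that look like fast flux."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in records:
        if ttl <= MAX_TTL:  # long-lived records are not rotating
            by_name[qname.lower().rstrip(".")].append((ts, IPv4Address(ip)))
    flagged = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o[0])
        start, best = 0, (0, 0)
        for end in range(len(obs)):
            # Slide the window so it never spans more than WINDOW.
            while obs[end][0] - obs[start][0] > WINDOW:
                start += 1
            ips = {ip for _, ip in obs[start:end + 1]}
            nets = {int(ip) >> 16 for ip in ips}
            best = max(best, (len(ips), len(nets)))
        # Many addresses in one network looks like a CDN pool; many networks looks like flux.
        if best[0] >= MIN_UNIQUE_IPS and best[1] >= MIN_NETWORKS:
            flagged[name] = best
    return flagged

def sample_records():
    """Constructed observations: a flux name, a CDN-like name and a stable name."""
    t0 = datetime(2016, 5, 17)
    recs = []
    for i in range(40):
        ts = t0 + timedelta(minutes=3 * i)  # a new answer about every three minutes
        recs.append((ts, "shop.flux.example", f"10.{i}.0.{i + 1}", 150))
        recs.append((ts, "cdn.example", f"172.16.{i % 4}.{i + 1}", 60))
        recs.append((ts, "www.stable.example", "192.0.2.10", 3600))
    return recs

if __name__ == "__main__":
    for name, (ips, nets) in find_fast_flux(sample_records()).items():
        print(f"{name}: {ips} addresses across {nets} /16 networks")
```

On real traffic, replace the /16 grouping with an ASN lookup and keep an allowlist for known content delivery networks, which also rotate addresses quickly.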

Krebs quotes a RiskAnalytics official who estimates there are over 2,000 infected endpoints behind the botnet. It behaves, he said, “like a black market variation of Amazon Web Services.”

Gameover Zeus, for instance, created 1,000 domain names every day, or 365,000 in one year, says the report. Trying to block all these domain names is difficult for firewalls, network-filtering products and other security software.

DGAs “are a communicating system that is near perfect,” says the firm. “They’re simple to implement, hard to obstruct, virtually impossible to call in advance, and can be quickly changed if the formerly employed algorithm becomes understood.”

DGA authors use several techniques, the firm says. Another created domain names by randomly selecting two English words from a hardcoded list in the malware and joining them under the .net top-level domain (for example, theirjuly.net).

In many cases the words are broken, changed and padded with arbitrary characters, substantially raising the number of potential combinations and making detection considerably more difficult. The well-known Angler kit also uses a DGA.

By going after the registrars, law enforcement and government agencies have attempted to take control of top-level domains at the source, the report notes, but occasionally that doesn’t work.

Rather than looking for each DGA version individually, Cybereason says, security professionals and vendors should search for behaviours connected with DGAs. “Only finding a DGA incriminates a procedure as malicious since no valid procedure will use this type of technique,” says the firm.

by admin on May 17th, 2016 in IP Address
