Why do many DGA spyware domains have the same threat ID 109000001? What are these threat IDs starting with 10900xxxx?

Created On 04/15/20 17:47 PM - Last Modified 04/22/24 20:24 PM


Question


  • What are the threat IDs that start with 10900xxxx, for example 109000001, 109001001, 109001002, 109001003, and more?
  • Why do multiple spyware domains have the same threat ID, 109000001 or 109001001?


Environment


  • PAN-OS 9.0 or higher
  • Threat Prevention license
  • DNS Security license


Answer


  • Question: Why do multiple spyware domains have the same threat ID? For example, why do many DGA spyware domains match 109000001?
  • Answer: Domain generation algorithms (DGAs) are used by attackers to generate a large number of domains so that the active command and control (C2) server is hidden among many possible suspects. Most domains created by a DGA do not resolve to a valid IP address or host. Because such domains are not valid, are short-lived, and exist in massive numbers, assigning each one a unique threat ID would waste resources; they still need to be identified by a threat ID, however. For this reason, a single threat ID (TID), 109000001, indicates a spyware DGA domain.

 

  • Question: What are these DNS Security threat IDs that start with 10900xxxx, for example 109000001, 109001001, 109001002, 109001003, and more?
  • Answer: The DNS Security subscription introduced three new spyware signatures to provide real-time DNS protection.
    • Domain generation algorithms (DGAs): threat ID 109000001
      • DGAs use algorithms to generate fake domain names that flood the detection system and hide the actual malware command and control server. The generated domains are intended to fill up the malware database so that the real C2 servers stay hidden.
    • DNS Tunneling detection: threat ID 109001001
      • Attackers use DNS tunneling to encode the data of non-DNS programs and protocols within DNS queries and responses in order to smuggle data and files. An attacker can use tunneling to open a back channel or to remotely access files.
    • Real-Time DNS Detection: DNS Tunneling: threat ID 109001002
      • Signature delivered from the cloud.
    • Other DNS Security threat IDs:
      • C2: 109000002
      • Real-Time DNS Detection: DNS Infiltration: 109001003
      • Real-Time DNS Detection: NXNSAttack: 109010007
      • Real-Time DNS Detection: DNS Rebinding: 109010009
      • Grayware: 109002001, 109002002, 109010002, 109010005, 109010006
      • Grayware_dangling_domain: 109010008
      • Malware: 109002001
      • Real-Time DNS Detection: Compromised DNS: 109003001
      • Malware-ransomware: 109003002
      • Phishing: 109010001
      • Parked: 109010003
      • Proxy Avoidance and Anonymizers: 109010004
      • Dynamic DNS: 109020002
      • Newly Registered Domain: 109020001
      • Adtracking: 109004000
      • Real-Time DNS Detection: Wildcard Abuse: 109002001
      • Real-Time DNS Detection: Strategically Aged: 109002002


Additional Information


Question: For DGA domains, the threat log and the traffic log do not have a one-to-one mapping. For example, the traffic log shows 20 entries for DNS queries, but the threat log has only 5 or 6 entries for TID 10900001.
Answer: Threat logs are aggregated every five milliseconds. That means a single threat log entry (TID 109000001) is generated per five-millisecond interval, regardless of how many DGA detections occur within it.
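The following Python script is an added example and is not part of the Palo Alto Networks article or its products. It does two things the article describes: it looks up the DNS Security category for a threat ID using the ID list given above, and it shows why the traffic-log count of DGA lookups is higher than the threat-log count when detections are aggregated into five-millisecond intervals. The log lines, timestamps, domains and addresses are constructed, the log line format is a simplified one that is not the PAN-OS format, the "109xxxxxx" range check is an assumption, and the fixed-window bucketing starting at time zero is an assumption about how the aggregation is aligned (the article does not say).

```python
"""Added example (not part of the Palo Alto Networks article): look up the DNS
Security category for a threat ID from the list above, and reproduce the
traffic-log vs threat-log count difference that five-millisecond aggregation
causes for DGA detections. All log lines and timestamps below are constructed."""
from collections import Counter

# Threat-ID-to-category mapping copied from the article's list. The article lists
# 109002001 and 109002002 under more than one label; all labels are kept.
DNS_SECURITY_TIDS = {
    109000001: ["DGA"],
    109000002: ["C2"],
    109001001: ["DNS Tunneling"],
    109001002: ["Real-Time DNS Detection: DNS Tunneling"],
    109001003: ["Real-Time DNS Detection: DNS Infiltration"],
    109002001: ["Grayware", "Malware", "Real-Time DNS Detection: Wildcard Abuse"],
    109002002: ["Grayware", "Real-Time DNS Detection: Strategically Aged"],
    109003001: ["Real-Time DNS Detection: Compromised DNS"],
    109003002: ["Malware-ransomware"],
    109004000: ["Adtracking"],
    109010001: ["Phishing"],
    109010002: ["Grayware"],
    109010003: ["Parked"],
    109010004: ["Proxy Avoidance and Anonymizers"],
    109010005: ["Grayware"],
    109010006: ["Grayware"],
    109010007: ["Real-Time DNS Detection: NXNSAttack"],
    109010008: ["Grayware_dangling_domain"],
    109010009: ["Real-Time DNS Detection: DNS Rebinding"],
    109020001: ["Newly Registered Domain"],
    109020002: ["Dynamic DNS"],
}

# Assumption: every DNS Security threat ID is a nine-digit number starting with 109.
DNS_SECURITY_RANGE = range(109000000, 110000000)


def categorize(tid):
    """Return the category labels for a threat ID, ["unmapped DNS Security ID"]
    for an unlisted ID inside the DNS Security range, or None outside that range."""
    if tid not in DNS_SECURITY_RANGE:
        return None
    return DNS_SECURITY_TIDS.get(tid, ["unmapped DNS Security ID"])


def count_by_category(threat_log_lines):
    """Count threat-log lines per category. Each constructed line has the
    simplified form 'time,source,destination,domain,threat_id' (not the PAN-OS format)."""
    counts = Counter()
    for line in threat_log_lines:
        tid = int(line.rsplit(",", 1)[1])
        for label in categorize(tid) or ["non-DNS-Security"]:
            counts[label] += 1
    return counts


def expected_threat_entries(query_times_ms, window_ms=5):
    """Number of threat-log entries the article's aggregation would produce for
    DGA lookups seen at the given traffic-log timestamps (in milliseconds).
    Assumption: detections are bucketed into fixed windows of window_ms starting
    at time zero; the article does not state how the windows are aligned."""
    return len({t // window_ms for t in query_times_ms})


# Constructed threat-log lines in the simplified format used by count_by_category().
THREAT_LOG = [
    "2020/04/15 17:47:00.001,10.1.1.5,10.1.1.53,xk3jd9s.example,109000001",
    "2020/04/15 17:47:00.006,10.1.1.5,10.1.1.53,q0we2mn.example,109000001",
    "2020/04/15 17:47:00.020,10.1.1.8,10.1.1.53,tunnel.example,109001001",
    "2020/04/15 17:47:00.031,10.1.1.9,10.1.1.53,ddns.example,109020002",
]

# Constructed traffic-log timestamps (millisecond offsets) of 20 DGA DNS queries
# seen in one burst, mirroring the "20 traffic entries" case in the article.
TRAFFIC_DGA_QUERY_MS = [0, 1, 1, 2, 3, 4, 5, 6, 7, 12, 13,
                        20, 21, 22, 23, 24, 31, 40, 41, 42]

if __name__ == "__main__":
    print(count_by_category(THREAT_LOG))
    print(len(TRAFFIC_DGA_QUERY_MS), "traffic-log queries ->",
          expected_threat_entries(TRAFFIC_DGA_QUERY_MS), "threat-log entries")
```

Run as-is, the 20 constructed traffic-log queries fall into six five-millisecond windows, so the script reports six expected threat-log entries, which matches the "5 or 6 entries" the question describes. When reconciling the two logs in a SIEM, count DGA traffic-log DNS queries per interval rather than expecting one threat-log entry per query.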

For Unique Threat ID's that map to the different DNS Security Categories, please see here.
 


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPd1CAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail