DGA Domains with SSL Certificates? Why?
PUBLISHED IN CERT/CC Vulnerabilities

CertStream is a free service for getting information from the Certificate Transparency Log Network. I decided to investigate the presence of domains generated by Domain Generation Algorithms (DGA) in this stream, and I found some interesting phenomena.
Looking at the stream between July 1, 2018 and September 30, 2018, I found 698 DGA domains that had certificates. There were 10 DGA campaigns represented, and the distribution looks like this:
| DGA | Count |
|---|---|
| suppobox | 514 |
| virut | 67 |
| simda | 28 |
| nymaim | 27 |
| pykspa | 19 |
| pizd | 14 |
| banjori | 14 |
| matsnu | 13 |
| proslikefan | 1 |
| necurs | 1 |
Now, if we consider the delta between the first time the domain showed up in CertStream versus the day it was an active DGA domain:
| DGA | Total Domains | Average Number of Days Before Active DGA | Average Number of Days After Active DGA |
|---|---|---|---|
| suppobox | 514 | 130.834 | 25.8 |
| virut | 67 | 101.711 | 21.2 |
| simda | 28 | 227.857 | 0 |
| nymaim | 27 | 112.92 | 38 |
| pykspa | 19 | 77.786 | 11.6 |
| pizd | 14 | 223.077 | 9 |
| banjori | 14 | 234.5 | 0 |
| matsnu | 13 | 119.083 | 10 |
| proslikefan | 1 | 110 | 0 |
| necurs | 1 | 186 | 0 |
This doesn't mean much without the number of domains that showed up before or after, so that's summarized here:
| DGA | Total Domains | Number of Domains Before Active DGA | Number of Domains After Active DGA |
|---|---|---|---|
| suppobox | 514 | 494 | 20 |
| virut | 67 | 52 | 15 |
| simda | 28 | 28 | 1 |
| nymaim | 27 | 25 | 2 |
| pykspa | 19 | 14 | 5 |
| pizd | 14 | 13 | 1 |
| banjori | 14 | 14 | 1 |
| matsnu | 13 | 12 | 1 |
| proslikefan | 1 | 1 | 1 |
| necurs | 1 | 1 | 1 |
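The three tables above come from one join: the first date each domain appeared in a leaf certificate in CertStream, matched against a DGA feed that says which family a domain belongs to and on which day it was active, with the gap in days bucketed as "before" or "after". The script below is an added example, not the post's or CERT/CC's code, that performs that join on a constructed sample. The CertStream message layout it parses (`message_type`, `data.leaf_cert.all_domains`, `data.seen` as a Unix timestamp) is assumed from the public CertStream feed; the domain names, dates and the `DGA_FEED` mapping are invented for the example.

```python
"""Added example (not the post's own code): join constructed CertStream
messages with a constructed DGA feed and summarise, per family, the gap
between a domain's first certificate and the day it was an active DGA domain."""
import json
from collections import defaultdict
from datetime import date, datetime, time, timezone
from statistics import mean


def _msg(domains, seen):
    """Build one CertStream-style 'certificate_update' message. The field
    layout (data.leaf_cert.all_domains, data.seen as a Unix timestamp) is
    assumed from the public CertStream feed; the content is constructed."""
    ts = datetime.combine(seen, time(), tzinfo=timezone.utc).timestamp()
    return json.dumps({
        "message_type": "certificate_update",
        "data": {"update_type": "X509LogEntry",
                 "leaf_cert": {"all_domains": domains},
                 "seen": ts},
    })


# Constructed sample stream: names and dates are invented for this example.
CERTSTREAM_MESSAGES = [
    _msg(["quietbreak.example", "www.quietbreak.example"], date(2018, 7, 2)),
    _msg(["unrelated.example"], date(2018, 7, 5)),
    _msg(["fieldshade.example"], date(2018, 7, 10)),
    _msg(["*.quietbreak.example"], date(2018, 8, 15)),   # later cert, same domain
    json.dumps({"message_type": "heartbeat"}),           # non-certificate message
    _msg(["kqzvtxmpl.example"], date(2018, 9, 20)),
]

# Constructed DGA feed: domain -> (family, day the domain was an active DGA domain).
DGA_FEED = {
    "quietbreak.example": ("suppobox", date(2018, 8, 1)),   # cert 30 days before
    "fieldshade.example": ("suppobox", date(2018, 7, 1)),   # cert 9 days after
    "kqzvtxmpl.example":  ("virut",    date(2018, 9, 30)),  # cert 10 days before
    "notincert.example":  ("necurs",   date(2018, 8, 8)),   # never seen in the stream
}


def first_seen_by_domain(messages):
    """Return {domain: earliest UTC date the name appeared in a leaf certificate}."""
    first = {}
    for raw in messages:
        msg = json.loads(raw)
        if msg.get("message_type") != "certificate_update":
            continue                                   # skip heartbeats etc.
        data = msg["data"]
        seen = datetime.fromtimestamp(data["seen"], tz=timezone.utc).date()
        for name in data["leaf_cert"]["all_domains"]:
            name = name.lower()
            if name.startswith("*."):                  # wildcard -> registered name
                name = name[2:]
            if name not in first or seen < first[name]:
                first[name] = seen
    return first


def summarise(first_seen, dga_feed):
    """Per DGA family: total matched domains, how many had a certificate before
    (delta >= 0, same day counts as before) or after the active day, and the
    average gap in days for each group, as in the post's second and third tables."""
    groups = defaultdict(lambda: {"before": [], "after": []})
    for domain, (family, active) in dga_feed.items():
        if domain not in first_seen:
            continue                                   # DGA domain with no certificate
        delta = (active - first_seen[domain]).days
        bucket = "before" if delta >= 0 else "after"
        groups[family][bucket].append(abs(delta))
    summary = {}
    for family, g in groups.items():
        summary[family] = {
            "total": len(g["before"]) + len(g["after"]),
            "before": len(g["before"]),
            "after": len(g["after"]),
            "avg_days_before": round(mean(g["before"]), 3) if g["before"] else 0,
            "avg_days_after": round(mean(g["after"]), 3) if g["after"] else 0,
        }
    return summary


if __name__ == "__main__":
    rows = summarise(first_seen_by_domain(CERTSTREAM_MESSAGES), DGA_FEED)
    for family, row in rows.items():
        print(family, row)
```

Two choices matter for reproducing the post's numbers: only the earliest certificate per name is kept (re-issued and wildcard certificates for a domain already seen do not move it), and a domain whose certificate and active day coincide is counted as "before". Domains in the DGA feed that never appear in the stream are dropped rather than counted, which is why the totals are smaller than the feed.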
Of the 514 suppobox domains, 494 had certificates before they showed up as DGA domains. Is this worrisome?
To investigate that, I looked at the websites for all of the domains using wget. 111 of the domains didn't have functioning websites, 33 of the domains had 'for sale' websites, and the rest were functioning.
| DGA | Total Domains | Number of Domains with Active Websites |
|---|---|---|
| suppobox | 514 | 406 |
| virut | 67 | 56 |
| simda | 28 | 17 |
| nymaim | 27 | 23 |
| pykspa | 19 | 18 |
| pizd | 14 | 11 |
| banjori | 14 | 11 |
| matsnu | 13 | 11 |
| proslikefan | 1 | 1 |
| necurs | 1 | 0 |
These domains were pulled between July and September. The verification of the websites was made in October. It is possible that the 111 missing domains had functioning websites before the verification; we don't know.
We do know that DGA is usually used for ephemeral domains. The fact that these domains had certificates in CertStream does not change that, but it does make us wonder not only about the domains but about CertStream itself.
Are these legitimate websites or are they fronts for maliciousness? We don't know, unfortunately. The sites run the gamut from legitimate-looking pages to pages that are missing content entirely.
Without additional information, we are unfortunately left with more questions than answers.