Software Engineering Institute | Carnegie Mellon University

SEI Insights

CERT/CC Blog

Vulnerability Insights

DGA Domains with SSL Certificates? Why?

Posted on by in

CertStream is a free service for getting information from the Certificate Transparency Log Network. I decided to investigate the presence of domains generated by Domain Generation Algorithms (DGA) in this stream and I found some intersting phenomena.


Looking at the between the days of July 1, 2018 and September 30, 2018, I found 698 DGA domains that had certificates. There were 10 DGA campaigns represented and the distribution looks like:

DGACount
suppobox 514
virut 67
simda 28
nymaim 27
pykspa 19
pizd 14
banjori 14
matsu 13
proslikefan 1
necurs 1

Now, if we consider the delta between the first time the domain showed up in CertStream versus the day it was an active DGA domain:

DGATotal DomainsAverage Number of Days Before Active DGAAverage Number of Days After Active DGA
suppobox 514 130.834 25.8
virut 67 101.711 21.2
simda 28 227.857 0
nymaim 27 112.92 38
pykspa 19 77.786 11.6
pizd 14 223.077 9
banjori 14 234.5 0
matsnu 13 119.083 10
proslikefan 1 110 0
necurs 1 186 0


This doesn't mean much without the number of domains that showed up before or after, so that's summarized here:

DGATotal DomainsNumber of Domains Before Active DGANumber of Domains After Active DGA
suppobox 514 494 20
virut 67 52 15
simda 28 28 1
nymaim 27 25 2
pykspa 19 14 5
pizd 14 13 1
banjori 14 14 1
matsnu 13 12 1
proslikefan 1 1 1
necurs 1 1 1

Of the 514 suppobox domains, 494 had certificates before they showed up as DGA domains. Is this worrisome?

To investigate that, I looked at the websites for all of the domains using wget. 111 of the domains didn't have functioning websites, 33 of the domains had 'for sale' websites, and the rest were functioning.

DGATotal DomainsNumber of Domains with Active Websites
suppobox 514 406
virut 67 56
simba 28 17
nymaim 27 23
pykspa 19 18
pizd 14 11
banjori 14 11
matsnu 13 11
proslikefan 1 1
necurs 1 0

These domains were pulled between July and September. The verification of the domains was made in October. It is possible that the 111 missing domains had functioning domains before the verification, we don't know.

We do know that DGA is usually used for ephemeral domains. The fact that these domains had certificates in CertStream does not change that, but it does make us wonder not only about the domains but about CertStream itself.

Are these legitimate websites or are they fronts for maliciousness? We don't know, unfortunately. The sites run the gamut from the legitimate looking:

facerise.net.png

To the pages that are missing content entirely:

sweetmaster.net.png

Without additional information, we are unfortunately left with more questions than answers.

About the Author

Leigh Metcalf

Contact Leigh Metcalf
Visit the SEI Digital Library for other publications by Leigh
View other blog posts by Leigh Metcalf