Herald: So, who here saw the talk about politician-speak this morning? Nobody? Okay. Yeah, it was in German, so... maybe. I wanted to respond something to the people who did, but... yeah, apparently, now, talking gibberish in a human-understandable language is, you didn't hear about that today, but talking gibberish in electronic languages, you are probably familiar with that, so Ben here is a security researcher with Check Point, and he will talk to you today about DGAs, so, algorithms that produce gibberish, but they got a bit smarter in the past and he will tell you something about how to detect gibberish, which somebody, some people might want to have for politicians too, but you have to use reason for that, and he will give you an idea about how you can do that for DNS. Okay, give a warm round of applause for Ben here! And, let's begin.

Herzog: Is this thing on? It is. Okay, first things first, if this slide makes any amount of sense to you, then I'm sorry to have to tell you this, but you're probably a robot. So what's the good news, that's the bad news, the good news is you've come to the right lecture, because once this is done you'll be able to detect gibberish just like the rest of the humans, you'll be able to blend in and no one will know a thing.

So first I'm going to refresh your memory a bit about what a DGA is, and what the problem is that it was trying to solve. Let's look at a regular scenario, a basic scenario where a system has been infected with malware and it wants to converse with its command and control server. That's what malware does nowadays; in the past it may have just done its own thing without receiving any commands, but today, malware usually waits for commands and operates based on commands that it receives.
So, in this basic, usual scenario, the malware came with a built-in DNS address hardcoded, and the malware queries the DNS server with this hardcoded address and receives the response, this is the IP address of the C&C server. Now the infected system contacts the address, the rest of the Internet and the C&C server, the C&C server very excitedly responds "yes, I have another machine under my sway" and the connection is complete; now the infected system and the C&C server can converse.

So, all of this is fine and good, until one day, the powers that be, the, maybe ???, I don't know, they find out about all of this and they talk to the people in charge of the DNS server, that's probably ???, not necessarily, and they tell them, well, there's been this shady activity going on, and it's making use of your DNS servers, would you kindly make sure that it stops. And the people in charge of the DNS server do not want any trouble, so they remove the record pointing to the address of the C&C server, and now the infected system, just as before, makes the DNS query to the DNS server, and asks, okay, where is the IP address of my C&C server? And the DNS server basically responds, go fish. Now, the C&C server just stands there, fully functional, waiting to send commands, and it stands there, and it waits, and it waits, and it waits, and that's not very good for the campaign.