DGA (Domain Generation Algorithm) - malwares

I assume you are referencing this Wikipedia article for your info. Basically, the malware does not register the domain names, it just generates a list of possible domain names. The attacker registers domain names that are "possible" outputs of the DGA.

For example, if the DGA is something like:

    x = rand(10)
    domain = "xyz" + x + ".com"
    contact(domain)

Now, if the attacker registers xyz2.com, the bot has a 10% chance of generating the correct domain name to check in. Over the course of a few weeks, it is highly likely that, at some point, the infected machine will generate xyz2.com and contact the C2.

The point here is that the DGA just generates "potential" domain names, one of which will likely (at some point) connect to the attacker's C2.


Does Conficker really need 50000 working domains in order to contact the C&C server? Certainly not, a handful is sufficient. Conficker will try 50000 domains knowing that, somewhere in this list, it will find a responsive C&C server.

On the other side, can the authorities buy 50000 domains per day to block Conficker? Certainly not; here it would be too expensive.

Can the authorities block 50000 domains per day? Here too, this is not an option, since in this list there may be names already used for legitimate purposes.

50000 is just a value designed to create an asymmetry in the effort needed by the attackers and the defenders in favor of the attacker:

  • The attackers just have to create a handful of domains to get their job done,
  • The defenders have to scan dozens of thousands of possible domains in order to find the malicious ones.
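To make both answers concrete (the probabilistic rendezvous in the first, the 50000-versus-a-handful asymmetry in the second), here is an added simulation that is not part of either answer. The DGA in it is a hypothetical date-seeded construction of my own with a made-up seed, not Conficker's real algorithm, and all dates and counts are constructed values.

```python
import hashlib
import math
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

EXAMPLE_DAY = date(2024, 1, 15)  # constructed date for the demo


def dga_candidates(day: date, count: int, seed: bytes = b"example-seed") -> List[str]:
    """Deterministically derive `count` candidate domains for one calendar day.
    Hypothetical scheme: sha256(seed || ISO date || index) mapped to letters."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(label + ".com")
    return names


def simulate_handful(day: date, count: int, handful: int) -> Set[str]:
    """Only a handful of the day's candidates need to be live for the bot
    to rendezvous; pick fixed positions so the simulation is reproducible."""
    candidates = dga_candidates(day, count)
    step = max(1, count // handful)
    return set(candidates[step - 1::step][:handful])


def bot_checkin(day: date, count: int, live: Set[str]) -> Tuple[Optional[str], int]:
    """Walk the day's list like an infected host would, stopping at the first
    name that 'resolves' (here: is in the live set). Returns (domain, tries)."""
    for tries, name in enumerate(dga_candidates(day, count), start=1):
        if name in live:
            return name, tries
    return None, count


def defender_view(day: date, count: int, live: Set[str]) -> Dict[str, int]:
    """A defender who has reversed the DGA can regenerate the whole list to
    sinkhole or block it, but must process `count` names to cover `len(live)`."""
    candidates = dga_candidates(day, count)
    return {"to_process": len(candidates), "malicious": len(live & set(candidates))}


def days_until_contact(p_per_day: float, confidence: float) -> int:
    """Days until a bot with daily hit probability p_per_day has reached the
    given confidence of at least one C2 contact (first answer: p = 0.1)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - p_per_day))


if __name__ == "__main__":
    live = simulate_handful(EXAMPLE_DAY, 50000, 5)
    print(bot_checkin(EXAMPLE_DAY, 50000, live))
    print(defender_view(EXAMPLE_DAY, 50000, live))
    print(days_until_contact(0.1, 0.99))  # → 44
```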