More than 1.000.000 new users from Brazil today and growing. If you've just joined, check this out: https://t.co/x1haKyjvzQ— Telegram Messenger (@telegram) December 17, 2015
Well, this is similar to how ISPs block botnets. Botnets, the most common form of malware these days, have a command-channel back to the hacker that controls all the bots in the network. ISPs try to block the IP address and/or DNS name in order to block access to the botnet.
Botnets use two ways around this. One way is "fast-flux DNS", where something like "www.whatsapp.com" changes its IP address every few minutes. This produces too many IP addresses for ISPs to block. WhatsApp can keep spinning up new cloud instances at places like Amazon Web Services or Rackspace faster than ISPs can play whack-a-mole.
But ISPs can also block the domain name itself, instead of the IP address. Therefore, an app can also choose to use a "domain generation algorithm" or "domain flux". This generates a new domain name based on the current time, which changes several times per day. Names will be something like "8sh83qns3azz4d.com", using a predictable, but "pseudo-random" algorithm. This would generate too many names for ISPs to block, assume the algorithm was public. However, in practice, in situations like this, the ISPs wouldn't know the algorithm, so therefore, wouldn't know the list of names they needed to block.
The cool thing is that companies like WhatsApp can deploy such measures in their software really easily. but not tell anybody. The first time a government like Brazil tried to punish them, the ISPs would mysteriously fail at blocking the app. It would take days of research for anybody to figure out why.
This highlights two important points.
The first is that "governments", not just "hackers", need to be part of your threat model when developing apps/services. The second is that evil "malware" or "viruses" is often indistinguishable from good software. That's what things like the Wassenaar Arms Control export restrictions are doomed to fail, because it's impossible for regulations to clarify the difference.
Note: Apparently the court order specified 'whatsapp.com', 'whatsapp.net', all subdomains, and IP addresses used by those domains.