Researchers from Narus and Texas A&M University have worked together to develop techniques for detecting domain-fluxing botnets, the tricky machines that spew out domain names to avoid detection.
Security researchers have developed a new method for finding botnets that constantly change domain names to avoid detection.
The technique, developed by a team of security researchers from Texas A&M University and security startup Narus, looks at the pattern and distribution of letters in a domain name, according to the research paper available online. This lets the researchers separate algorithmically generated names, which are potentially malicious, from other domains, according to the paper.
The method analyzes DNS traffic to detect if and when domain names are being generated algorithmically, the researchers wrote. Since the technique can detect previously unknown botnets by analyzing a small fraction of the network traffic with "minimal false positives," it is easily scalable to large networks, according to the paper.
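The letter-distribution idea described in the two paragraphs above, as an added example that is not code from the paper, the article or the research team: it builds a smoothed single-character frequency profile for a group of queried names, compares it against a profile built from benign-looking names using Kullback-Leibler divergence, and flags groups that diverge strongly. The KL measure and its 0.4-nat threshold are my own simplification of "pattern and distribution of letters" rather than the paper's actual metrics, and every domain list below is constructed sample data, not traffic from the study.

```python
"""Flag groups of DNS names whose letter distribution diverges from benign names.

Simplified illustration of the letter-distribution idea: KL divergence between a
group's smoothed unigram character distribution and a benign baseline. This is
not the paper's exact method, and all domain lists here are constructed samples.
"""
import math
from collections import Counter

# Characters allowed in a DNS label; a fixed support keeps every distribution comparable.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"

# Constructed benign-looking names used as the baseline profile (assumption, not study data).
BENIGN_BASELINE = [
    "weatherreport.example", "onlinebanking.example", "universitylibrary.example",
    "travelguide.example", "musicstore.example", "sportsnews.example",
    "healthclinic.example", "schooldistrict.example", "bookshop.example",
    "citycouncil.example", "gardencenter.example", "photoalbum.example",
    "recipebox.example", "hotelbooking.example", "carrental.example", "jobsearch.example",
]

# Constructed groups to score: one benign-looking, one resembling random-string DGA output.
BENIGN_GROUP = [
    "flowershop.example", "localnews.example", "moviereviews.example", "kitchenware.example",
    "petsupplies.example", "homerepair.example", "fitnessclub.example", "artgallery.example",
]
RANDOM_GROUP = [
    "x7q2zk9vb3nw1pfd.example", "r4tq8mxj0zc6yvhb.example", "k9wl3ps7uqe2vjnz.example",
    "a5mz8dtc1oqy4xhr.example", "j2vk7gnq5bsx9lwe.example", "w6bq1xzr8ymc3tuk.example",
    "p3hv9jfq2nxl7dsz.example", "u8zq4ktw6rmv0cyb.example",
]

KL_THRESHOLD = 0.4  # nats; chosen for this illustration, not taken from the paper


def second_level_label(domain: str) -> str:
    """Return the label left of the TLD (naive: drops only the last label)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def char_distribution(labels):
    """Add-one smoothed unigram distribution over ALPHABET for a group of labels.

    Smoothing gives every symbol non-zero mass, so the divergence below is finite
    even when a character never occurs in one of the two groups.
    """
    counts = Counter()
    for label in labels:
        counts.update(ch for ch in label.lower() if ch in ALPHABET)
    total = sum(counts.values()) + len(ALPHABET)
    return {ch: (counts[ch] + 1) / total for ch in ALPHABET}


def kl_divergence(p, q):
    """D_KL(P || Q) in nats; both dicts share the ALPHABET support, so no zero terms."""
    return sum(p[ch] * math.log(p[ch] / q[ch]) for ch in ALPHABET)


def score_group(domains, baseline=BENIGN_BASELINE):
    """Divergence of a candidate group's letter profile from the benign baseline."""
    candidate = char_distribution(second_level_label(d) for d in domains)
    reference = char_distribution(second_level_label(d) for d in baseline)
    return kl_divergence(candidate, reference)


def looks_algorithmic(domains, threshold=KL_THRESHOLD):
    """True when the group's letter distribution is far from benign names."""
    return score_group(domains) > threshold


if __name__ == "__main__":
    for name, group in (("benign", BENIGN_GROUP), ("random", RANDOM_GROUP)):
        print(f"{name:7s} KL={score_group(group):.3f} flagged={looks_algorithmic(group)}")
```

The random-string group scores far above the threshold because digits and letters such as q, x and z, which are rare in the benign baseline, carry much of its mass. A single-character test like this says nothing about names built by joining dictionary words, which the article reports one of the discovered botnets did; distinguishing those needs measures beyond letter frequency, which this example does not attempt.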
Researchers used network traffic collected from more than 100 router links at a Tier-1 Internet service provider in Asia, containing about 270,000 DNS name server replies. The team also analyzed a "reverse DNS crawl" of the entire IPv4 address space to obtain a list of domain names and corresponding IP addresses, as well as a list of domain names that have ever been generated by Conficker, Torpig and Kraken, the paper said.
At the moment, botnet researchers have to reverse-engineer the bot malware to figure out the domain names that were generated before they can trace the path back to the C&C servers providing instructions to the botnet. The reverse-engineering gives vendors the exact algorithm being used to generate the names. This would be useful to the security team until the botnet owner patches his bots with a new algorithm, the researchers wrote.
Domain-fluxing bots generate random domain names at regular intervals in large numbers to hide their tracks. Conficker, Kraken and Torpig all use DNS domain-fluxing to hide their command and control servers. The economics work out in the botnet owner's favor, as they have to register only one or a few domains, but the security vendor has to register them all, just in case.
This was both resource- and time-intensive, the researchers argued.
The Conficker-A variant generated 250 domains every three hours using the current date and time as the seed value in order to make it difficult for vendors to pre-register domain names. The Conficker-C version randomly generated 50,000 domain names per bot. The seeds ensured all the bots generated the same domain names every day, according to researchers.
Torpig bots generated new domain names using a random string generator and a seed based on the most popular trending topic on Twitter, the researchers wrote in the report. Kraken has a much more sophisticated random word generator and constructs words that sound like English, combined with a string randomly selected from a pool of common English nouns, verbs, and adjective and adverb suffixes, such as -able, -dom, -hood, -ment, -ship or -ly, according to the report.
Another botnet anti-detection technique is IP fast-flux, a round-robin method where malicious websites are constantly rotated across several IP addresses and change their DNS records. The new method allegedly uncovered two new botnets this way, according to the paper. One randomly generated 57-character-long domain names, and the other randomly concatenated two dictionary words to generate new names, the researchers wrote.
The paper is available from a personal site belonging to Supranamaya Ranjan, a Narus research scientist who worked with the Texas A&M team including Narasimha Reddy, who works in the university's Department of Electrical and Computer Engineering, and students Sandeep Yadav and Ashwath Reddy.