Domain-Flux Botnets Leave a Detectable Algorithm Trail: Research Paper

Researchers from Narus and Texas A&M University have worked together to develop techniques for detecting domain-fluxing botnets, the tricky machines that spew out domain names to avoid detection.

Security researchers have developed a new method for finding botnets that constantly change domain names to avoid detection.

The technique, developed by a team of security researchers from Texas A&M University and security startup Narus, looks at the pattern and distribution of letters in a domain name, according to the research paper available online. This lets researchers distinguish algorithmically generated names, which are potentially malicious, from other domains, the paper said.

The method analyzes DNS traffic to detect if and when domain names are being generated algorithmically, the researchers wrote. Since the technique can detect previously unknown botnets by analyzing only a small fraction of the network traffic with "minimal false positives," it scales easily to large networks, according to the paper.
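The letter-distribution comparison described above, as an added illustration that is not the paper's own code: it learns a unigram character distribution from a constructed list of known-good domain labels and scores a held-out group of labels by its Jensen-Shannon divergence from that baseline, one of the divergence measures the paper applies (the paper also uses bigram distributions and edit distance). The label lists, the smoothing value and the 0.15 threshold are assumptions for the demonstration; a unigram score alone says little about names built from real dictionary words, which look English-like at the letter level.

```python
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Constructed stand-in for the paper's list of known-good (non-algorithmic)
# second-level domain labels; a real deployment would train on far more.
GOOD_LABELS = [
    "google", "wikipedia", "amazon", "facebook", "twitter", "youtube", "reddit",
    "netflix", "microsoft", "apple", "university", "research", "network",
    "security", "library", "weather", "travel", "finance", "health", "music",
]
# Constructed held-out groups: one benign, one resembling random-string names.
BENIGN_TEST = ["cooking", "gardening", "history", "science", "market", "photo", "sports", "news"]
RANDOM_TEST = ["xkq7zv2pl", "qwm3nbz8h", "zpl9kqvx", "bvq4wtzj", "hjx8qzp", "kqz3vbx", "wzq9jxk", "pqx7vzn"]

def unigram_distribution(labels, smoothing=0.5):
    """Frequency of each alphabet character across a group of labels. Additive
    smoothing keeps every probability non-zero so the divergences stay finite."""
    counts = Counter(ch for label in labels for ch in label.lower() if ch in ALPHABET)
    total = sum(counts.values()) + smoothing * len(ALPHABET)
    return {ch: (counts[ch] + smoothing) / total for ch in ALPHABET}

def kl_divergence(p, q):
    return sum(p[ch] * math.log(p[ch] / q[ch]) for ch in ALPHABET)

def js_divergence(p, q):
    """Symmetric, bounded (0 .. ln 2) form of KL, so one threshold works
    whichever side is the baseline."""
    m = {ch: 0.5 * (p[ch] + q[ch]) for ch in ALPHABET}
    return 0.5 * kl_divergence(p, m) + 0.5 * kl_divergence(q, m)

def score_group(labels, baseline):
    """Divergence of a group's letter distribution from the benign baseline."""
    return js_divergence(unigram_distribution(labels), baseline)

def flag_group(labels, baseline, threshold=0.15):
    """True when the group looks algorithmically generated. The threshold is a
    placeholder assumption; the paper tunes it on labelled traffic."""
    return score_group(labels, baseline) > threshold

BASELINE = unigram_distribution(GOOD_LABELS)

if __name__ == "__main__":
    for name, group in (("benign", BENIGN_TEST), ("random", RANDOM_TEST)):
        print(f"{name}: JS divergence {score_group(group, BASELINE):.3f}")
```

The paper scores groups of names seen in DNS traffic (for example, all names resolving to one IP address) rather than single names, since a distribution estimated from one label is too noisy to compare.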

Researchers used network traffic collected from more than 100 router links at a Tier-1 Internet service provider in Asia, containing about 270,000 DNS name server replies. The team also analyzed a "reverse DNS crawl" of the entire IPv4 address space to obtain a list of domain names and corresponding IP addresses as well as a list of domain names that have ever been generated by Conficker, Torpig and Kraken, the paper said.

At the moment, botnet researchers have to reverse-engineer the bot malware to figure out the domain names that were generated before they can trace the path back to the C&C servers providing instructions to the botnet. The reverse-engineering gives vendors the exact algorithm being used to generate the names. This helps the security team only until the botnet owner patches his bots with a new algorithm, the researchers wrote.

Domain-fluxing bots generate large numbers of random domain names at regular intervals to hide their tracks. Conficker, Kraken and Torpig all use DNS domain-fluxing to hide their command and control servers. The economics work out in the botnet owner's favor: the owner has to register only one or a few of the domains, but the security vendor has to register them all, just in case.

That is both resource- and time-intensive, the researchers argued.

The Conficker-A variant generated 250 domains every three hours using the current date and time as the seed value in order to make it difficult for vendors to pre-register domain names. The Conficker-C version randomly generated 50,000 domain names per bot. The seeds ensured all the bots generated the same domain names every day, according to researchers.

Torpig bots generated new domain names using a random string generator and a seed based on the most popular trending topic on Twitter, the researchers wrote in the report. Kraken has a much more sophisticated random word generator: it constructs words that sound like English by combining a string randomly selected from a pool of common English nouns, verbs and adjectives with adverb or adjective suffixes such as -able, -dom, -hood, -ment, -ship or -ly, according to the report.

Another botnet anti-detection technique is IP fast-flux, a round-robin method in which malicious websites are constantly rotated across several IP addresses and change their DNS records. The new method also allegedly uncovered two previously unknown botnets, according to the paper. One randomly generated 57-character-long domain names, and the other randomly concatenated two dictionary words to generate new names, the researchers wrote.

The paper is available from a personal site belonging to Supranamaya Ranjan, a Narus research scientist who worked with the Texas A&M team, including Narasimha Reddy, who works in the university's Department of Electrical and Computer Engineering, and students Sandeep Yadav and Ashwath Reddy.