Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • Development
    • Networking

    Domain-Flux Botnets Leave a Detectable Algorithm Trail: Research Paper

    By
    Fahmida Y. Rashid
    -
    March 31, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Security researchers have developed a new method for finding botnets that constantly change domain names to avoid detection.

      The technique developed by a team of security researchers from Texas A&M University and security startup Narus looked at the pattern and distribution of letters in a domain name, according to the research paper available online. This process allowed researchers to identify algorithmetically generated names, which are potentially malicious, from other domains, according to the paper.

      The method analyzes DNS traffic to detect if and when domain names are being generated algorithmically, the researchers wrote. Since technique can detect previously unknown botnets by analyzing a small fraction of the network traffic with “minimal false positives,” it is easily scalable to large networks, according to the paper.

      Researchers used network traffic collected from more than 100 router links at a Tier-1 Internet service provider in Asia, containing about 270,000 DNS name server replies. The team also analyzed a “reverse DNS crawl” of the entire IPv4 address space to obtain a list of domain names and corresponding IP addresses as well as a list of domain names that have ever been generated by Conficker, Torpig and Kraken, the paper said.

      At the moment, botnet researchers have to reverse-engineer the bot malware to figure out the domain names that were generated before they can trace the path back to the C&C servers providing instructions to the botnet. The reverse-engineering gives vendors the exact algorithm being used to generate the names. This would be useful to the security team until the botnet owner patches his bots with a new algorithm, the researchers wrote.

      Domain-fluxing bots generate random domain names in regular intervals in large numbers to hide their tracks. Conficker, Kraken and Torpig all use DNS domain-fluxing to hide their command and control servers. The economics work out in the botnet owner’s favor, as they have to register one or a few domains, but the security vendor has to register them all, just in case.

      This was both resource- and time-intensive, the researchers argued.

      The Conficker-A variant generated 250 domains every three hours using the current date and time as the seed value in order to make it difficult for vendors to pre-register domain names. The Conficker-C version randomly generated 50,000 domain names per bot. The seeds ensured all the bots generated the same domain names every day, according to researchers.

      Torpig bots generated new domain names, a random string generator and a seed based on the most popular trending topic on Twitter, the researchers wrote in the report. Kraken has a much more sophisticated random word generator and constructs words that sound like English, combined with a string randomly selected from a pool of common English nouns, verbs, and adjective and adverb suffixes, such as -able, -dom, -hood, -ment, -ship or -ly, according to the report.

      Another botnet anti-detection technique is IP fast-flux, a round-robin method where malicious Websites are constantly rotated across several IP addresses and change their DNS records. The new method allegedly uncovered two new botnets this way, according to the paper. One randomly generated 57-character-long domain names, and the other randomly concatenated two dictionary words to generate new names, the researchers wrote.

      The paper is available from a personal site belonging to Supranamaya Ranjan, a Narus research scientist who worked with the Texas A&M team including Narasimha Reddy, who works in the University’s Department of Electrical and Computer Engineering, and students Sandeep Yadav and Ashwath Redd.

      Fahmida Y. Rashid
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×