New method finds botnets that hide behind changing domains
Researchers at Texas A&M University believe they have a new way of fighting domain-fluxing botnets
By Joan Goodchild, Senior Editor
March 28, 2011 — CSO —
Researchers at Texas A&M University say they have a new method for finding domain-fluxing botnets, which evade detection by constantly alternating domain names.
Dr. Narasimha Reddy, who works in the university's Department of Electrical and Computer Engineering, collaborated with student Sandeep Yadav and Ashwath Reddy, as well as with Supranamaya "Soups" Ranjan of Narus Inc., to develop the new method. It can be used to detect botnets like Conficker, Kraken and Torpig, which use so-called DNS domain fluxing for their command-and-control infrastructure.
Domain-fluxing bots generate random domain names; a bot queries a series of domain names, but the domain owner registers just one. As an example, the research points to Conficker-A, which generated 250 domains every three hours. In order to make it harder for a security vendor to pre-register the domain names, the next version, Conficker-C, increased the number of randomly generated domain names per bot to 50,000.
The research also finds Torpig bots "employ an interesting trick where the seed for the random string generator is based on one of the most popular trending topics in Twitter." Kraken, according to the report, employs a much more sophisticated random word generator and constructs English-like words with properly matched vowels and consonants. The randomly generated word is combined with a suffix chosen randomly from a pool of common English noun, verb, adjective and adverb suffixes, the researchers said.
Current detection methods require botnet researchers to reverse-engineer the bot malware and figure out the domains that are generated on a regular basis in order to get to the C&C. Security vendors have to pre-register all the domains that a bot queries every day, even before the botnet owner registers them. It's a time-intensive process, researchers argue in their report.
Texas A&M officials say Reddy's method looks at the pattern and distribution of alphabetic characters in a domain name to determine whether it's malicious or legitimate. This allows them to spot botnets' algorithmically generated domain names.
"Our method analyzes only DNS traffic and hence is easily scalable to large networks," said Reddy. "It can detect previously unknown botnets by analyzing a small fraction of the network traffic."
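The following sketch is an added example, not the researchers' code, of how the letter distribution of queried names can separate algorithmically generated domains from ordinary ones. It assumes a per-client grouping of DNS queries, an English letter-frequency table as the benign model, and a uniform-random model for generated names; the function names and sample data are constructed for illustration.

```python
import math
from collections import defaultdict

# Assumption: English letter frequencies (percent) stand in for a benign model
# that would normally be trained on known-good domain names.
BENIGN_PCT = dict(zip("abcdefghijklmnopqrstuvwxyz", [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]))
_TOTAL = sum(BENIGN_PCT.values())
# Per-letter log-likelihood ratio: uniform-random model vs. benign model.
LLR = {c: math.log((1 / 26) / (p / _TOTAL)) for c, p in BENIGN_PCT.items()}

def second_level_label(qname):
    """'www.example.com.' -> 'example' (naive: ignores suffixes such as co.uk)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def group_score(qnames):
    """Mean per-letter LLR for a group of names. It equals
    KL(p||benign) - KL(p||uniform) for the group's letter distribution p,
    so > 0 means the letters look more random than benign."""
    letters = [c for q in qnames for c in second_level_label(q) if c in LLR]
    return sum(LLR[c] for c in letters) / len(letters) if letters else 0.0

def flag_clients(queries, min_names=3):
    """Group (client, qname) pairs by client; return {client: score} for
    clients whose queried names score above zero."""
    groups = defaultdict(set)
    for client, qname in queries:
        groups[client].add(qname)
    scored = {c: group_score(n) for c, n in groups.items() if len(n) >= min_names}
    return {c: round(s, 3) for c, s in scored.items() if s > 0}

# Constructed sample queries (documentation addresses, made-up names).
SAMPLE = [
    ("192.0.2.10", "citylibrary.org"), ("192.0.2.10", "northbank.com"),
    ("192.0.2.10", "greenhouse.net"), ("192.0.2.10", "studentportal.edu"),
    ("192.0.2.10", "dailynews.com"),
    ("192.0.2.23", "wqxkzpafvh.info"), ("192.0.2.23", "jbmzrqyoxd.biz"),
    ("192.0.2.23", "ktnxvgjwuc.org"),
]

if __name__ == "__main__":
    print(flag_clients(SAMPLE))
```

A single-letter score like this only separates names whose letters are close to uniformly random. Generators that build names from dictionary words or pronounceable syllables have letter distributions near the benign model and need additional features.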
Botnets using both IP fast-flux and domain fast-flux can also be detected by the proposed technique, according to Reddy. IP fast-flux is a round-robin method where malicious websites are constantly rotated across several IP addresses, changing their DNS records to prevent their discovery by researchers, ISPs or law enforcement. Using the new detection method, the researchers discovered two new botnets. One generates 57-character-long random names, and the second generates names by concatenating two dictionary words.
CERT, a nationwide network security coordination lab based at Carnegie Mellon University, is building a tool based on Reddy's technique and plans to distribute it for public use.