DNS agility leads to botnet detection

Online criminals have evolved their tactics to harden their botnets against takedown, using techniques such as fast-flux networks and Conficker-like dynamic domain generation. Yet those same techniques can also reveal when bot operators are building such networks, according to research from the Georgia Institute of Technology.

The research found that dynamically detecting changes in the domain name system (DNS) can lead to the early detection of botnets. When bot masters create the infrastructure for a botnet, the reputation of the domain names they register can tip off defenders. In two papers, one released last year (PDF) and one to be published in September, GATech researchers found that they can detect anomalies in the domain name system indicative of botnets, and have documented recognition rates greater than 98 percent.

Also see "The botnet hunters"

Monday, network security firm Damballa announced a service based on the research to provide intelligence on botnet-infected systems. Called FirstAlert, the service can detect the characteristic DNS queries indicative of botnet infections inside a customer's network.

"If you can detect the domain abuse early enough in the infection lifecycle, then you can get ahead of the threat," says David Holmes, vice president of marketing for Damballa. "If we see a domain lookup in a customer environment we haven't seen before, we can say, that's interesting."

The two papers describe two systems. One, Notos, dynamically determines the reputation of a domain-name/IP-address pair. The system collects DNS query data from registrars and analyzes the domain structure, focusing on the network and zone characteristics.

Also see: "What a botnet looks like"

"It builds models of known legitimate domains and malicious domains, and uses these models to compute a reputation score for a new domain indicative of whether the domain is malicious or legitimate," writes Manos Antonakakis, a researcher at GATech and co-author of the paper.
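To make the reputation idea concrete, here is an added example (not code from Notos, Damballa or the paper) of the approach the article describes: derive network-side and zone-side characteristics for each name from passive-DNS observations, fit a model on known-legitimate and known-malicious names, and score a never-seen name by which class it resembles. The feature set, the nearest-centroid scoring and all the data (names under .test and reserved IP ranges) are assumptions constructed for the example; the real system's features and learner are not described on the page.

```python
import math
from collections import defaultdict

# Constructed passive-DNS observations: (queried name, resolved IPv4, TTL seconds).
# Names under .test and the IP ranges are documentation/reserved values, not real hosts.
PDNS = [
    ("www.example.com", "93.184.216.34", 86400),
    ("www.example.com", "93.184.216.34", 86400),
    ("mail.example.org", "198.51.100.7", 3600),
    ("cdn.example.net", "203.0.113.10", 3600),
    ("cdn.example.net", "203.0.113.11", 3600),
    # fast-flux-like: many unrelated /24s behind one name, tiny TTLs
    ("x7q2kd9.flux-example.test", "192.0.2.5", 60),
    ("x7q2kd9.flux-example.test", "198.18.4.9", 60),
    ("x7q2kd9.flux-example.test", "203.0.113.200", 30),
    ("x7q2kd9.flux-example.test", "100.64.1.2", 30),
    # DGA-like: random-looking label, short TTL
    ("a1b2c3d4e5.dga-example.test", "192.0.2.77", 60),
    ("a1b2c3d4e5.dga-example.test", "198.18.9.9", 60),
]
# Ground truth for the training names (constructed)
LABELS = {
    "www.example.com": "legit", "mail.example.org": "legit", "cdn.example.net": "legit",
    "x7q2kd9.flux-example.test": "malicious", "a1b2c3d4e5.dga-example.test": "malicious",
}

def slash24(ip):
    return ".".join(ip.split(".")[:3])

def group_by_name(pdns):
    groups = defaultdict(list)
    for qname, ip, ttl in pdns:
        groups[qname].append((ip, ttl))
    return groups

def features(qname, records):
    """Network-side and zone-side characteristics of one name (hypothetical feature set)."""
    ips = [ip for ip, _ in records]
    ttls = [ttl for _, ttl in records]
    label = qname.split(".")[0]
    digits = sum(ch.isdigit() for ch in label)
    return [
        len(set(ips)),                        # network: distinct resolved IPs
        len({slash24(ip) for ip in ips}),     # network: distinct /24 prefixes
        math.log10(sum(ttls) / len(ttls)),    # network: mean TTL, log scale
        len(qname.split(".")),                # zone: number of labels
        len(label),                           # zone: length of leftmost label
        digits / len(label),                  # zone: digit share of leftmost label
    ]

def centroid(vectors):
    n = len(vectors)
    return [sum(v[i] for v in vectors) / n for i in range(len(vectors[0]))]

def train(pdns, labels):
    """Fit per-feature standardisation and one centroid per class."""
    by_class = defaultdict(list)
    for qname, records in group_by_name(pdns).items():
        by_class[labels[qname]].append(features(qname, records))
    everything = [v for vs in by_class.values() for v in vs]
    mean = centroid(everything)
    std = []
    for i in range(len(mean)):
        s = math.sqrt(sum((v[i] - mean[i]) ** 2 for v in everything) / len(everything))
        std.append(s if s > 0 else 1.0)  # constant feature: leave unscaled
    norm = lambda v: [(x - m) / s for x, m, s in zip(v, mean, std)]
    return {"mean": mean, "std": std,
            "centroids": {cls: centroid([norm(v) for v in vs]) for cls, vs in by_class.items()}}

def reputation(model, qname, records):
    """Score in (0, 1): near 1 resembles known-legitimate names, near 0 known-malicious ones."""
    v = [(x - m) / s for x, m, s in zip(features(qname, records), model["mean"], model["std"])]
    d = {cls: math.dist(v, c) for cls, c in model["centroids"].items()}
    return d["malicious"] / (d["malicious"] + d["legit"])

MODEL = train(PDNS, LABELS)

# Two names never seen during training (constructed)
NEW_DGA_LIKE = [("192.0.2.20", 60), ("198.18.5.5", 60), ("203.0.113.9", 60)]
NEW_ORDINARY = [("93.184.216.40", 3600)]

if __name__ == "__main__":
    print(reputation(MODEL, "kq93mzv1.unknown-example.test", NEW_DGA_LIKE))
    print(reputation(MODEL, "shop.example.co.uk", NEW_ORDINARY))
```

A model of this kind learns how a name resolves, not what it is for; as the article notes further down, that can penalise a benign name that shares hosting with malicious ones, so the score is a signal to combine with others rather than a verdict on its own.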

The other, Kopis, can detect changes across the DNS infrastructure of a company, an Internet service provider or the global Internet that are characteristic of malicious networks. The systems require about 5 days of training to begin to detect botnets, Holmes says.

"Kopis is a machine learning technology," he says. "It has been trained or can be trained to understand lookup patterns and periodicity and profiles ... based on the diversity of the lookups."
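The lookup-pattern side of this, together with the "domain lookup we haven't seen before" check Holmes mentions earlier, as an added example (not Kopis, and not Damballa's code): a resolver query log is folded into a per-name profile of lookup volume, client diversity, per-client periodicity and whether the name was present in a baseline window, and names that several hosts resolve on a clockwork schedule without ever having been seen before are flagged. The log format, the baseline set, the thresholds and the beaconing pattern are all constructed assumptions.

```python
import statistics
from collections import defaultdict

def build_log():
    """Constructed resolver log: 'epoch client_ip qname' per line. Not real traffic."""
    rows = []
    # Two internal hosts resolving the same never-seen name every 300 s (constructed beacon)
    for k in range(8):
        rows.append((1700000000 + 300 * k, "10.0.2.3", "update.c2-example.test"))
        rows.append((1700000130 + 300 * k, "10.0.3.4", "update.c2-example.test"))
    # Ordinary browsing of a known name: irregular gaps, a few lookups per host
    for k, gap in enumerate([0, 11, 95, 140, 610, 640, 1900, 2205]):
        rows.append((1700000000 + gap, "10.0.1.%d" % (5 + k % 3), "www.example.com"))
    # One host polling a known software-update name on a fixed schedule
    for k in range(8):
        rows.append((1700000050 + 600 * k, "10.0.4.8", "updates.example.org"))
    rows.sort()
    return "\n".join("%d %s %s" % r for r in rows)

# Names already observed during the training window (constructed baseline)
BASELINE = {"www.example.com", "updates.example.org"}

def parse_log(text):
    entries = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        entries.append((int(ts), client, qname.lower().rstrip(".")))
    return entries

def slash16(ip):
    return ".".join(ip.split(".")[:2])

def is_periodic(timestamps, min_lookups=4, max_cv=0.1):
    """True when one client's lookups of one name arrive at near-constant intervals."""
    if len(timestamps) < min_lookups:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    # coefficient of variation of inter-arrival time: ~0 means clockwork lookups
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv

def lookup_profiles(entries, baseline):
    """Per-name lookup profile: volume, client diversity, periodicity, first-seen."""
    per_name = defaultdict(lambda: defaultdict(list))
    for ts, client, qname in entries:
        per_name[qname][client].append(ts)
    profiles = {}
    for qname, clients in per_name.items():
        profiles[qname] = {
            "lookups": sum(len(ts) for ts in clients.values()),
            "clients": len(clients),
            "client_nets": len({slash16(c) for c in clients}),
            "periodic_clients": sum(is_periodic(ts) for ts in clients.values()),
            "first_seen": qname not in baseline,
        }
    return profiles

def flag_suspicious(profiles, min_periodic_clients=2):
    """Never-seen names that several hosts resolve on a schedule."""
    return sorted(q for q, p in profiles.items()
                  if p["first_seen"] and p["periodic_clients"] >= min_periodic_clients)

if __name__ == "__main__":
    profiles = lookup_profiles(parse_log(build_log()), BASELINE)
    for name in flag_suspicious(profiles):
        print(name, profiles[name])
```

Periodicity is measured per client rather than per name on purpose: two hosts beaconing on the same schedule but out of phase look irregular when their lookups are merged, yet each one alone is clockwork. The known update name polls just as regularly, which is why the first-seen test and the multi-client requirement are both part of the rule.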

Used together, the systems have been able to detect botnets such as IMDDOS and those built on SpyEye. Often they can detect botnets weeks before they actually go active and start sending out malware, Holmes says.

The technology is not meant to be used as a standalone service, but in conjunction with other expert systems such as spam engines. Notos, for example, will penalize legitimate Web sites that are hosted with a provider that also hosts malicious domain names.

Stories by Robert Lemos