BOTNET DETECTION BASED ON DNS RECORDS AND ACTIVE PROBING

Iria Prieto, Eduardo Magaña, Daniel Morató, Mikel Izal

2011

Abstract

Computers connected to the Internet are constantly threatened by different types of malware. Among the most important are botnets, which convert infected computers into agents that carry out actions instructed by a command-and-control server. A botmaster can control thousands of agents, which gives it significant capacity to mount any kind of network attack (DoS), email spam or phishing. In this paper, peculiarities in the communication with the command-and-control server are used to identify computers infected by a botnet. The identification is based mainly on the DNS records of the registered domains where command-and-control servers are hosted. Processing overhead is therefore reduced, since per-packet or per-flow network supervision is avoided.
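As an added illustration, not code or an algorithm from the paper, the Python below shows the shape of a DNS-record-based check of the kind the abstract describes: candidate domains are scored from their resolver answers plus the outcome of an active probe of each address, with no per-packet or per-flow inspection of the monitored network. The feature set (TTL, number of A records, /24 diversity, address churn between answers, identical probe fingerprints across addresses), every threshold, and the sample domains, addresses and probe results are this example's own assumptions, constructed so it runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Snapshot:
    """One resolver answer for a domain: its A records and their TTL (seconds)."""
    ttl: int
    a_records: List[str]


# Constructed sample data (not from the paper): two answers per domain, as a
# passive resolver log or periodic queries of the domain would provide.
SNAPSHOTS: Dict[str, List[Snapshot]] = {
    # stable host: long TTL, same two addresses every time
    "www.example.org": [
        Snapshot(86400, ["192.0.2.10", "192.0.2.11"]),
        Snapshot(86400, ["192.0.2.10", "192.0.2.11"]),
    ],
    # fast-flux-like host: tiny TTL, many addresses, most of them rotated
    "upd4te-srv.example.net": [
        Snapshot(180, ["198.51.100.7", "203.0.113.22", "192.0.2.130",
                       "198.51.100.200", "203.0.113.9"]),
        Snapshot(180, ["203.0.113.45", "198.51.100.77", "192.0.2.201",
                       "203.0.113.22", "198.51.100.9"]),
    ],
}

# Constructed outcome of an active probe of each A record (e.g. one HTTP
# request per address): a short fingerprint of the answer, None if no reply.
PROBE_FINGERPRINTS: Dict[str, Optional[str]] = {
    "192.0.2.10": "nginx 200 text/html", "192.0.2.11": "nginx 200 text/html",
    "198.51.100.7": "proxy 302 /login", "203.0.113.22": "proxy 302 /login",
    "192.0.2.130": None, "198.51.100.200": "proxy 302 /login",
    "203.0.113.9": "proxy 302 /login", "203.0.113.45": None,
    "198.51.100.77": "proxy 302 /login", "192.0.2.201": "proxy 302 /login",
    "198.51.100.9": "proxy 302 /login",
}

# Thresholds are this example's assumptions, not values from the paper.
LOW_TTL = 300          # seconds
MANY_A_RECORDS = 5     # distinct addresses seen across all answers
MANY_PREFIXES = 3      # distinct /24 networks
HIGH_CHURN = 0.5       # share of addresses replaced between first and last answer
SUSPICIOUS_SCORE = 3


def dns_features(snaps: List[Snapshot]) -> Dict[str, float]:
    """Summarise a domain's resolution history into a few scalar features."""
    distinct = {ip for s in snaps for ip in s.a_records}
    prefixes = {str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in distinct}
    first, last = set(snaps[0].a_records), set(snaps[-1].a_records)
    churn = len(last - first) / len(last) if last else 0.0
    return {
        "min_ttl": min(s.ttl for s in snaps),
        "distinct_a": len(distinct),
        "distinct_24s": len(prefixes),
        "churn": churn,
    }


def probe_consistent(snaps: List[Snapshot],
                     fingerprints: Dict[str, Optional[str]]) -> bool:
    """True if every address that answered the probe returned the same
    fingerprint, which is what flux proxies fronting one backend look like."""
    answers = {fingerprints.get(ip) for s in snaps for ip in s.a_records}
    answers.discard(None)  # unreachable addresses carry no evidence either way
    return len(answers) == 1


def score_domain(domain: str, snaps: List[Snapshot],
                 fingerprints: Dict[str, Optional[str]]) -> Dict[str, object]:
    """One point per indicator; the domain is flagged at SUSPICIOUS_SCORE."""
    f = dns_features(snaps)
    score = 0
    score += f["min_ttl"] <= LOW_TTL
    score += f["distinct_a"] >= MANY_A_RECORDS
    score += f["distinct_24s"] >= MANY_PREFIXES
    score += f["churn"] >= HIGH_CHURN
    score += probe_consistent(snaps, fingerprints)
    return {"domain": domain, **f, "score": int(score),
            "suspicious": score >= SUSPICIOUS_SCORE}


def score_all(snapshots: Dict[str, List[Snapshot]] = SNAPSHOTS,
              fingerprints: Dict[str, Optional[str]] = PROBE_FINGERPRINTS):
    return {d: score_domain(d, s, fingerprints) for d, s in snapshots.items()}


if __name__ == "__main__":
    for result in score_all().values():
        print(result)
```

The stable host collects a single point (its two addresses answer identically, as any small web cluster would), while the fluxing host collects all five, which is why no single indicator is used on its own. In a deployment the snapshots would come from the resolver's logs for the domains actually requested by local hosts, and the probe step would be rate-limited and run from an address not associated with the monitored network.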


Paper Citation


in Harvard Style

Prieto I., Magaña E., Morató D. and Izal M. (2011). BOTNET DETECTION BASED ON DNS RECORDS AND ACTIVE PROBING. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011) ISBN 978-989-8425-71-3, pages 307-316. DOI: 10.5220/0003522903070316


in Bibtex Style

@conference{secrypt11,
author={Iria Prieto and Eduardo Magaña and Daniel Morató and Mikel Izal},
title={BOTNET DETECTION BASED ON DNS RECORDS AND ACTIVE PROBING},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)},
year={2011},
pages={307-316},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003522903070316},
isbn={978-989-8425-71-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)
TI - BOTNET DETECTION BASED ON DNS RECORDS AND ACTIVE PROBING
SN - 978-989-8425-71-3
AU - Prieto I.
AU - Magaña E.
AU - Morató D.
AU - Izal M.
PY - 2011
SP - 307
EP - 316
DO - 10.5220/0003522903070316

