ABSTRACT
Botnets remain a major threat in modern computing, and security researchers are in a constant, escalating contest with the authors of such malware to detect and mitigate it. Current bot malware encrypts the traffic between the botmaster and the infected machines and applies a range of resilience and obfuscation strategies. These techniques take full advantage of the infrastructure built to support ever-greater connectivity between computers around the world, including the updates and extensions made to DNS to cope with its increased use. In this paper we analyze how botnet authors and operators currently use DNS and examine the clues that network administrators and knowledgeable computer users can use to identify and mitigate the threat.
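The abstract points to clues in DNS traffic that an administrator can use to spot bots. The following is an added example, not code from the paper or its authors, that scores a resolver query log per client for two such clues: DGA-style rendezvous lookups (a run of NXDOMAIN answers for high-entropy second-level labels) and tunnel-style queries (very long leftmost labels carrying encoded data). The log format, the sample lines, the thresholds and the "last two labels" registrable-domain heuristic are all assumptions made for the example.

```python
"""Score a DNS query log for botnet-style DNS use (added example, not from the paper)."""
import math
import re
from collections import defaultdict

# Constructed sample log; assumed format: timestamp client qname rcode.
# 10.0.0.5 is normal, 10.0.0.9 looks like a DGA bot, 10.0.0.7 looks like a tunnel.
SAMPLE_LOG = """\
2015-06-01T10:00:01 10.0.0.5 www.example.com NOERROR
2015-06-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2015-06-01T10:00:03 10.0.0.9 qxzkvbrtlpwm.com NXDOMAIN
2015-06-01T10:00:04 10.0.0.9 hgtrqwlzxpvm.net NXDOMAIN
2015-06-01T10:00:05 10.0.0.9 lkjtrqpznbvx.org NXDOMAIN
2015-06-01T10:00:06 10.0.0.9 mnbvcxzlkjhg.info NXDOMAIN
2015-06-01T10:00:07 10.0.0.9 update.microsoft.com NOERROR
2015-06-01T10:00:08 10.0.0.7 4a6f686e0a3b5c.t.exfil-example.net NOERROR
2015-06-01T10:00:09 10.0.0.7 9c8b7a6f5e4d3c2b1a.t.exfil-example.net NOERROR
2015-06-01T10:00:10 10.0.0.7 f0e1d2c3b4a5968778695a4b3c2d1e0f.t.exfil-example.net NOERROR
2015-06-01T10:00:11 10.0.0.5 cdn.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character: a 12-letter random label scores ~3.6, 'example' ~2.5."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (leftmost label, second-level label, registrable domain).

    Assumption: the registrable domain is the last two labels. A real deployment
    should consult the Public Suffix List so 'co.uk' is not taken as a label.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[0], labels[0], labels[0]
    return labels[0], labels[-2], ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, rcode) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, qname, rcode = m.groups()
            yield client, qname, rcode.upper()


def score_dns_log(text: str, min_queries=4, nx_ratio=0.5, entropy=3.0, label_len=20):
    """Aggregate features per client and attach flags (thresholds are assumptions)."""
    per_client = defaultdict(lambda: {
        "queries": 0, "nxdomain": 0, "entropies": [],
        "max_label_len": 0, "domains": defaultdict(set),
    })
    for client, qname, rcode in parse_log(text):
        left, sld, domain = split_qname(qname)
        st = per_client[client]
        st["queries"] += 1
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        st["entropies"].append(shannon_entropy(sld))
        st["max_label_len"] = max(st["max_label_len"], len(left))
        st["domains"][domain].add(qname)

    report = {}
    for client, st in per_client.items():
        q = st["queries"]
        ratio = st["nxdomain"] / q
        mean_ent = sum(st["entropies"]) / q
        flags = []
        # DGA clue: repeated failures to resolve random-looking names.
        if q >= min_queries and ratio >= nx_ratio and mean_ent >= entropy:
            flags.append("dga_like")
        # Tunnel clue: data encoded into an unusually long leftmost label.
        if st["max_label_len"] >= label_len:
            flags.append("tunnel_like")
        report[client] = {
            "queries": q,
            "nxdomain_ratio": ratio,
            "mean_sld_entropy": mean_ent,
            "max_label_len": st["max_label_len"],
            "max_names_per_domain": max(len(v) for v in st["domains"].values()),
            "flags": flags,
        }
    return report


if __name__ == "__main__":
    for client, feats in sorted(score_dns_log(SAMPLE_LOG).items()):
        print(client, feats)
```

The two clues are deliberately separate: a DGA bot produces many NXDOMAIN answers for short random names, while a tunnel typically resolves successfully but pushes long encoded labels under one registrable domain (the `max_names_per_domain` count is a second tunnel indicator worth alerting on at higher volumes). Both heuristics need a baseline from the local network before the thresholds are trusted, and CDN or antivirus lookups can mimic either pattern.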
Index Terms
- A Study on Botnets Utilizing DNS