
Vulnerabilities / Threats

11/4/2010
05:41 PM

New Technique Spots Sneaky Botnets

Tool could be used to detect activity from botnets such as Conficker, Kraken, and Torpig, which rotate domains in an effort to evade discovery and stay alive

Researchers have devised a new method to root out botnets that try to hide behind alternating domain names.

Supranamaya "Soups" Ranjan, a research scientist, says he and a team of colleagues came up with a prototype method of detecting botnets like Conficker, Kraken, and Torpig that use so-called DNS domain-fluxing for their command and control (C&C) infrastructure. Domain-fluxing, also known as a domain generation algorithm (DGA), randomly generates domain names: a bot queries a series of domain names, but the botnet operator registers just one. To get to the C&C, botnet researchers typically reverse-engineer the bot malware and work out the domains it generates on a regular basis, a time- and resource-intensive process aimed at discerning all of the domain names the botnet would register so the researchers can jump ahead, register them themselves, and gain a foothold in their investigation.

"Botnets such as Kraken, Conficker, and Torpig came up with domain fast-flux, where even the domain name that each bot queries for is randomly generated," Ranjan says. "Each bot queries for tens of thousands of domain names hoping that the botnet operator has registered for at least one of them via DNS. Now consider security vendors, who in this situation have no way of predicting which DNS queries are related to a botnet."

Ranjan, who is with Narus Inc., and Sandeep Yadav, Ashwath Reddy, and A.L. Narasimha Reddy, all with Texas A&M, created a method of studying all DNS traffic in real time for domain-flux activity. The researchers presented their findings this week at the ACM Measurement Conference in Melbourne. Their method looks at the pattern and distribution of alphabetic characters in a domain name to determine whether it's malicious or legitimate: This lets them spot domain names that a botnet generated algorithmically rather than ones chosen by humans. Bottom line: Given that most readable domain names are already taken, botnet operators have to go with gibberish-looking names like the ones Conficker bots generate: joftvvtvmx.org, gcvwknnxz.biz, and vddxnvzqjks.ws.

Domain-fluxing makes the botnet researcher's job of tracking botnets even more difficult. "This [domain-fluxing] is obviously a defensive headache for us, but for the attacker it exposes possible future rally points that the good guys can block," says Jose Nazario, senior security researcher at Arbor Networks. "We expect this trend to continue, so the work [here] makes sense: speed up the identification of these in the malcode analysis steps or from packet traces, making analysis more efficient."

Conficker-A, for example, generated about 250 different domains every three hours while using the current date and time at UTC, according to Ranjan and his team. The Conficker creators upped the ante with Conficker-C, generating 50,000 domain names per bot to make it more difficult for a researcher to preregister the domain names, they said in their report.

But this isn't the only method for tracing these stealthy botnets. Gunter Ollmann, vice president of research at Damballa, says a dynamic reputation system method developed by researchers at Georgia Tech works well. "This is probably the most advanced assisted machine-learning approach to the problem," he says. It doesn't require seeing copies of the malware to detect the botnets using domain-fluxing, he says.

And another technique used by Damballa performs so-called NX Domain analysis, Ollmann says, which has been used since 2009. When a bot queries a generated domain that doesn't exist, the TLD name server responds with a so-called NX (NXDOMAIN) response, meaning the domain doesn't exist. "It's relatively simple to detect at the network level the fluxing attempts by the malware to locate these dynamically generated domains, and to also see the number/heuristics of the NX Domain responses from the DNS servers," Ollmann says. "Simple machine-learning algorithms are trained using known data sets for an assortment of malware samples, and the system then automatically detects new, known or suspicious malware infections. The clustering algorithms automatically identify the malware family."

Narus' Ranjan says NX Domain analysis is limited in that it can only find DNS anomalies, such as too many DNS queries returning failure messages. "So they may be used as a first signal for detecting domain flux. Our methodology goes one step further and we can distinguish between cases of legitimate queries that are returning failure responses -- due to network failures -- versus domain flux queries," he says.
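To make the two signals concrete, here is an added illustration (not the researchers' code, nor Damballa's) of the approach described above: a per-client lookup-failure rate as the first alarm, followed by a letter-distribution check on the failed names, measured as Kullback-Leibler divergence from English letter frequencies, to separate domain flux from a client whose legitimate lookups merely fail. The log lines, the client addresses, the thresholds, and the use of English text frequencies as the reference distribution are all assumptions made for the example; the three gibberish names are the Conficker examples quoted in the article.

```python
import math
import string
from collections import Counter, defaultdict

# Reference letter frequencies of English text (percent): a stand-in for the
# distribution the researchers learn from known-good domain names.
ENGLISH_PCT = dict(zip(string.ascii_lowercase, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))
_TOTAL = sum(ENGLISH_PCT.values())
ENGLISH = {c: v / _TOTAL for c, v in ENGLISH_PCT.items()}
FAILURES = {"NXDOMAIN", "SERVFAIL"}  # rcodes counted as lookup failures

def kl_from_english(names):
    """K-L divergence of the pooled letter distribution of the second-level
    labels in `names` from English; the larger, the less English-like."""
    letters = Counter(c for n in names for c in n.split(".")[0].lower() if c in ENGLISH)
    total = sum(letters.values()) or 1  # empty input scores 0.0
    return sum((k / total) * math.log((k / total) / ENGLISH[c]) for c, k in letters.items())

def analyze(log_lines, fail_rate=0.5, kl_threshold=1.0):
    """Group log lines ("client qname rcode") by client: the failure rate is the first
    alarm, the letter statistics of the failed names then decide what the failures are."""
    by_client = defaultdict(list)
    for line in log_lines:
        client, qname, rcode = line.split()
        by_client[client].append((qname, rcode))
    verdicts = {}
    for client, queries in by_client.items():
        failed = [q for q, r in queries if r in FAILURES]
        if len(failed) / len(queries) < fail_rate:
            verdicts[client] = "normal"
        elif kl_from_english(failed) > kl_threshold:
            verdicts[client] = "domain-flux"
        else:
            verdicts[client] = "lookup-failures"
    return verdicts

# Constructed resolver log; the three gibberish names are the Conficker examples
# quoted in the article, everything else is made up for the illustration.
LOG = (["10.0.0.5 %s NXDOMAIN" % d for d in ("joftvvtvmx.org", "gcvwknnxz.biz", "vddxnvzqjks.ws")]
       + ["10.0.0.5 example.com NOERROR"]
       + ["10.0.0.6 %s.com SERVFAIL" % d for d in ("google", "facebook", "wikipedia", "amazon",
                                                  "microsoft", "darkreading", "reddit", "linkedin")]
       + ["10.0.0.7 %s.com NOERROR" % d for d in ("google", "wikipedia", "amazon")]
       + ["10.0.0.7 gogle.com NXDOMAIN"])

if __name__ == "__main__":
    for client, verdict in analyze(LOG).items():
        print(client, verdict)
```

Client 10.0.0.6 trips the failure-rate alarm just like the bot at 10.0.0.5, but its failed names have an English-like letter distribution, which is exactly the case Ranjan says the failure count alone cannot separate.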

He says his method also differs from Georgia Tech's in that it uses more detailed statistics about the domain names.

But the next big thing, he says, is botnets using both IP fast-flux and domain fast-flux, something his team has already spotted in the wild. IP fast-flux is a round-robin method where infected bots serve as proxies or hosts for malicious websites and are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement. Ranjan says his team's new detection method also works for detecting IP fast flux.

While running the prototype against live traffic, the researchers found some new botnet behavior from a botnet they've christened "Storm2.0." "The domain names mapping to the C&C server IP address are composed of two words from the English language. A similar behavior is observed with the [original] Storm botnet where the domain names were composed of one English language word and a randomized string," Ranjan says.

All of the domain names for Storm2.0 are in the ".ru" top-level domain, he says. "In fact, we observed several IP addresses for Storm2.0, once again highlighting that bots have begun using a combination of domain- as well as IP-fluxing," he says.

Ranjan says organizations need to incorporate this type of analysis in order to fight botnets. "A system such as ours should be the first alarm that goes off whenever a new domain fast-flux botnet becomes active. After that an organization can take steps to capture the traffic corresponding to the IP addresses suspected to harbor such bots and examine them further to develop signatures," he says. "But not the other way around, where previously researchers had to scramble to discover the exact algorithm used by Conficker and only then did they register all the domain names that Conficker was going to query for."

Full technical details on the research are available here.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
