CSO - Online criminals have evolved their tactics to harden their botnets against takedown using a variety of tactics, including fast-flux networks and Conficker-like dynamic domain generation. Yet, such tactics can also pinpoint when such networks are being created by bot operators, according to research from the Georgia Institute of Technology.
The research found that dynamically detecting changes in the domain name system (DNS) can lead to the early detection of botnets. When bot masters create the infrastructure for a botnet, the reputation of the domain names can tip off defenders. In two papers, one released last year ( PDF) and one to be published in September, GATech researchers found that they can detect anomalies in the domain name system indicative of botnets and have documented recognition rates greater than 98 percent.
Also see "The botnet hunters"
Monday, network security firm Damballa announced a service based on the research to provide intelligence on botnet-infected systems. Called FirstAlert, the service can detect the characteristic DNS queries indicative of botnet infections inside a customer's network.
"If you can detect the domain abuse early enough in the infection lifecycle, then you can get ahead of the threat," says David Holmes, vice president of marketing for Damballa. "If we see a domain lookup in a customer environment we haven't seen before, we can say, that's interesting."
The two papers describe two systems. One, Notos, dynamically determines the reputation of a domain-name/IP-address pairs. The system collects DNS query data from registrars and analyzes the domain structure, focusing on the network and zone characteristics.
[ Also see: "What a botnet looks like"]
"It builds models of known legitimate domains and malicious domains, and uses these models to compute a reputation score for a new domain indicative of whether the domain is malicious or legitimate," writes Manos Antonakakis, a researcher at GATech and co-author of the paper.
The other, Kopis, can detect changes across the DNS infrastructure of a company, Internet service provider or the global Internet, that is characteristic of malicious networks. The systems require about 5 days of training to begin to detect botnets, Holmes says.
"Kopis is a machine learning technology," he says. "It has been trained or can be trained to understand lookup patterns and periodicity and profiles ... based on the diversity of the lookups."
The systems used together have been able to detect botnets, such as the IMDDOS and those built on SpyEye. Many times, it can detect botnets weeks before they actually go active and start sending out malware, Holmes says.
The technology is not meant to be used as a standalone service, but in conjunction with other expert systems such as spam engines. Notos, for example, will penalize legitimate Web sites that are hosted with a provider that also hosts malicious domain names.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Endpoint Security White Papers | Webcasts