Researchers devise new method of detecting botnets

Mar 25, 2011

(PhysOrg.com) -- With the threat of Botnets increasing, researchers in the Department of Electrical and Computer Engineering at Texas A&M University have devised a new method to detect their activity.

A botnet, or robot network, is a term used to describe a collection of computers that have been compromised by a worm or Trojan horse, allowing an attacker to remotely control the systems. Victims are typically unaware that they are infected or that their system is being controlled remotely by a botnet administrator.

Dr. Narasimha Reddy — in collaboration with his students Sandeep Yadav and Ashwath Reddy at Texas A&M and Supranamaya “Soups” Ranjan with Narus Inc. — came up with a method of detecting botnets like Conficker, Kraken and Torpig that use so-called DNS domain-fluxing for their command and control (C&C) infrastructure.

Domain-fluxing bots typically generate random domain names; a bot basically queries a series of domain names, but the domain owner registers just one. To get to the C&C, botnet researchers typically reverse-engineer the bot malware and figure out the domains that are generated on a regular basis, a time- and resource-intensive process, in an attempt to discern all of the domain names that would be registered by a botnet so they can jump ahead and register them in order gain a foothold in their investigation.

While there are other methods of detection, Reddy’s method basically looks at the pattern and distribution of alphabetic characters in a domain name to determine whether it’s malicious or legitimate. This allows them to spot botnets’ algorithmically generated (rather than generated by humans) .

“Our method analyzes only DNS traffic and hence is easily scalable to large networks,” said Reddy, the J.W. Runyon, Jr. ’35 Professor I in the department. “It can detect previously unknown botnets by analyzing a small fraction of the network traffic.”

Botnets using both IP fast-flux and domain fast-flux can also be detected by the proposed technique. IP fast-flux is a round-robin method where malicious websites are constantly rotated across several IP addresses, changing their DNS records to prevent their discovery by researchers, ISPs or law enforcement. Reddy’s new detection method discovered two new botnets with their method. One of the new botnets generates 57 character long random names and the second generates names using a concatenation of two dictionary words.

CERT, a nationwide network security coordination lab, is building a tool based on Reddy’s technique and this tool will be widely distributed for public use. Reddy expects this to be a useful tool because of its speed and simplicity.

Explore further: 'Off-the-shelf' equipment used to digitize insects in 3-D

More information: Further details on their research are available here.

Provided by Texas A&M University

4 /5 (6 votes)

Related Stories

Botnet Hijacking Steals 70GB of Data

May 05, 2009

(PhysOrg.com) -- Security researchers have uncovered one of the most notorious zombie networks, the Torpig botnet, by collecting 70GB of data that was stolen in just 10 days.

74,000 .eu domain names suspended

Jul 24, 2006

At least 74,000 domain names ending with .eu have been suspended for abusive behavior by a group that controls the name.

Domain registry on the rise

Apr 27, 2006

Internet domain names may become as ubiquitous as Social Security numbers one day, according to Dotster Inc.

Researchers: Botnets Getting Beefier

Apr 17, 2007

Botnets are moving to more resilient architectures and more sophisticated encryption that will make them even harder to track and fight, researchers say at HotBots, a Usenix event.

Recommended for you

Tackling urban problems with Big Data

5 hours ago

Paul Waddell, a city planning professor at the University of California, Berkeley, with a penchant for conducting research with what he calls his "big urban data," is putting his work to a real-world test ...

Computer-assisted accelerator design

Apr 22, 2014

Stephen Brooks uses his own custom software tool to fire electron beams into a virtual model of proposed accelerator designs for eRHIC. The goal: Keep the cost down and be sure the beams will circulate in ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

Moebius
not rated yet Mar 26, 2011
This is one of the failings of an open society with the free distribution of information. Some things should be kept secret. Like this technique for identifying botnets. Releasing info like this just gives the scumbags of the world the tools they need to improve their methods.

More news stories

Facebook buys fitness app Moves

Facebook has bought the fitness app Moves, which helps users monitor daily physical activity and their calorie counts on a smartphone.

Genetic code of the deadly tsetse fly unraveled

Mining the genome of the disease-transmitting tsetse fly, researchers have revealed the genetic adaptions that allow it to have such unique biology and transmit disease to both humans and animals.

Ocean microbes display remarkable genetic diversity

The smallest, most abundant marine microbe, Prochlorococcus, is a photosynthetic bacteria species essential to the marine ecosystem. An estimated billion billion billion of the single-cell creatures live i ...