Researchers devise new method of detecting botnets

Mar 25, 2011

(PhysOrg.com) -- With the threat of Botnets increasing, researchers in the Department of Electrical and Computer Engineering at Texas A&M University have devised a new method to detect their activity.

A botnet, or robot network, is a term used to describe a collection of computers that have been compromised by a worm or Trojan horse, allowing an attacker to remotely control the systems. Victims are typically unaware that they are infected or that their system is being controlled remotely by a botnet administrator.

Dr. Narasimha Reddy — in collaboration with his students Sandeep Yadav and Ashwath Reddy at Texas A&M and Supranamaya “Soups” Ranjan with Narus Inc. — came up with a method of detecting botnets like Conficker, Kraken and Torpig that use so-called DNS domain-fluxing for their command and control (C&C) infrastructure.

Domain-fluxing bots typically generate random domain names; a bot basically queries a series of domain names, but the domain owner registers just one. To get to the C&C, botnet researchers typically reverse-engineer the bot malware and figure out the domains that are generated on a regular basis, a time- and resource-intensive process, in an attempt to discern all of the domain names that would be registered by a botnet so they can jump ahead and register them in order gain a foothold in their investigation.

While there are other methods of detection, Reddy’s method basically looks at the pattern and distribution of alphabetic characters in a domain name to determine whether it’s malicious or legitimate. This allows them to spot botnets’ algorithmically generated (rather than generated by humans) .

“Our method analyzes only DNS traffic and hence is easily scalable to large networks,” said Reddy, the J.W. Runyon, Jr. ’35 Professor I in the department. “It can detect previously unknown botnets by analyzing a small fraction of the network traffic.”

Botnets using both IP fast-flux and domain fast-flux can also be detected by the proposed technique. IP fast-flux is a round-robin method where malicious websites are constantly rotated across several IP addresses, changing their DNS records to prevent their discovery by researchers, ISPs or law enforcement. Reddy’s new detection method discovered two new botnets with their method. One of the new botnets generates 57 character long random names and the second generates names using a concatenation of two dictionary words.

CERT, a nationwide network security coordination lab, is building a tool based on Reddy’s technique and this tool will be widely distributed for public use. Reddy expects this to be a useful tool because of its speed and simplicity.

Explore further: Computer software accurately predicts student test performance

More information: Further details on their research are available here.

Provided by Texas A&M University

4 /5 (6 votes)

Related Stories

Botnet Hijacking Steals 70GB of Data

May 05, 2009

(PhysOrg.com) -- Security researchers have uncovered one of the most notorious zombie networks, the Torpig botnet, by collecting 70GB of data that was stolen in just 10 days.

74,000 .eu domain names suspended

Jul 24, 2006

At least 74,000 domain names ending with .eu have been suspended for abusive behavior by a group that controls the name.

Domain registry on the rise

Apr 27, 2006

Internet domain names may become as ubiquitous as Social Security numbers one day, according to Dotster Inc.

Researchers: Botnets Getting Beefier

Apr 17, 2007

Botnets are moving to more resilient architectures and more sophisticated encryption that will make them even harder to track and fight, researchers say at HotBots, a Usenix event.

Recommended for you

Sony's PlayStation 4 sales top seven million

2 hours ago

Sony says it has sold seven million PlayStation 4 worldwide since its launch last year and admitted it can't make them fast enough, in a welcome change of fortune for the Japanese consumer electronics giant.

Weibo IPO below expectations, raises $285.6 mn

2 hours ago

Sina Weibo sold fewer shares than expected in its US IPO which was priced below expectations ahead of a Thursday listing that takes place after tech selloffs on Wall Street.

'Chief Yahoo' David Filo returns to board

3 hours ago

Yahoo announced the nomination of three new board members, including company co-founder David Filo, who earned the nickname and formal job title of "Chief Yahoo."

Fired Yahoo exec gets $58M for 15 months of work

4 hours ago

Yahoo's recently fired chief operating officer, Henrique de Castro, left the Internet company with a severance package of $58 million even though he lasted just 15 months on the job.

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

Moebius
not rated yet Mar 26, 2011
This is one of the failings of an open society with the free distribution of information. Some things should be kept secret. Like this technique for identifying botnets. Releasing info like this just gives the scumbags of the world the tools they need to improve their methods.

More news stories

Sony's PlayStation 4 sales top seven million

Sony says it has sold seven million PlayStation 4 worldwide since its launch last year and admitted it can't make them fast enough, in a welcome change of fortune for the Japanese consumer electronics giant.

Robotics goes micro-scale

(Phys.org) —The development of light-driven 'micro-robots' that can autonomously investigate and manipulate the nano-scale environment in a microscope comes a step closer, thanks to new research from the ...

Biologists help solve fungi mysteries

(Phys.org) —A new genetic analysis revealing the previously unknown biodiversity and distribution of thousands of fungi in North America might also reveal a previously underappreciated contributor to climate ...