Researchers devise new method of detecting botnets

Mar 25, 2011

(PhysOrg.com) -- With the threat of Botnets increasing, researchers in the Department of Electrical and Computer Engineering at Texas A&M University have devised a new method to detect their activity.

A botnet, or robot network, is a term used to describe a collection of computers that have been compromised by a worm or Trojan horse, allowing an attacker to remotely control the systems. Victims are typically unaware that they are infected or that their system is being controlled remotely by a botnet administrator.

Dr. Narasimha Reddy — in collaboration with his students Sandeep Yadav and Ashwath Reddy at Texas A&M and Supranamaya “Soups” Ranjan with Narus Inc. — came up with a method of detecting botnets like Conficker, Kraken and Torpig that use so-called DNS domain-fluxing for their command and control (C&C) infrastructure.

Domain-fluxing bots typically generate random domain names; a bot basically queries a series of domain names, but the domain owner registers just one. To get to the C&C, botnet researchers typically reverse-engineer the bot malware and figure out the domains that are generated on a regular basis, a time- and resource-intensive process, in an attempt to discern all of the domain names that would be registered by a botnet so they can jump ahead and register them in order gain a foothold in their investigation.

While there are other methods of detection, Reddy’s method basically looks at the pattern and distribution of alphabetic characters in a domain name to determine whether it’s malicious or legitimate. This allows them to spot botnets’ algorithmically generated (rather than generated by humans) .

“Our method analyzes only DNS traffic and hence is easily scalable to large networks,” said Reddy, the J.W. Runyon, Jr. ’35 Professor I in the department. “It can detect previously unknown botnets by analyzing a small fraction of the network traffic.”

Botnets using both IP fast-flux and domain fast-flux can also be detected by the proposed technique. IP fast-flux is a round-robin method where malicious websites are constantly rotated across several IP addresses, changing their DNS records to prevent their discovery by researchers, ISPs or law enforcement. Reddy’s new detection method discovered two new botnets with their method. One of the new botnets generates 57 character long random names and the second generates names using a concatenation of two dictionary words.

CERT, a nationwide network security coordination lab, is building a tool based on Reddy’s technique and this tool will be widely distributed for public use. Reddy expects this to be a useful tool because of its speed and simplicity.

Explore further: MIT groups develop smartphone system THAW that allows for direct interaction between devices

More information: Further details on their research are available here.

Provided by Texas A&M University

4 /5 (6 votes)

Related Stories

Botnet Hijacking Steals 70GB of Data

May 05, 2009

(PhysOrg.com) -- Security researchers have uncovered one of the most notorious zombie networks, the Torpig botnet, by collecting 70GB of data that was stolen in just 10 days.

74,000 .eu domain names suspended

Jul 24, 2006

At least 74,000 domain names ending with .eu have been suspended for abusive behavior by a group that controls the name.

Domain registry on the rise

Apr 27, 2006

Internet domain names may become as ubiquitous as Social Security numbers one day, according to Dotster Inc.

Researchers: Botnets Getting Beefier

Apr 17, 2007

Botnets are moving to more resilient architectures and more sophisticated encryption that will make them even harder to track and fight, researchers say at HotBots, a Usenix event.

Recommended for you

Oculus unveils new prototype VR headset

12 hours ago

Oculus has unveiled a new prototype of its virtual reality headset. However, the VR company still isn't ready to release a consumer edition.

Computerized emotion detector

Sep 16, 2014

Face recognition software measures various parameters in a mug shot, such as the distance between the person's eyes, the height from lip to top of their nose and various other metrics and then compares it with photos of people ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

Moebius
not rated yet Mar 26, 2011
This is one of the failings of an open society with the free distribution of information. Some things should be kept secret. Like this technique for identifying botnets. Releasing info like this just gives the scumbags of the world the tools they need to improve their methods.