Tactics from online criminals to harden their botnets against takedown are getting a bit more complex as they use things like fast-flux networks and Conficker-like dynamic domain generation.
But with more items these criminals have to create, it can be easier to point out when these networks are on the system, said researchers at Georgia Institute of Technology.
Dynamically detecting changes in the domain name system (DNS) can lead to the early detection of botnets. When bot masters create the infrastructure for a botnet, the reputation of the domain names can tip off defenders. In two papers, one released last year and one to be published in September, Georgia Tech researchers found they can detect anomalies in the domain name system indicative of botnets and have documented recognition rates greater than 98 percent.
Network security firm Damballa unveiled a service based on the research to provide intelligence on botnet-infected systems. The service, called FirstAlert, can detect the characteristic DNS queries indicative of botnet infections inside a customer’s network.
“If you can detect the domain abuse early enough in the infection lifecycle, then you can get ahead of the threat,” says David Holmes, vice president of marketing for Damballa. “If we see a domain lookup in a customer environment we haven’t seen before, we can say, that’s interesting.”
The two papers describe two systems. One, Notos, dynamically determines the reputation of a domain-name/IP-address pairs. The system collects DNS query data from registrars and analyzes the domain structure, focusing on the network and zone characteristics.
“It builds models of known legitimate domains and malicious domains, and uses these models to compute a reputation score for a new domain indicative of whether the domain is malicious or legitimate,” said Manos Antonakakis, a researcher at Georgia Tech and co-author of the paper.
The other, Kopis, can detect changes across the DNS infrastructure of a company, Internet service provider or the global Internet characteristic of malicious networks. The systems require about 5 days of training to begin to detect botnets, Holmes says.
“Kopis is a machine learning technology,” he says. “It has been trained or can be trained to understand lookup patterns and periodicity and profiles … based on the diversity of the lookups.”
The systems used together have been able to detect botnets, such as the IMDDOS and those built on SpyEye. In some cases, it can detect botnets weeks before they actually go active and start sending out malware, Holmes said.
The technology is not a standalone service, but it should work in conjunction with other expert systems such as spam engines. Notos, for example, will penalize legitimate Web sites hosted with a provider that also hosts malicious domain names.