March 28, 2011, 1:47 PM — Researchers at Texas A&M University say they have a new method for finding domain-fluxing botnets, which evade detection by constantly alternating domain names.
Dr. Narasimha Reddy, who works in the University's Department of Electrical and Computer Engineering, collaborated with student Sandeep Yadav and Ashwath Reddy, as well as with Supranamaya "Soups" Ranjan with Narus Inc., to develop the new method. It can be used to detect botnets like Conficker, Kraken and Torpig, which use the so-called DNS domain-fluxing for their command and control infrastructure.
Domain-fluxing bots generate pseudo-random domain names on a schedule: each bot queries a long list of candidate names, but the botmaster registers only one of them, and the one that resolves is the C&C server. As an example, the research points to Conficker-A, which generated 250 domains every three hours. To make it impractical for a security vendor to pre-register the candidate names, the next version, Conficker-C, increased the number of randomly generated domain names per bot to 50,000 a day.
The research also finds Torpig bots "employ an interesting trick where the seed for the random string generator is based on one of the most popular trending topics in Twitter." Kraken, according to the report, uses a much more sophisticated random word generator that constructs English-like words with properly matched vowels and consonants. The generated word is then combined with a suffix chosen at random from a pool of common English noun, verb, adjective and adverb endings, the researchers say.
Current detection methods require botnet researchers to reverse-engineer the bot malware, recover its domain-generation algorithm, and predict the domains it will produce on each cycle in order to reach the C&C. Security vendors then have to pre-register every domain a bot will query each day, before the botnet operator registers one of them. It's a time-intensive process, the researchers argue in their report.
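To make the mechanism concrete, here is an added example (written for this page, not code from the Texas A&M researchers or from any of the botnets named) of the two generator styles described above and of the bot/botmaster rendezvous built on them. The hash used as the pseudo-random source, the TLD pool, the suffix pool, the label lengths and the "trending topic" string are all illustrative assumptions and do not reproduce any real botnet's algorithm.

```python
"""Toy domain-generation algorithms (DGAs) in the two styles described above,
plus the bot/botmaster rendezvous built on them. Hash choice, TLD pool and
suffix pool are illustrative assumptions, not values from any real botnet."""
import hashlib
import re
from datetime import date

TLDS = ["com", "net", "org", "info", "biz"]
VOWELS = "aeiou"
CONSONANTS = "bcdfghjklmnpqrstvwxyz"
# Constructed stand-in for a pool of common English word endings.
SUFFIXES = ["ing", "ed", "ly", "er", "tion", "ness", "ment", "able", "ful", "ous"]

# Shapes the two generators produce (used by the demo to sanity-check output).
RANDOM_LETTER_PATTERN = re.compile(r"[a-z]{10}\.(%s)" % "|".join(TLDS))
PRONOUNCEABLE_PATTERN = re.compile(
    r"([%s][%s]){3}(%s)\.(%s)" % (CONSONANTS, VOWELS, "|".join(SUFFIXES), "|".join(TLDS)))


def _byte_stream(seed: str):
    """Deterministic pseudo-random bytes: SHA-256 of the seed in counter mode.
    Bot and botmaster share the seed, so both reproduce the same stream."""
    counter = 0
    while True:
        yield from hashlib.sha256(f"{seed}|{counter}".encode()).digest()
        counter += 1


def random_letter_dga(seed: str, count: int, length: int = 10):
    """Conficker-style: `count` labels of `length` uniformly random letters."""
    stream = _byte_stream("letters:" + seed)
    domains = []
    for _ in range(count):
        label = "".join(chr(ord("a") + next(stream) % 26) for _ in range(length))
        domains.append(f"{label}.{TLDS[next(stream) % len(TLDS)]}")
    return domains


def pronounceable_dga(seed: str, count: int, syllables: int = 3):
    """Kraken-style: alternating consonant/vowel pairs plus an English-looking
    suffix, so the label reads like a word rather than line noise."""
    stream = _byte_stream("words:" + seed)
    domains = []
    for _ in range(count):
        label = ""
        for _ in range(syllables):
            label += CONSONANTS[next(stream) % len(CONSONANTS)]
            label += VOWELS[next(stream) % len(VOWELS)]
        label += SUFFIXES[next(stream) % len(SUFFIXES)]
        domains.append(f"{label}.{TLDS[next(stream) % len(TLDS)]}")
    return domains


def botmaster_pick(domains, seed: str) -> str:
    """The botmaster computes the same list and registers exactly one name."""
    digest = hashlib.sha256(("pick:" + seed).encode()).digest()
    return domains[int.from_bytes(digest[:4], "big") % len(domains)]


def bot_find_c2(domains, registered):
    """The bot walks its list in order and stops at the first name that resolves.
    `registered` stands in for DNS: the set of names that currently resolve."""
    for name in domains:
        if name in registered:
            return name
    return None


if __name__ == "__main__":
    seed = date(2011, 3, 28).isoformat()        # date-driven seed, as in Conficker
    todays = random_letter_dga(seed, 250)        # 250 candidates for this period
    c2 = botmaster_pick(todays, seed)
    print("bot rendezvous:", bot_find_c2(todays, {c2}))
    # Torpig-style seeding from a trending topic (constructed topic string).
    for d in pronounceable_dga("#trendingtopic", 3):
        print("word-like:", d, bool(PRONOUNCEABLE_PATTERN.fullmatch(d)))
```

The asymmetry the article describes falls out of the code: the botmaster needs to register one name per period, while a defender who wants to deny the rendezvous has to register every name the generator will emit, which is only possible after the seed schedule and generator have been reverse-engineered. The word-like output of the second generator also shows why per-name "does this look random" checks are a weak signal on their own.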