New method finds botnets that hide behind changing domains

By , CSO |  Security, botnets, security

Texas A&M officials say Reddy's method looks at the pattern and distribution of alphabetic characters in a domain name to determine whether it's malicious or legitimate. This allows them to spot botnets' algorithmically generated domain names.

"Our method analyzes only DNS traffic and hence is easily scalable to large networks," said Reddy. "It can detect previously unknown botnets by analyzing a small fraction of the network traffic."

Botnets using both IP fast-flux and domain fast-flux can also be detected by the proposed technique, according to Reddy. IP fast-flux is a round-robin method in which malicious websites are constantly rotated across several IP addresses, with their DNS records changed to prevent discovery by researchers, ISPs or law enforcement. Using the new detection method, Reddy's team discovered two previously unknown botnets. One generates 57-character random names; the second generates names by concatenating two dictionary words.
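The character-distribution idea described above, as an added illustration (not code from Reddy's group or from CERT's tool): a group of queried domain names is pooled into one letter-frequency distribution and compared with an English-letter baseline using KL divergence. The baseline frequencies, the 0.5-bit threshold and the sample names are constructed assumptions; the two sample groups mirror the two botnet naming styles the article describes, and the result shows why a single-letter test catches the random names but not the dictionary-word names.

```python
import hashlib
import math
from collections import Counter

# Constructed baseline: approximate English letter frequencies (percent),
# standing in for the distribution seen in legitimate domain names.
ENGLISH = dict(zip("abcdefghijklmnopqrstuvwxyz", [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))
ALPHABET = sorted(ENGLISH)
BASELINE = {c: ENGLISH[c] / sum(ENGLISH.values()) for c in ALPHABET}

def second_level_label(domain):
    """'www.example.com' -> 'example': the label a DGA actually generates."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def letter_distribution(labels):
    """Pool all letters of a group of labels into one unigram distribution
    (add-one smoothing keeps every letter's probability non-zero)."""
    counts = Counter(ch for label in labels for ch in label if ch in BASELINE)
    total = sum(counts.values()) + len(ALPHABET)
    return {c: (counts[c] + 1) / total for c in ALPHABET}

def kl_divergence(p, q):
    """KL(p || q) in bits: how far the observed letters stray from the baseline."""
    return sum(p[c] * math.log2(p[c] / q[c]) for c in ALPHABET)

def score_group(domains):
    """Divergence of a group's pooled letter distribution from the baseline.
    Uniformly random labels land near 0.9 bits; English-like ones stay low."""
    labels = [second_level_label(d) for d in domains]
    return kl_divergence(letter_distribution(labels), BASELINE)

def is_suspicious(domains, threshold=0.5):
    """Flag a group of names (e.g. all names one host queried) as likely DGA output."""
    return score_group(domains) > threshold

def random_label(i, length=57):
    """Constructed, deterministic stand-in for a DGA's 57-character random name."""
    digest = hashlib.sha512(f"constructed-sample-{i}".encode()).digest()
    return "".join(ALPHABET[b % 26] for b in digest[:length])

# Constructed sample groups mirroring the two botnets described in the article.
RANDOM_NAMES = [random_label(i) + ".com" for i in range(20)]
WORD_NAMES = [w + ".net" for w in (
    "sunflowerbridge riverstone gardenhouse mountainfield silverforest "
    "goldenharbor winterlight summermeadow stonecastle greenvalley bluewater "
    "redrocket northstar openwindow quietcorner paperplane blackcoffee "
    "whitepearl sandcastle firewood").split()]
```

Only the random group crosses the threshold; the dictionary-word group looks like ordinary English at the single-letter level, so detecting it needs features beyond unigram frequencies.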

CERT, a nationwide network security coordination lab based at Carnegie Mellon University, is building a tool based on Reddy's technique and plans to distribute it for public use.


Originally published on CSO.