infosec-news February 2011 archive
Main Archive Page > Month Archives  > infosec-news archives
infosec-news: [ISN] Tracking The Botnet's DNS Trail

[ISN] Tracking The Botnet's DNS Trail

From: InfoSec News <alerts_at_nospam>
Date: Wed Feb 09 2011 - 07:27:36 GMT

By Kelly Jackson Higgins
Feb 08, 2011

A researcher is looking at mapping trends in Domain Name System (DNS)
queries to better pinpoint stealthy botnet activity and ultimately the
botnet's command and control (C&C) infrastructure.

Zhi-Li Zhang, a professor at the University of Minnesota, is looking at
new methods for detecting botnets that try to hide behind alternating
domain names in what's called DNS domain-fluxing -- also known as domain
generation algorithm (DGA). In domain-fluxing, the bot queries a series
of domain names, but the domain owner registers just one. The Conficker,
Kraken, and Torpig botnets all use this method of evasion.

To get to the C&C for these types of botnets, researchers typically have
to reverse-engineer the bot malware and then figure out the domains that
are generated regularly in order to register them as a way to infiltrate
the botnet. But that process is time-consuming and resource-intensive,
researchers say.

Zhang recently came up with a way to graph failed DNS queries in order
to root out these types of botnets. "The basic idea of our approach is
to observe and analyze DNS failures to identify and pinpoint domain-flux
botnets, which tend to generate a large amount of failed DNS queries,"
Zhang says. He and his research team basically map all of the failed DNS
queries and then extract the most dominant subgraphs, he says.


Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery
Network, Cisco Switches, SAS 70 Type II Datacenter.
Find peace of mind, Defend your Critical Infrastructure.