ABSTRACT
In this paper we focus on detecting and clustering distinct groupings of domain names that are queried by numerous sets of infected machines. We propose to analyze domain name system (DNS) traffic, such as Non-Existent Domain (NXDomain) queries, at several premier Top Level Domain (TLD) authoritative name servers to identify strongly connected cliques of malware related domains. We illustrate typical malware DNS lookup patterns when observed on a global scale and utilize this insight to engineer a system capable of detecting and accurately clustering malware domains to a particular variant or malware family without the need for obtaining a malware sample. Finally, the experimental results of our system will provide a unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.
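To make the clustering idea in the abstract concrete, the following is an added example, not code from the paper: it reads constructed NXDomain records of the kind a TLD authoritative server could log, links two names when enough distinct resolvers queried both, and reports the maximal cliques of that co-query graph as candidate clusters. The record layout, the names and the resolver addresses are all assumptions made up for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records: "<timestamp> <querying-resolver> <qname> <rcode>".
# Three names are asked for by the same two resolvers, two others by a different pair,
# and the last two lines are noise (a lone typo lookup and a successful query).
SAMPLE_LOG = """\
1393001 10.0.0.1 qwzkfj.example NXDOMAIN
1393002 10.0.0.2 qwzkfj.example NXDOMAIN
1393003 10.0.0.1 plmrtx.example NXDOMAIN
1393004 10.0.0.2 plmrtx.example NXDOMAIN
1393005 10.0.0.1 zvbnqa.example NXDOMAIN
1393006 10.0.0.2 zvbnqa.example NXDOMAIN
1393007 10.0.0.4 hgtrwe.example NXDOMAIN
1393008 10.0.0.5 hgtrwe.example NXDOMAIN
1393009 10.0.0.4 kjuyhn.example NXDOMAIN
1393010 10.0.0.5 kjuyhn.example NXDOMAIN
1393011 10.0.0.1 gogle.example NXDOMAIN
1393012 10.0.0.9 www.example NOERROR
"""

def parse_nxdomain(log):
    """Map each NXDomain name to the set of resolvers that asked for it."""
    queriers = defaultdict(set)
    for line in log.splitlines():
        _, resolver, qname, rcode = line.split()
        if rcode == "NXDOMAIN":          # successful lookups carry no signal here
            queriers[qname].add(resolver)
    return queriers

def build_graph(queriers, min_shared=2):
    """Undirected graph: edge when at least min_shared resolvers queried both names."""
    adj = defaultdict(set)
    for a, b in combinations(sorted(queriers), 2):
        if len(queriers[a] & queriers[b]) >= min_shared:
            adj[a].add(b); adj[b].add(a)
    return adj

def maximal_cliques(adj):
    """Bron-Kerbosch without pivoting; adequate for the small graphs built here."""
    out = []
    def expand(r, p, x):
        if not p and not x:
            out.append(frozenset(r)); return
        for v in list(p):
            expand(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}; x = x | {v}
    expand(set(), set(adj), set())
    return out

def cluster_domains(log, min_shared=2):
    """Candidate clusters: maximal cliques of size > 1, as sorted lists of names."""
    cliques = maximal_cliques(build_graph(parse_nxdomain(log), min_shared))
    return sorted(sorted(c) for c in cliques if len(c) > 1)
```

Raising `min_shared` trades recall for precision: the single-resolver typo never joins a cluster, and at `min_shared=3` the sample yields no clusters at all.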
Kindred domains: detecting and clustering botnet domains using DNS traffic