Tracking and Characterizing Botnets Using Automatically Generated Domains presented at HITBSecConf Malaysia 2013

by Stefano Zanero

Summary: Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures that are difficult to track or deactivate. Considerable attention has been given to recognizing automatically generated domains (AGDs) in DNS traffic in order to identify previously unknown AGDs, which helps in disrupting botnets' communication capabilities.
Unfortunately, until now such approaches have required deploying low-level DNS sensors to collect data whose collection raises practical and privacy issues, making their adoption problematic. Instead, we propose a system that exploits publicly available, privacy-preserving databases of historical recursive-level DNS traffic. By analyzing such data with linguistic models of suspicious domains, we are able to identify automatically generated domain names, characterize their DGAs, isolate logical groups of domains that represent the respective botnets, enrich those groups with new, previously unknown automatically generated domain names, and produce novel knowledge about the evolving behavior of each tracked botnet.
We evaluated our approach on millions of real-world domains, and showed that it correctly isolates families of automatically generated domains that belong to distinct DGAs, and distinguishes automatically generated from non-automatically generated domains in 94.8 percent of the cases. We will show several case studies of our system at work.
This is the result of a joint project between Politecnico di Milano and Royal Holloway University of London, with the help of Dr. Lorenzo Cavallaro and Dr. Federico Maggi.
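As an added illustration of the two ideas in the summary (scoring domain names with linguistic features, then isolating logical groups of the flagged ones), the following Python script is example code written for this page, not the authors' system or its model: the feature set, the weights, the threshold and the coarse grouping signature are all assumptions, and every domain in it is constructed, not a real indicator.

```python
import math
from collections import defaultdict
# Small stand-in for a dictionary (assumption of this example, not the talk's model).
WORDS = ("google", "wiki", "pedia", "poli", "mail", "news", "bank", "shop")
# Constructed sample domains (not real indicators): legitimate-looking names plus two made-up families.
SAMPLE_DOMAINS = [
    "google.com", "wikipedia.org", "amazon.com", "polimi.it",
    "xkqzvbwplmtrf.com", "ztyqmvrpbcxkl.com",  # family A: 13 letters, .com
    "a1b2c3d4e5f6.net", "k9m2p4q7r8s1.net",    # family B: 12 alnum chars, .net
]

def second_level_label(domain):
    """'www.example.com' -> 'example'; the TLD carries little linguistic signal."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    """Bits per character: uniformly random strings score near log2(len(s))."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def vowel_ratio(s):
    return sum(c in "aeiou" for c in s) / max(len(s), 1)

def meaningful_ratio(s):
    """Fraction of characters covered by at least one dictionary word."""
    covered = [False] * len(s)
    for w in WORDS:
        start = s.find(w)
        while start != -1:
            covered[start:start + len(w)] = [True] * len(w)
            start = s.find(w, start + 1)
    return sum(covered) / max(len(s), 1)

def agd_score(domain):
    """High entropy, few vowels and no dictionary words push the score up (assumed weights)."""
    label = second_level_label(domain)
    return shannon_entropy(label) / 4 + (0.4 - vowel_ratio(label)) * 2 - meaningful_ratio(label)

def is_agd(domain, threshold=0.8):
    return agd_score(domain) >= threshold

def group_agds(domains):
    """Cluster flagged domains by a coarse DGA signature: (label length, TLD, uses digits)."""
    groups = defaultdict(list)
    for d in domains:
        if is_agd(d):
            label = second_level_label(d)
            groups[(len(label), d.rsplit(".", 1)[-1], any(c.isdigit() for c in label))].append(d)
    return dict(groups)
```

On the constructed sample, `group_agds(SAMPLE_DOMAINS)` leaves the four legitimate-looking names unflagged and separates the two made-up families into distinct groups; a real deployment would replace the hand-picked weights with a model fitted on labelled data.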