Monitoring a Fast Flux botnet using recursive and passive DNS: A case study presented at ecrime 2013

by Dhia Mahjoub.

Summary: Despite having been around for years, fast flux is still used by cybercriminals as an evasion technique to keep their operations online at all times. In this case study, we describe how we monitor the evolution of a fast flux botnet in real time using recursive and in-house passive DNS. We focus on a sample of the Kelihos botnet: we track how its population of infected hosts grows over time, and we detect the new fast flux domains hosted by the botnet as soon as they appear in our DNS traffic. These domains serve various types of malware and trojans. We present several results on the hosts' geographical distribution, operating system breakdown, botnet size fluctuation over the course of the day, the malicious domains' DNS traffic patterns, and how malware uses these domains.
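To make the monitoring approach in the summary concrete, here is an added illustration (not code from the case study or its authors) that scores passive DNS observations with common fast flux indicators and then lists previously unseen domains resolving to hosts already attributed to the botnet. The observations, the `.test` domain names and the thresholds are constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed passive DNS A-record observations: (unix_time, qname, rdata, ttl).
# Values are made up for illustration, not data from the case study.
OBSERVATIONS = [
    (1000, "flux-example.test", "198.51.100.10", 300),
    (1300, "flux-example.test", "203.0.113.77", 280),
    (1600, "flux-example.test", "192.0.2.45", 300),
    (1900, "flux-example.test", "198.51.100.200", 290),
    (2200, "flux-example.test", "203.0.113.9", 300),
    (2500, "flux-example.test", "192.0.2.130", 300),
    (1000, "static-example.test", "192.0.2.1", 86400),
    (50000, "static-example.test", "192.0.2.1", 86400),
    (100000, "static-example.test", "192.0.2.2", 86400),
    (2600, "newflux-example.test", "203.0.113.77", 300),
]

def summarize(observations):
    """Per-domain features that separate flux hosting from ordinary hosting."""
    per_domain = defaultdict(list)
    for ts, qname, rdata, ttl in observations:
        per_domain[qname].append((ts, rdata, ttl))
    features = {}
    for qname, rows in per_domain.items():
        rows.sort()
        ips = {r[1] for r in rows}
        # /16 prefix count stands in for "spread over many networks" when no ASN data is at hand
        prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
        features[qname] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(r[2] for r in rows),
            # how often the answer flipped between consecutive observations
            "ip_changes": sum(1 for a, b in zip(rows, rows[1:]) if a[1] != b[1]),
        }
    return features

def is_fast_flux(f, min_ips=5, max_ttl=600, min_prefixes=3):
    """Heuristic (assumed thresholds): many short-lived answers across unrelated networks."""
    return (f["distinct_ips"] >= min_ips and f["min_ttl"] <= max_ttl
            and f["distinct_prefixes"] >= min_prefixes)

def new_domains_on_bot_ips(observations, bot_ips, known_domains):
    """Domains not seen before that resolve to IPs already attributed to the botnet."""
    return sorted({q for _, q, ip, _ in observations if ip in bot_ips and q not in known_domains})

if __name__ == "__main__":
    feats = summarize(OBSERVATIONS)
    flux = [d for d, f in feats.items() if is_fast_flux(f)]
    bot_ips = {ip for _, d, ip, _ in OBSERVATIONS if d in flux}
    print("fast flux:", flux)
    print("new domains on botnet hosts:", new_domains_on_bot_ips(OBSERVATIONS, bot_ips, set(flux)))
```

In practice the second step is what lets a defender catch a new domain on its first resolution: the infected hosts are already known, so a single answer pointing at one of them is enough to flag the domain before its own flux pattern is visible.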