Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting DGA Botnets Using DNS Traffic

Published byEmil Pearson Modified over 7 years ago

Similar presentations

Presentation on theme: "Detecting DGA Botnets Using DNS Traffic"— Presentation transcript:

1 Detecting DGA Botnets Using DNS Traffic
Han Zhang (Salesforce) Christos Papadopoulos (Colorado State University) Calvin Ardi (University of Southern California/ISI) John Heidemann (University of Southern California/ISI) 1

2 Outline Introduction Why Use DNS for Bot Detection
BotDigger Methodology BotDigger Deployment Discussion Future Work 1 1

3 Botnets Botnets can be used to perform many attacks: Monetary losses:
FBI: “Botnets have caused over $9 billion in losses to U.S. victims and over $110 billion in losses globally.” U.S. Justice Department: “Botnet Gameover Zeus is responsible for more than $100 million in losses” Attack Botnets Spam Conficker, Kraken DDoS BlackEnergy, MrBlack Click Fraud ZeroAccess, Chameleon Ransomware Vundo, Gameover ZeuS Steal Data Sinowal, Alureon 2 1

4 Botnets A set of infected computers (bots), following the same commands from bot master via command & control (C&C) channels Enterprise Network A Public Internet Bot Master Enterprise Network B bot bot bot bot 3 1

5 Traditional HTTP-based Botnets
Rendezvous with a C&C domain C&C domain was hardcoded in binary C&C domain can be extracted and blacklisted DNS Server IP for sends packets to Hardcoded C&C server: Bot C&C server 4

6 Advanced Botnets - DGA Botnets
Generate C&C domains dynamically based on Domain Generation Algorithm (DGA) DNS Server DGA domains jlrjldt.tw faltmzlss.be hshpvi.co.vi ltlq.to bfxovk.us zrozexae.fr duohkfes.ch sobsgmob.sk tfxbpxi.com.hn IP for jlrjldt.tw? Not Exist Bot C&C server 5

7 Advanced Botnets - DGA Botnets
DNS Server DGA domains jlrjldt.tw faltmzlss.be hshpvi.co.vi ltlq.to bfxovk.us zrozexae.fr duohkfes.ch sobsgmob.sk tfxbpxi.com.hn IP for faltmzlss.be? Not Exist Bot C&C server 6

8 Advanced Botnets - DGA Botnets
DNS Server DGA domains jlrjldt.tw faltmzlss.be hshpvi.co.vi ltlq.to bfxovk.us zrozexae.fr duohkfes.ch sobsgmob.sk tfxbpxi.com.hn IP for hshpvi.co.vi? sends packets to Bot C&C server 7

9 Using DNS to Detect DGA Botnets 8

10 Why DNS? DGA bots have to query IPs for the C&C domains
DGA bots have unique DNS traffic pattern Amount of DNS traffic is relatively small, enabling sophisticated analysis compared to deep packet analysis Bots can be detected immediately after they are infected 9

11 Limitations of Prior Work
Prior work relies on knowledge from a group of bots: A single enterprise network may not have multiple bots Requires data collected from multiple networks, or an upper level DNS server Need: Detect single bot using DNS traffic captured from a single enterprise network Prior Work Data Requirements Pleiades [1] DNS traffic from a large ISP Notos [2] DNS traffic from multiple RDNS servers Kopis [3] DNS traffic from upper level servers Yadav, et al [4] Reverse DNS crawl of the entire IPv4 space [1] M. Antonakakis, et al. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware [2] M. Antonakakis, et al, Building a Dynamic Reputation System for DNS 10 [3] M. Antonakakis,et al, Detecting Malware Domains at the Upper DNS Hierarchy. [4] S. Yadav et al, Detecting Algorithmically Generated Malicious Domain Names 1

12 Methodology 11

13 Ideas behind BotDigger
DGA bots have unique DNS traffic pattern Quantity: Query a large number of NXDomains Temporal: Different rates of querying suspicious NXDomains Linguistic: DGA NXDomains and C&C domains have similar linguistic attributes 12

14 BotDigger Overview DNS Quantity Traffic Evidence Aggregation Temporal
Suspicious NXDomain Filters Temporal Evidence C&C IP & Domains Linguistic Evidence Detected Bots 13

15 Quantity Evidence Most hosts are legitimate, sending small number of suspicious NXDomains Bot is the outlier in terms of suspicious NXDomains Blend a bot with one hour university DNS traffic Bot 14

16 Temporal Evidence The number of suspicious NXDomains increases quickly when the bot begins to look for the C&C domain The number of suspicious NXDomains increases slowly or stops increasing when the bot hits the C&C domain Bot 15

17 Linguistic Evidence DGA NXDomains have similar linguistic attributes
C&C domains share similar attributes with NXDomains NXDomains queried by a DGA bot: dyayxsgsv.net, yylnfnwjqb.com wdzitdojre.dyndns.org, svahvjnve.net mudvpcrwhgj.com, qzudjqxkykxs.com Linguistic Attributes: For most domains: no dictionary word Number of distinct digitals in 2LD is 0 Number of distinct chars in 2LD is between 7-11 The corresponding C&C doamin: kyqqnrkwijs.dyndns.org 16

18 Detecting C&C IPs and Domains
DNS Traffic Quantity Evidence Aggregation Suspicious NXDomain Filters Temporal Evidence C&C IP & Domains Linguistic Evidence Detected Bots 17

19 Aggregation - Reduce False Positives
Detected Bots Look for the IPs that are mapped to more than 10 C&C domain candidates in the past 30 days. C&C Domain/IP Candidates jstmvtwpvje.ws, fpaczhbapaj.ws, jjxzom.ws, ptqonlsb.ws, jfacv.ws,nqfnl.ws,zlccabhd.ws, gdcrt.ws,idkfxn.ws,ldotxcjags.ws xltlngki.ws, fhdbllt.ws,dundfgfh.ws History Information C&C Domain/IP 18 1

20 Evaluation - Bot Traces
140 Kraken Bots 1000 Simulated Conficker Bots Detect 100% Kraken and 99.9% Conficker bots. 19 1

21 Evaluation - University Trace
Dataset: one week of campus DNS traffic Results: 33 out of (0.16%) hosts labeled as bot candidates Validation: Check C&C domain candidates and IP addresses through VirusTotal and TrustedSource 22 out of 33 bot candidates labeled suspicious False positives are at most 11 hosts 20 1

22 BotDigger Deployment 21

23 BotDigger Deployment Deployed at Colorado State University, USC/ISI, LANL, and Northrop Grumman Open source on GitHub Modes of Operation Real-time detection Offline-line detection Deployment is easy, BotDigger only needs DNS traffic from a single network 22 1

24 Deployment at Colorado State University
Deployed at CSU at December, 2016 Operated by NetSec group at CSU CSU network has more than 20,000 users Detected 3630 C&C domains 23 1

25 BotDigger Deployment at CSU
Network RDNS Mirror port DNS traffic RDNS Internet BotDigger RDNS Mirror port DNS traffic RDNS 24 1

26 Deployment at USC/ISI, LANL, and Northrop Grumman
Operated by Calvin Ardi (USC) Botnet activity lists generated at CSU Securely distributed to USC/ISI, LANL, and Northrop Grumman Via Retro-Future for authentication, authorization, privacy Evaluated against local DNS traffic at each site 25 1

27 Deployment at USC/ISI Between Feb-14-2017- and Apr-15-2017
Do sites see possible malicious activity that CSU detected? USC/ISI finds matches in local DNS traffic 29 distinct domains resolving to 2 IPs 1 additional domain seen by both CSU and USC/ISI 26

28 Discussion 27

29 What Botnets Can BotDigger Detect?
Old botnets (Kraken and Conficker.C) are used for evaluation Can BotDigger detect other more recent botnets? C&C IP Detected by BotDigger Botnet Bedep botnet , , Necrus botnet to distribute Locky ransomware Revived PushDo botnet with DGA capability, to distribute CryptoWall Ransomware Conficker Conficker.B 28

30 Can BotDigger Detect New C&C Domains?
CSU deployment: 3630 C&C domains were detected since December, 2016 We checked all of these domains at VirusTotal via their Rest API 2478 domains are labeled as malicious 1152 (31.7%) out of 3630 domains are new These domains are mapped to the detected C&C IPs They are random-looking and are very similar as the other labeled malicious 2478 domains 29 1

31 Can BotDigger Detect New Botnets?
Observations: The domains are composed of a set of dictionary words: louis, vuitton, coach, outlet, factory, store Many domain contain typos (e.g., coachh, outlete, storee, etc) NXDomains queried by a labeled host BotDigger is capable of detecting hosts whose queried domains are generated from a set of dictionary words, which can be used by future smart botnets 30

32 False Positives southyellowstonelodging.com,grandtetoncabins.com, yellowstonelodging.ws,duboiswyoming.net, yellowstoneparkreservations.org,yellowstonevacationhomes.org, wyomingbedandbreakfast.net,yellowstoneparklodging.org, southyellowstonecabins.com, 31 1

33 Future Work Reduce false positives
Deploy BotDigger at more enterprises and universities Continue sharing the bot lists Build a platform for information sharing (e.g., C&C domains and IPs) Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) Support more formats (e.g., dns.log) 32

34 Thanks BotDigger is available at GitHub:
Sharing bot lists captured from multiple networks: Thanks 33

Download ppt "Detecting DGA Botnets Using DNS Traffic"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Your Botnet is My Botnet: Analysis of a Botnet Takeover

Your Botnet is My Botnet: Analysis of a Botnet Takeover
Kindred Domains: Detecting and Clustering Botnet Domains Using DNS Traffic Matt Thomas Data Architect, Verisign Labs.

Kindred Domains: Detecting and Clustering Botnet Domains Using DNS Traffic Matt Thomas Data Architect, Verisign Labs.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
Denial of Service A Brief Overview. Denial of Service Significance of DoS in Internet Security Low-Rate DoS Attacks – Timing and detection – Defense High-Rate,

Denial of Service A Brief Overview. Denial of Service Significance of DoS in Internet Security Low-Rate DoS Attacks – Timing and detection – Defense High-Rate,
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Similar presentations

Ads by Google