Detecting DGA Botnets Using DNS Traffic
Han Zhang (Salesforce)
Christos Papadopoulos (Colorado State University)
Calvin Ardi (University of Southern California/ISI)
John Heidemann (University of Southern California/ISI)
Outline
Introduction
Why Use DNS for Bot Detection
BotDigger Methodology
BotDigger Deployment
Discussion
Future Work
Botnets
Botnets can be used to perform many attacks.
Monetary losses:
FBI: “Botnets have caused over $9 billion in losses to U.S. victims and over $110 billion in losses globally.”
U.S. Justice Department: “Botnet Gameover Zeus is responsible for more than $100 million in losses”

Attack        Botnets
Spam          Conficker, Kraken
DDoS          BlackEnergy, MrBlack
Click Fraud   ZeroAccess, Chameleon
Ransomware    Vundo, Gameover ZeuS
Steal Data    Sinowal, Alureon
Botnets
A botnet is a set of infected computers (bots) that follow the same commands from a bot master via command and control (C&C) channels.
[Diagram: bots inside Enterprise Network A and Enterprise Network B, controlled by a Bot Master across the Public Internet]
Traditional HTTP-based Botnets
Rendezvous with a C&C domain
The C&C domain is hardcoded in the binary
The C&C domain can therefore be extracted and blacklisted
[Diagram: the bot asks the DNS server for the IP of the hardcoded C&C domain, then sends packets to the C&C server]
Advanced Botnets - DGA Botnets
Generate C&C domains dynamically based on a Domain Generation Algorithm (DGA).
DGA domains shown on the slide: jlrjldt.tw, faltmzlss.be, hshpvi.co.vi, ltlq.to, bfxovk.us, zrozexae.fr, duohkfes.ch, sobsgmob.sk, tfxbpxi.com.hn
[Diagram, three steps: the bot asks the DNS server for the IP of jlrjldt.tw (does not exist), then for faltmzlss.be (does not exist), then for hshpvi.co.vi, which resolves, and the bot sends packets to the C&C server]
Using DNS to Detect DGA Botnets
Why DNS?
DGA bots have to query IPs for the C&C domains
DGA bots have a unique DNS traffic pattern
The amount of DNS traffic is relatively small, which enables more sophisticated analysis than deep packet inspection allows
Bots can be detected immediately after they are infected
Limitations of Prior Work
Prior work relies on knowledge from a group of bots:
A single enterprise network may not have multiple bots
Requires data collected from multiple networks, or from an upper-level DNS server
Need: detect a single bot using DNS traffic captured from a single enterprise network

Prior Work         Data Requirements
Pleiades [1]       DNS traffic from a large ISP
Notos [2]          DNS traffic from multiple RDNS servers
Kopis [3]          DNS traffic from upper-level servers
Yadav et al. [4]   Reverse DNS crawl of the entire IPv4 space

[1] M. Antonakakis et al., From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware
[2] M. Antonakakis et al., Building a Dynamic Reputation System for DNS
[3] M. Antonakakis et al., Detecting Malware Domains at the Upper DNS Hierarchy
[4] S. Yadav et al., Detecting Algorithmically Generated Malicious Domain Names
Methodology
Ideas behind BotDigger
DGA bots have a unique DNS traffic pattern:
Quantity: they query a large number of NXDomains
Temporal: the rate at which they query suspicious NXDomains changes over time
Linguistic: DGA NXDomains and C&C domains have similar linguistic attributes
BotDigger Overview
[Pipeline diagram: DNS Traffic → Suspicious NXDomain Filters → Quantity Evidence → Temporal Evidence → Linguistic Evidence → Aggregation → C&C IP & Domains and Detected Bots]
Quantity Evidence
Most hosts are legitimate and send a small number of suspicious NXDomains
The bot is the outlier in terms of suspicious NXDomains
[Plot: a bot blended into one hour of university DNS traffic; the bot stands apart from every other host]
Temporal Evidence
The number of suspicious NXDomains increases quickly when the bot begins to look for the C&C domain
The number of suspicious NXDomains increases slowly or stops increasing when the bot hits the C&C domain
[Plot: cumulative suspicious NXDomains over time for the bot]
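As an added example (not the paper's or BotDigger's own code), the following Python computes the quantity and temporal evidence described on the two slides above over a constructed DNS log; the leave-one-out outlier threshold and the 60-second windows are simplifications chosen for the example, not the paper's parameters.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed DNS log (not data from the paper): (seconds since capture start,
# client IP, query name, response code). Benign hosts produce a handful of
# NXDomains (typos, stale names); host 10.0.0.9 behaves like a DGA bot.
RECORDS = [
    (5, "10.0.0.2", "mail.example.edu", "NOERROR"),
    (40, "10.0.0.2", "wwww.example.edu", "NXDOMAIN"),
    (70, "10.0.0.3", "intranet.exmple.edu", "NXDOMAIN"),
    (90, "10.0.0.4", "cdn.example.net", "NOERROR"),
    (150, "10.0.0.4", "old-host.example.edu", "NXDOMAIN"),
    (200, "10.0.0.4", "printer7.example.edu", "NXDOMAIN"),
    (300, "10.0.0.5", "www.example.org", "NOERROR"),
]
# The bot: 40 failed lookups in its first two minutes, then one successful
# lookup (the C&C candidate) and no further NXDomains. Names are placeholders.
RECORDS += [(3 * i, "10.0.0.9", f"cand{i:02d}.example.ws", "NXDOMAIN")
            for i in range(40)]
RECORDS.append((125, "10.0.0.9", "cand40.example.ws", "NOERROR"))

def nxdomain_counts(records):
    """Quantity evidence: NXDomain responses per client host."""
    counts = Counter()
    for _, host, _, rcode in records:
        if rcode == "NXDOMAIN":
            counts[host] += 1
    return counts

def quantity_outliers(counts, k=2.0):
    """Hosts whose NXDomain count exceeds mean + k*stdev of the *other* hosts.
    Leave-one-out stops a single bot from inflating its own threshold. This is
    a simplified outlier rule for the example, not the paper's exact rule."""
    flagged = []
    for host, n in counts.items():
        others = [c for h, c in counts.items() if h != host]
        if len(others) >= 2 and n > mean(others) + k * pstdev(others):
            flagged.append(host)
    return sorted(flagged)

def temporal_profile(records, host, window=60):
    """Temporal evidence: new NXDomains per window for one host. A DGA bot shows
    large early increments that fall to zero once the C&C domain resolves."""
    last = max(t for t, _, _, _ in records)
    increments = [0] * (last // window + 1)
    for t, h, _, rcode in records:
        if h == host and rcode == "NXDOMAIN":
            increments[t // window] += 1
    return increments
```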
Linguistic Evidence
DGA NXDomains have similar linguistic attributes
C&C domains share similar attributes with the NXDomains
NXDomains queried by a DGA bot: dyayxsgsv.net, yylnfnwjqb.com, wdzitdojre.dyndns.org, svahvjnve.net, mudvpcrwhgj.com, qzudjqxkykxs.com
Linguistic attributes:
For most domains: no dictionary word
Number of distinct digits in the 2LD is 0
Number of distinct characters in the 2LD is between 7 and 11
The corresponding C&C domain: kyqqnrkwijs.dyndns.org
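Added example (not BotDigger's code): computing the three linguistic attributes listed on the slide for the NXDomains above and checking whether the C&C domain falls inside their range. The suffix set and word list are small constructed stand-ins for a public-suffix list and a dictionary; treating dyndns.org as a suffix is an assumption made so the 2LD is the attacker-chosen label.

```python
# Constructed suffix set standing in for a public-suffix lookup (assumption):
# dynamic-DNS providers count as suffixes so the 2LD is the attacker-chosen label.
SUFFIXES = {"dyndns.org", "co.vi", "com.hn"}
# Tiny constructed word list; a deployment would load a full dictionary.
WORDS = {"yellow", "stone", "lodging", "cabins", "coach", "outlet", "store",
         "louis", "vuitton", "factory", "mail", "news"}

# Domains from the slide: NXDomains queried by one DGA bot and the C&C domain it hit.
NXDOMAINS = ["dyayxsgsv.net", "yylnfnwjqb.com", "wdzitdojre.dyndns.org",
             "svahvjnve.net", "mudvpcrwhgj.com", "qzudjqxkykxs.com"]
CC_DOMAIN = "kyqqnrkwijs.dyndns.org"

def second_level_label(domain):
    """Return the 2LD label, treating entries in SUFFIXES like a TLD."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) > 2 and ".".join(labels[-2:]) in SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def linguistic_attributes(domain):
    """The three attributes the slide lists, computed on the domain's 2LD."""
    label = second_level_label(domain)
    return {
        "has_word": any(w in label for w in WORDS),
        "distinct_digits": len({c for c in label if c.isdigit()}),
        "distinct_chars": len(set(label)),
    }

def nxdomain_profile(domains):
    """Summarise a host's NXDomains: majority word presence plus the observed
    ranges of distinct digits and distinct characters."""
    attrs = [linguistic_attributes(d) for d in domains]

    def span(key):
        return (min(a[key] for a in attrs), max(a[key] for a in attrs))

    return {
        "has_word": sum(a["has_word"] for a in attrs) * 2 > len(attrs),
        "distinct_digits": span("distinct_digits"),
        "distinct_chars": span("distinct_chars"),
    }

def matches_profile(domain, profile):
    """Does a resolved candidate look like the NXDomains that preceded it?"""
    a = linguistic_attributes(domain)
    lo_d, hi_d = profile["distinct_digits"]
    lo_c, hi_c = profile["distinct_chars"]
    return (a["has_word"] == profile["has_word"]
            and lo_d <= a["distinct_digits"] <= hi_d
            and lo_c <= a["distinct_chars"] <= hi_c)
```

A dictionary-word domain such as yellowstonelodging.com has 11 distinct characters, inside the range, but fails the word check, which is what keeps it out of the profile.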
Detecting C&C IPs and Domains
[Pipeline diagram repeated with the Aggregation stage highlighted: DNS Traffic → Suspicious NXDomain Filters → Quantity, Temporal and Linguistic Evidence → Aggregation → C&C IP & Domains and Detected Bots]
Aggregation - Reduce False Positives
Look for the IPs that are mapped to more than 10 C&C domain candidates in the past 30 days.
C&C domain/IP candidates from a detected bot: jstmvtwpvje.ws, fpaczhbapaj.ws, jjxzom.ws, ptqonlsb.ws, jfacv.ws, nqfnl.ws, zlccabhd.ws, gdcrt.ws, idkfxn.ws, ldotxcjags.ws, xltlngki.ws, fhdbllt.ws, dundfgfh.ws
[Diagram: Detected Bots → C&C Domain/IP Candidates → checked against History Information → confirmed C&C Domain/IP]
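Added example (not BotDigger's code): the aggregation rule from the slide applied to a constructed resolution history, using the slide's thresholds of more than 10 candidate domains within 30 days. Domain names and IPs are placeholders (RFC 5737 example addresses), and the reference date NOW is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolution history (not real indicators): (time the candidate
# resolved, candidate C&C domain, IP it resolved to). IPs are RFC 5737 examples.
HISTORY = [(datetime(2017, 3, 1 + i), f"cand{i:02d}.example.ws", "192.0.2.10")
           for i in range(13)]  # 13 random-looking names, all on one IP
HISTORY += [
    (datetime(2017, 3, 20), "yellowstonelodging.example", "198.51.100.5"),
    (datetime(2017, 3, 21), "grandtetoncabins.example", "198.51.100.5"),
    (datetime(2016, 12, 1), "oldcandidate.example", "198.51.100.5"),  # outside window
]
NOW = datetime(2017, 3, 26)  # assumed reference time for the example

def confirmed_cc_ips(history, now, min_domains=10, window_days=30):
    """Aggregation step from the slide: an IP is confirmed as C&C when more than
    `min_domains` distinct candidate domains resolved to it in the last
    `window_days` days. Returns {ip: sorted domains} for confirmed IPs only."""
    since = now - timedelta(days=window_days)
    by_ip = defaultdict(set)
    for ts, domain, ip in history:
        if ts >= since:
            by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > min_domains}

def confirm_bot(candidates, confirmed):
    """Keep only a detected host's (domain, ip) candidates whose IP is confirmed;
    a host with no surviving candidate is treated as a false positive."""
    kept = [(dom, ip) for dom, ip in candidates if ip in confirmed]
    return {"is_bot": bool(kept), "cc": kept}
```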
Evaluation - Bot Traces
140 Kraken bots
1000 simulated Conficker bots
BotDigger detects 100% of the Kraken bots and 99.9% of the Conficker bots.
Evaluation - University Trace
Dataset: one week of campus DNS traffic
Results: 33 hosts (0.16% of all hosts) labeled as bot candidates
Validation: C&C domain candidates and IP addresses checked through VirusTotal and TrustedSource
22 out of 33 bot candidates labeled suspicious
False positives: at most 11 hosts
BotDigger Deployment
BotDigger Deployment
Deployed at Colorado State University, USC/ISI, LANL, and Northrop Grumman
Open source on GitHub
Modes of operation: real-time detection and offline detection
Deployment is easy: BotDigger only needs DNS traffic from a single network
Deployment at Colorado State University
Deployed at CSU in December 2016
Operated by the NetSec group at CSU
The CSU network has more than 20,000 users
Detected 3630 C&C domains
BotDigger Deployment at CSU
[Diagram: DNS traffic between the campus network and each RDNS server is copied from a mirror port to BotDigger; the RDNS servers resolve names via the Internet]
Deployment at USC/ISI, LANL, and Northrop Grumman
Operated by Calvin Ardi (USC)
Botnet activity lists are generated at CSU
Securely distributed to USC/ISI, LANL, and Northrop Grumman via Retro-Future, which provides authentication, authorization, and privacy
Evaluated against local DNS traffic at each site
Deployment at USC/ISI between Feb 14, 2017 and Apr 15, 2017
Do sites see possible malicious activity that CSU detected?
USC/ISI finds matches in local DNS traffic: 29 distinct domains resolving to 2 IPs
1 additional domain seen by both CSU and USC/ISI
Discussion
What Botnets Can BotDigger Detect?
Old botnets (Kraken and Conficker.C) were used for evaluation
Can BotDigger detect other, more recent botnets?
Botnets whose C&C IPs BotDigger detected:
Bedep botnet
Necurs botnet, used to distribute Locky ransomware
Revived PushDo botnet with DGA capability, used to distribute CryptoWall ransomware
Conficker, Conficker.B
Can BotDigger Detect New C&C Domains?
CSU deployment: 3630 C&C domains detected since December 2016
All of these domains were checked at VirusTotal via its REST API
2478 domains are labeled as malicious
1152 (31.7%) of the 3630 domains are new
These domains are mapped to the detected C&C IPs
They are random-looking and very similar to the other 2478 domains labeled malicious
Can BotDigger Detect New Botnets?
Observations on the NXDomains queried by a labeled host:
The domains are composed from a set of dictionary words: louis, vuitton, coach, outlet, factory, store
Many domains contain typos (e.g., coachh, outlete, storee)
BotDigger is capable of detecting hosts whose queried domains are generated from a set of dictionary words, a technique future smarter botnets could use.
False Positives
Domains from a false-positive case: southyellowstonelodging.com, grandtetoncabins.com, yellowstonelodging.ws, duboiswyoming.net, yellowstoneparkreservations.org, yellowstonevacationhomes.org, wyomingbedandbreakfast.net, yellowstoneparklodging.org, southyellowstonecabins.com
Future Work
Reduce false positives
Deploy BotDigger at more enterprises and universities
Continue sharing the bot lists
Build a platform for information sharing (e.g., C&C domains and IPs), for example through the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC)
Support more input formats (e.g., dns.log)
Thanks
BotDigger is available on GitHub:
Sharing bot lists captured from multiple networks: