On botnets that use DNS for command and control

From Botnets.fr
Botnet: Feederbot, Agobot, Koobface, Rbot, Sality, Sdbot, Swizzor, Virut, Zbot
Date: 2011
Editor/Conference: Institute for Internet Security, University of Applied Sciences Gelsenkirchen, Gelsenkirchen, Germany
Link: http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf (Archive copy)
Author: Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann

Abstract

We discovered and reverse engineered Feederbot, a botnet that uses DNS as a carrier for its command and control. Using k-Means clustering and a Euclidean-distance-based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.

Bibtex

 @misc{Dietrich2011BFR920,
   editor = {Institute for Internet Security University of Applied Sciences Gelsenkirchen Gelsenkirchen, Germany},
   author = {Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann},
   title = {On botnets that use DNS for command and control},
   date = {22},
   month = Feb,
   year = {2011},
   howpublished = {\url{http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf}},
 }