On botnets that use DNS for command and control

From Botnets.fr


Botnet: Feederbot, Agobot, Koobface, Rbot, Sality, Sdbot, Swizzor, Virut, Zbot
Date: 2011
Editor/Conference: Institute for Internet Security, University of Applied Sciences Gelsenkirchen, Gelsenkirchen, Germany
Link: http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf (Archive copy)
Author: Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann

Abstract

We discovered and reverse engineered Feederbot, a botnet that uses DNS as a carrier for its command and control. Using k-Means clustering and a Euclidean-distance-based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.

Bibtex

 @misc{2011BFR920,
   editor = {Institute for Internet Security, University of Applied Sciences Gelsenkirchen, Gelsenkirchen, Germany},
   author = {Christian J. Dietrich and Christian Rossow and Felix C. Freiling and Herbert Bos and Maarten van Steen and Norbert Pohlmann},
   title = {On botnets that use DNS for command and control},
   day = {29},
   month = may,
   year = {2011},
   howpublished = {\url{http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf}},
 }