Security researchers this week will detail a prototype system they say can better detect so-called domain generation algorithm (DGA)-based botnets such as Conficker and Kraken without the labor- and time-intensive reverse engineering usually required to find and defeat such malware.
The detection system, called Pleiades, monitors traffic below the local DNS server and analyzes streams of unsuccessful DNS resolutions, according to researchers from the University of Georgia and the Georgia Institute of Technology, who will present a paper on Pleiades at this week's Usenix Security conference in Bellevue, WA. The idea is to detect such malware before its handlers can change, encrypt or otherwise hide it.
"Pleiades is placed 'below' the local recursive DNS server or at the edge of a network to monitor DNS query/response messages from/to the machines within the network. Specifically, Pleiades analyzes DNS queries for domain names that result in Name Error responses, also called NXDOMAIN responses, i.e., domain names for which no IP addresses (or other resource records) exist. The focus on NXDomains is motivated by the fact that modern DGA bots tend to query large sets of domain names among which relatively few successfully resolve to the IP address of the Command and Control server," the researchers stated. "To automatically identify DGA domain names, Pleiades searches for relatively large clusters of NXDomains that have similar syntactic features, and are queried by multiple potentially compromised machines during a given epoch."
The researchers said that Pleiades is able to automatically identify and filter out "accidental", user-generated NXDomains due to typos or misconfigurations. "When Pleiades finds a cluster of NXDomains, it applies statistical learning techniques to build a model of the DGA. This is used later to detect future compromised machines running the same DGA and to detect active domain names that 'look similar' to NXDomains resulting from the DGA and therefore probably point to the botnet Command and Control server's address."
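As an added illustration of the NXDOMAIN clustering idea described above (example code written for this article, not the Pleiades prototype itself), the following Python groups NXDOMAIN queries from a constructed resolver log by simple syntactic features and keeps only groups queried by several hosts during one epoch; the feature bucketing is a deliberately crude stand-in for the paper's statistical clustering, and the log format is assumed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver log lines for one epoch: "client queried_name rcode".
# Three machine-looking names shared by several hosts, two user typos, one success.
SAMPLE_LOG = """\
10.0.0.5 xk3q9vz2mf.com NXDOMAIN
10.0.0.5 p8rt2wq7na.net NXDOMAIN
10.0.0.9 xk3q9vz2mf.com NXDOMAIN
10.0.0.9 zq0lk4hdb1.org NXDOMAIN
10.0.0.7 p8rt2wq7na.net NXDOMAIN
10.0.0.7 zq0lk4hdb1.org NXDOMAIN
10.0.0.3 gogle.com NXDOMAIN
10.0.0.3 example.com NOERROR
10.0.0.5 yotube.com NXDOMAIN
"""

def features(name):
    """Syntactic features of the leftmost label: length, character entropy, digit ratio."""
    label = name.split(".")[0]
    counts = Counter(label)
    entropy = -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return (len(label), entropy, digit_ratio)

def parse_nxdomains(log):
    """Map each NXDOMAIN name to the set of client hosts that queried it."""
    hosts = defaultdict(set)
    for line in log.splitlines():
        host, name, rcode = line.split()
        if rcode == "NXDOMAIN":
            hosts[name].add(host)
    return hosts

def find_dga_clusters(log, min_hosts=2, min_cluster=2):
    """Bucket NXDOMAINs by coarse syntactic features, then keep buckets that are
    both large and queried by several distinct hosts (the Pleiades heuristic)."""
    nx = parse_nxdomains(log)
    buckets = defaultdict(list)
    for name in nx:
        length, entropy, digit_ratio = features(name)
        # Crude stand-in for clustering: same length, rounded entropy, digits present.
        buckets[(length, round(entropy), digit_ratio > 0)].append(name)
    clusters = []
    for names in buckets.values():
        hosts = set().union(*(nx[n] for n in names))
        # A lone typo is queried by one host and rarely shares a bucket with others.
        if len(names) >= min_cluster and len(hosts) >= min_hosts:
            clusters.append((sorted(names), sorted(hosts)))
    return clusters
```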
According to the researchers, they deployed and evaluated the Pleiades prototype in a large production ISP network for a period of 15 months. "Our experiments discovered twelve new DGA-based botnets and enumerated the compromised machines. Half of these new DGAs have never been reported before."
In those 15 months (2010 through part of 2012) of our observations, we observed an average population of 742 Conficker-infected hosts in the ISP network. The infamous Conficker worm is one of the most aggressive pieces of malware with respect to domain name generation. The "C" variant of the worm generated 50,000 domains per day. However, Conficker-C only queried 500 of these domains every 24 hours. In older variants of the worm, A and B, the worm cycled through the list of domains every three and two hours, respectively, the researchers stated.
Murofet had the second largest population of infected hosts at 92 per day, while the Boonana DGA comes third with an average population of 84 infected hosts per day. The fastest growing DGA is Zeus v3 with an average population of 50 hosts per day; however, during the last four days of the experiments the Zeus.v3 DGA had an average of 134 infected hosts. It is worth noting that what the researchers called the unidentified "New-DGA-v1" had an average of 19 hosts per day, making it the most populous of the newly identified DGAs.
The researchers went on to note that Pleiades has some limitations. For example, once a new DGA is discovered, Pleiades can build fairly accurate statistical models of what the domains generated by the DGA "look like", but it is unable to learn or reconstruct the exact domain generation algorithm. Therefore, Pleiades will generate a certain number of false positives and false negatives, the researchers noted.