Researchers at Texas A&M University say they have a new method for finding domain-fluxing botnets, which evade detection by constantly alternating domain names. Dr. Narasimha Reddy, who works in the University's Department of Electrical and Computer Engineering, collaborated with student Sandeep Yadav and Ashwath Reddy, as well as with Supranamaya "Soups" Ranjan with Narus Inc., to develop the new method. It can be used to detect botnets like Conficker, Kraken and Torpig, which use the so-called DNS domain-fluxing…
Read full story: Network World
Related topics: Cybercrime, DNS, Domain Names, Malware, Security
Lexical analysis of domains to detect randomly created (hence, likely bad) domains is not very workable, and might work for, at most, a few of the more amateurishly coded botnets, or for those botnets whose domain-creation algos have already been reverse engineered.
This has limited utility in terms of the noise it generates (for example, domain names transliterated from Chinese, Finnish, etc., or domain names that are words with vowels removed or with alternate spellings). Yes, there'll be signal, but using lexical analysis as the sole criterion = lots and lots of noise.
And it's not a particularly new concept, so I seriously don't know what this team from TAMU has accomplished that's actually newsworthy.
The full paper is at http://www.ee.tamu.edu/~reddy/papers/imc2010-yadav.pdf, btw.
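To make the signal-versus-noise point concrete, here is a small, added illustration of purely lexical scoring of DNS labels. It is not code from the news item, the commenter, or the TAMU paper, and it does not reproduce the paper's method; it is a toy scorer that combines two common lexical features (the fraction of a label's character bigrams that occur in a seed word list, and the vowel ratio) with an arbitrary weighting and threshold. The seed dictionary, the weights, the 0.3 threshold and the sample labels are all assumptions constructed for the example. Run over the constructed set, it flags a random-looking label, but it also flags a vowel-stripped English word and a Finnish place name, which is exactly the kind of false positive the comment above describes; it also shows that character entropy on a short label says little, since a real English compound can score higher than a random string.

```python
"""Toy lexical scoring of DNS labels: shows both the signal and the noise
that a lexical-only DGA detector produces. Illustration only."""
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed seed dictionary (assumption). A real deployment would use a
# large word list plus labels of known-good domains; keeping it tiny lets the
# example run offline and also exaggerates the noise problem.
SEED_WORDS = [
    "account", "secure", "update", "mail", "login", "bank", "news", "shop",
    "cloud", "store", "market", "service", "online", "network", "system",
    "photo", "music", "video", "search", "share",
]


def normalize(label):
    """Keep only letters, lower-cased; digits and hyphens carry no signal here."""
    return "".join(c for c in label.lower() if c.isalpha())


def bigrams(s):
    """Set of adjacent character pairs in s."""
    return {s[i:i + 2] for i in range(len(s) - 1)}


DICT_BIGRAMS = set().union(*(bigrams(w) for w in SEED_WORDS))


def char_entropy(label):
    """Shannon entropy (bits per character) of the letter distribution."""
    s = normalize(label)
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def vowel_ratio(label):
    """Fraction of letters that are vowels ('y' deliberately not counted)."""
    s = normalize(label)
    return sum(c in VOWELS for c in s) / len(s) if s else 0.0


def bigram_coverage(label):
    """Fraction of the label's bigrams that occur in the seed dictionary."""
    bg = bigrams(normalize(label))
    return len(bg & DICT_BIGRAMS) / len(bg) if bg else 0.0


def lexical_score(label):
    """Higher means more word-like. The 0.6/0.4 weights are an assumption."""
    return 0.6 * bigram_coverage(label) + 0.4 * vowel_ratio(label)


def is_suspicious(label, threshold=0.3):
    """Flag a label whose score falls below the (assumed) threshold."""
    return lexical_score(label) < threshold


def scan(labels):
    """Return {label: (rounded score, suspicious?)} for a batch of labels."""
    return {l: (round(lexical_score(l), 3), is_suspicious(l)) for l in labels}


# Constructed sample: word-like labels, a vowel-stripped English word
# ("broadcaster"), a Finnish place name, a pinyin word, and random strings of
# the kind a DGA emits. None of these are taken from real botnet traffic.
SAMPLE_LABELS = [
    "securemail", "photoshare", "brdcstr", "jyvaskyla", "xiongmao",
    "xkqzjwvt", "ebiwoqaz",
]

if __name__ == "__main__":
    for label, (score, flag) in scan(SAMPLE_LABELS).items():
        verdict = "SUSPICIOUS" if flag else "ok"
        print(f"{label:12} entropy={char_entropy(label):.2f} "
              f"coverage={bigram_coverage(label):.2f} "
              f"vowels={vowel_ratio(label):.2f} score={score:.3f} {verdict}")
```

With this seed list, "brdcstr" and "jyvaskyla" land below the threshold alongside the random strings, while "xiongmao" passes only because two of its bigrams happen to appear in the dictionary; enlarging the dictionary shifts which legitimate labels get caught but does not remove the class of error. That is why the features above are normally combined with non-lexical evidence (NXDOMAIN rates, the number of distinct labels resolving to one IP, registration age) rather than used as the sole criterion.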