• DocumentCode
    1788624
  • Title
    Detection of malicious payload distribution channels in DNS
  • Author
    Kara, A. Mert ; Binsalleeh, Hamad ; Mannan, Mohammad ; Youssef, Amira ; Debbabi, Mourad
  • Author_Institution
    Nat. Cyber Forensics & Training Alliance, Canada
  • fYear
    2014
  • fDate
    10-14 June 2014
  • Firstpage
    853
  • Lastpage
    858
  • Abstract
    Botmasters are known to use different protocols to hide their activities. Throughout the past few years, several protocols have been abused, and recently Domain Name System (DNS) also became a target of such malicious activities. In this paper, we study the use of DNS as a malicious payload distribution channel. We present a system to analyze the resource record activities of domain names and build DNS zone profiles to detect payload distribution channels. Our work is based on an extensive analysis of malware datasets for one year, and a near real-time feed of passive DNS traffic. The experimental results reveal a few previously unreported long-running hidden domains used by the Morto worm for distributing malicious payloads. Our experiments on passive DNS traffic indicate that our system can detect these channels regardless of the payload format.
  • Keywords
    computer network security; invasive software; protocols; telecommunication traffic; Botmasters; DNS traffic; Morto worm; domain name system; malicious activities; malicious payload distribution channel; malicious payload distribution channel detection; malware datasets; passive DNS traffic; protocols; resource record activities; Databases; Malware; Payloads; Protocols; Servers; Syntactics; Tunneling;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications (ICC), 2014 IEEE International Conference on
  • Conference_Location
    Sydney, NSW
  • Type
    conf
  • DOI
    10.1109/ICC.2014.6883426
  • Filename
    6883426