Title :
Detection of malicious payload distribution channels in DNS
Author :
Kara, A. Mert ; Binsalleeh, Hamad ; Mannan, Mohammad ; Youssef, Amira ; Debbabi, Mourad
Author_Institution :
Nat. Cyber Forensics & Training Alliance, Canada
Abstract :
Botmasters are known to use different protocols to hide their activities. Throughout the past few years, several protocols have been abused, and recently Domain Name System (DNS) also became a target of such malicious activities. In this paper, we study the use of DNS as a malicious payload distribution channel. We present a system to analyze the resource record activities of domain names and build DNS zone profiles to detect payload distribution channels. Our work is based on an extensive analysis of malware datasets for one year, and a near real-time feed of passive DNS traffic. The experimental results reveal a few previously unreported long-running hidden domains used by the Morto worm for distributing malicious payloads. Our experiments on passive DNS traffic indicate that our system can detect these channels regardless of the payload format.
Keywords :
computer network security; invasive software; protocols; telecommunication traffic; Botmasters; DNS traffic; Morto worm; domain name system; malicious activities; malicious payload distribution channel; malicious payload distribution channel detection; malware datasets; passive DNS traffic; protocols; resource record activities; Databases; Malware; Payloads; Protocols; Servers; Syntactics; Tunneling;
Conference_Titel :
Communications (ICC), 2014 IEEE International Conference on
Conference_Location :
Sydney, NSW
DOI :
10.1109/ICC.2014.6883426
