• DocumentCode
    580257
  • Title
    On Botnets That Use DNS for Command and Control
  • Author
    Dietrich, Christian J. ; Rossow, Christian ; Freiling, Felix C. ; Bos, Herbert ; van Steen, Maarten ; Pohlmann, Norbert
  • Author_Institution
    Dept. of Comput. Sci., Friedrich-Alexander Univ., Erlangen, Germany
  • fYear
    2011
  • fDate
    6-7 Sept. 2011
  • Firstpage
    9
  • Lastpage
    16
  • Abstract
    We discovered and reverse engineered Feederbot, a botnet that uses DNS as a carrier for its command and control. Using k-Means clustering and a Euclidean-distance-based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.
  • Keywords
    computer network security; invasive software; pattern classification; pattern clustering; DNS transactions; DNS-C&C usage; Euclidean distance based classifier; botnets; feederbot; k-means clustering; mixed office workstation network traffic; Command and control systems; Cryptography; Entropy; Feature extraction; Malware; Protocols; Servers; botnet detection; command and control; dns; malware detection
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Network Defense (EC2ND), 2011 Seventh European Conference on
  • Conference_Location
    Gothenburg
  • Print_ISBN
    978-1-4673-2116-7
  • Type
    conf
  • DOI
    10.1109/EC2ND.2011.16
  • Filename
    6377756