http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/229206169/tracking-the-botnet-s-dns-trail.html

By Kelly Jackson Higgins
Darkreading
Feb 08, 2011

A researcher is looking at mapping trends in Domain Name System (DNS) queries to better pinpoint stealthy botnet activity and ultimately the botnet's command-and-control (C&C) infrastructure.

Zhi-Li Zhang, a professor at the University of Minnesota, is looking at new methods for detecting botnets that hide behind a constantly changing set of domain names, a technique called DNS domain-fluxing and also known as a domain generation algorithm (DGA). In domain-fluxing, each bot queries a long series of algorithmically generated domain names, but the botmaster registers only one (or a few) of them; the rest do not exist, so the lookups fail. The Conficker, Kraken, and Torpig botnets all use this method of evasion.

To get to the C&C for these types of botnets, researchers typically have to reverse-engineer the bot malware, work out the domains it will generate on a given day, and register those domains first as a way to infiltrate the botnet. But that process is time-consuming and resource-intensive, researchers say.

Zhang recently came up with a way to graph failed DNS queries in order to root out these types of botnets. "The basic idea of our approach is to observe and analyze DNS failures to identify and pinpoint domain-flux botnets, which tend to generate a large amount of failed DNS queries," Zhang says. He and his research team map all of the failed DNS queries into a graph and then extract the most dominant subgraphs, he says.

[...]

Received on Tue Feb 08 2011 - 23:27:36 PST
This archive was generated by hypermail 2.2.0 : Tue Feb 08 2011 - 23:32:42 PST
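The article describes the approach only at a high level: collect failed DNS lookups, build a graph from them, and pull out the dominant subgraphs. The following is an added illustration of that idea, not code from Zhang's group or from Dark Reading. It assumes a simple resolver log format ("epoch client qname rcode"), treats an NXDOMAIN answer as a failure, links each client to every domain it failed to resolve, and reports the connected components that span several hosts and several domains. The sample log lines, the hypothetical infected hosts 10.0.0.5/9/17 and their DGA-looking names, and the `min_hosts`/`min_domains` thresholds are all constructed for the example.

```python
"""Toy domain-flux (DGA) detector built on a graph of failed DNS queries.

Added example; the log format, thresholds and scoring are assumptions,
not the method described in the article or in any published paper.
"""
from collections import defaultdict, deque

# Constructed resolver log: "<epoch> <client> <qname> <rcode>".
# Three hosts (10.0.0.5, .9, .17) query overlapping sets of nonexistent,
# random-looking names, as bots running the same DGA on the same day
# would.  10.0.0.22 and 10.0.0.31 are ordinary users with typos.
SAMPLE_LOG = """\
1297209600 10.0.0.5 www.example.com NOERROR
1297209601 10.0.0.5 gqxlmzpt.org NXDOMAIN
1297209602 10.0.0.5 vbfkqwza.info NXDOMAIN
1297209603 10.0.0.5 plrcsnte.net NXDOMAIN
1297209604 10.0.0.9 gqxlmzpt.org NXDOMAIN
1297209605 10.0.0.9 vbfkqwza.info NXDOMAIN
1297209606 10.0.0.9 zkqwmbtr.com NXDOMAIN
1297209607 10.0.0.17 plrcsnte.net NXDOMAIN
1297209608 10.0.0.17 zkqwmbtr.com NXDOMAIN
1297209609 10.0.0.17 hqtrvxnl.biz NXDOMAIN
1297209610 10.0.0.22 wwww.google.com NXDOMAIN
1297209611 10.0.0.22 mail.example.com NOERROR
1297209612 10.0.0.31 gooogle.com NXDOMAIN
"""


def parse_failures(log_text):
    """Yield (client, qname) for every NXDOMAIN answer in the log."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip blank or malformed lines
            continue
        _ts, client, qname, rcode = parts
        if rcode == "NXDOMAIN":
            yield client, qname.lower().rstrip(".")


def build_failure_graph(failures):
    """Bipartite graph: ("host", ip) <-> ("dom", name) for each failure."""
    adj = defaultdict(set)
    for client, qname in failures:
        adj[("host", client)].add(("dom", qname))
        adj[("dom", qname)].add(("host", client))
    return adj


def connected_components(adj):
    """Breadth-first search; yields each component as a set of nodes."""
    seen = set()
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nb in adj[node]:
                if nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        yield comp


def dominant_subgraphs(log_text, min_hosts=2, min_domains=3):
    """Return components with enough hosts and failed domains, largest first.

    A lone host with one typo forms a tiny isolated component and is
    dropped; bots sharing a DGA seed fail on overlapping names and so
    collapse into one large component.  Returned dicts hold the sorted
    hosts, the sorted domains and the number of host->domain edges.
    """
    adj = build_failure_graph(parse_failures(log_text))
    results = []
    for comp in connected_components(adj):
        hosts = sorted(n for kind, n in comp if kind == "host")
        domains = sorted(n for kind, n in comp if kind == "dom")
        if len(hosts) >= min_hosts and len(domains) >= min_domains:
            edges = sum(len(adj[("host", h)]) for h in hosts)
            results.append({"hosts": hosts, "domains": domains, "edges": edges})
    results.sort(key=lambda r: r["edges"], reverse=True)
    return results


if __name__ == "__main__":
    for comp in dominant_subgraphs(SAMPLE_LOG):
        print(f"{len(comp['hosts'])} hosts, {len(comp['domains'])} failed "
              f"domains, {comp['edges']} edges: {comp['hosts']}")
```

In practice the noise floor matters more than the graph code: typos, expired domains, search-list expansion of short names, and browsers that deliberately probe random hostnames all produce NXDOMAIN answers, so the thresholds have to be tuned per network and the candidate domain names checked for DGA-like character distributions before anyone is paged.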