From throw-away traffic to bots: Detecting the rise of DGA-based malware

Proceedings of the 21st USENIX Security Symposium

Volumn , Issue , 2012, Pages 491-506

  Antonakakis, Manos ^a,c   Perdisci, Roberto ^b,c   Nadji, Yacin ^c   Vasiloglou, Nikolaos ^a   Abu Nimeh, Saeed ^a   Lee, Wenke ^c   Dagon, David ^c  

^a Damballa Inc   (United States)

^b UNIVERSITY OF GEORGIA   (United States)

^c GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BOTNET; COMMAND AND CONTROL SYSTEMS; COMPUTER VIRUSES; RANDOM NUMBER GENERATION; REVERSE ENGINEERING; TECHNOLOGY TRANSFER; VIRUSES;

BOTNET DETECTIONS; CLASSIFICATION ALGORITHM; COMMAND AND CONTROL; DETECTION APPROACH; DOMAIN DISCOVERY; GENERATION ALGORITHM; PROTOTYPE SYSTEM; VIRUS DETECTION;

CLUSTERING ALGORITHMS;

EID: 85068676628     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (46)

1. K. Aas and L. Eikvil. Text categorisation: A survey., 1999.
2. abuse.ch. ZeuS Gets More Sophisticated Using P2P Techniques. http://www.abuse.ch/?p=3499, 2011.
3. M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. Building a dynamic reputation system for DNS. In the Proceedings of 19th USENIX Security Symposium (USENIX Security’10), 2010.
4. M. Antonakakis, R. Perdisci, W. Lee, N. Vasiloglou, and D. Dagon. Detecting malware domains in the upper DNS hierarchy. In the Proceedings of 20th USENIX Security Symposium (USENIX Security’11), 2011.
5. BankPatch. Trojan.Bankpatch.C. http://www.symantec.com/security_ response/writeup.jsp?docid= 2008-081817-1808-99&tabid=2, 2009.
6. L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive dns analysis. In Proceedings of NDSS, 2011.
7. R. Feldman and J. Sanger. The text mining handbook: advanced approaches in analyzing unstructured data. Cambridge Univ Pr, 2007.
8. R. Finones. Virus:Win32/Expiro.Z. http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx? Name=Virus%3AWin32%2FExpiro.Z, 2011.
9. Y. Freund and L. Mason. The alternating decision tree learning algorithm. In Proceedings of the Sixteenth International Conference on Machine Learning, ICML’99, 1999.
10. G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting malware infection through IDS-driven dialog correlation. In Proc. USENIX Security, 2007.
11. M. Geide. Another trojan bamital pattern. http://research.zscaler.com/2011/05/ another-trojan-bamital-pattern. html, 2011.
12. S. Golovanov and I. Soumenkov. TDL4 top bot. http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot, 2011.
13. G. Gu, R. Perdisci, J. Zhang, and W. Lee. Bot-Miner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In USENIX Security, 2008.
14. G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic. In Network and Distributed System Security Symposium (NDSS), 2008.
15. J. Hermans. MozillaWiki TLD List. https://wiki.mozilla.org/TLD_List, 2006.
16. S. Krishnan and F. Monrose. Dns prefetching and its privacy implications: when good things go bad. In Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more, LEET’10, pages 10–10, Berkeley, CA, USA, 2010. USENIX Association.
17. L. I. Kuncheva. Combining Pattern Classifiers: Methods and Algorithms. Wiley-Interscience, 2004.
18. M. H. Ligh, S. Adair, B. Hartstein, and M. Richard. Malware Analyst’s Cookbook and DVD, chapter 12. Wiley, 2010.
19. P. Mockapetris. Domain names - concepts and facilities. http://www.ietf.org/rfc/rfc1034.txt, 1987.
20. P. Mockapetris. Domain names - implementation and specification. http://www.ietf.org/rfc/rfc1035.txt, 1987.
21. M. Newman. Networks: an introduction. Oxford University Press, 2010.
22. A. Y. Ng, M. I. Jordan, and Y. Weiss. On spectral clustering: Analysis and an algorithm. In Advances In Neural Information Processing Systems, pages 849–856. MIT Press, 2001.
23. P. Porras, H. Saidi, and V. Yegneswaran. An analysis of conficker’s logic and rendezvous points. http://mtc.sri.com/Conficker/, 2009.
24. D. Pelleg and A. W. Moore. X-means: Extending k-means with efficient estimation of the number of clusters. In Proceedings of the Seventeenth International Conference on Machine Learning, ICML ’00, pages 727–734, San Francisco, CA, USA, 2000. Morgan Kaufmann Publishers Inc.
25. C. POLSKA. ZeuS P2P+DGA variant mapping out and understanding the threat. http://www.cert.pl/news/4711/ langswitch_lang/en, 2012.
26. P. Porras. Inside risks: Reflections on conficker. Communications of the ACM, 52:23–24, October 2009.
27. P. Porras, H. Saidi, and V. Yegneswaran. Conficker C analysis. Technical report, SRI International, Menlo Park, CA, April 2009.
28. L. R. Rabiner. Readings in speech recognition. chapter A tutorial on hidden Markov models and selected applications in speech recognition. 1990.
29. P. Royal. Analysis of the kraken botnet. http://www.damballa.com/downloads/r_pubs/KrakenWhitepaper.pdf, 2008.
30. S. Shevchenko. Srizbi domain generator calculator. http://blog.threatexpert.com/2008/11/srizbis-domain-calculator.html, 2008.
31. S. Shevchenko. Domain name generator for murofet. http://blog.threatexpert.com/2010/10/ domain-name-generator-for-murofet. html, 2010.
32. SOPHOS. Mal/Simda-C. http://www.sophos.com/en-us/ threat-center/threat-analyses/ viruses-and-spyware/MalSimda-C/ detailed-analysis.aspx, 2012.
33. J. Stewart. Bobax trojan analysis. http://www.secureworks.com/research/ threats/bobax/, 2004.
34. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: analysis of a botnet takeover. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS’09, pages 635–647, New York, NY, USA, 2009. ACM.
35. S. Stover, D. Dittrich, J. Hernandez, and S. Dietrich. Analysis of the storm and nugache trojans: P2P is here. In USENIX;login:, vol. 32, no. 6, December 2007.
36. T.-F. Yen and M. K. Reiter. Are your hosts trading or plotting? Telling P2P file-sharing and bots apart. In ICDCS, 2010.
37. R. Villamarin-Salomon and J. Brustoloni. Identifying botnets using anomaly detection techniques applied to dns traffic. In 5th Consumer Communications and Networking Conference, 2008.
38. Wikipedia. The storm botnet. http://en.wikipedia.org/wiki/Storm_botnet, 2010.
39. J. Williams. What we know (and learned) from the waledac takedown. http://tinyurl.com/ 7apnn9b, 2010.
40. J. Wolf. Technical details of srizbi’s domain generation algorithm. http://blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domain-generationalgorithm.html, 2008. Retreived: April, 10 2010.
41. J. Wong. Trojan:Java/Boonana. http://www.microsoft.com/security/ portal/Threat/Encyclopedia/Entry. aspx?Name=Trojan%3AJava%2FBoonana, 2011.
42. S. Yadav, A. K. K. Reddy, A. N. Reddy, and S. Ranjan. Detecting algorithmically generated malicious domain names. In Proceedings of the 10th annual Conference on Internet Measurement, IMC’10, pages 48–61, New York, NY, USA, 2010. ACM.
43. S. Yadav and A. N. Reddy. Winning with dns failures: Strategies for faster botnet detection. In 7th International ICST Conference on Security and Privacy in Communication Networks, 2011.
44. T.-F. Yen and M. K. Reiter. Traffic aggregation for malware detection. In Proc. International conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2008.
45. B. Zdrnja. Google Chrome and (weird) DNS requests. http://isc.sans.edu/diary/Google+Chrome+and+weird+DNS+ requests/10312, 2011.
46. J. Zhang, R. Perdisci, W. Lee, U. Sarfraz, and X. Luo. Detecting stealthy P2P botnets using statistical traffic fingerprints. In Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Dependable Computing and Communication Symposium, 2011.