On botnets that use DNS for command and control

Christian J. Dietrich; Christian Rossow; Felix C. Freiling; Herbert Bos; Maarten van Steen; Norbert Pohlmann

doi:10.1109/EC2ND.2011.16

On botnets that use DNS for command and control

Christian J. Dietrich^*, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

99 Citations (Scopus)

Abstract

We discovered and reverse engineered Feederbot, a botnet that uses DNS as carrier for its command and control. Using k-Means clustering and a Euclidean Distance based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.

Original language	English
Title of host publication	2011 7th European Conference on Computer Network Defense, EC2ND 2011
Place of Publication	Piscataway
Publisher	IEEE
Pages	9-16
Number of pages	8
ISBN (Electronic)	978-0-7695-4762-6
ISBN (Print)	978-1-4673-2116-7
DOIs	https://doi.org/10.1109/EC2ND.2011.16
Publication status	Published - 1 Dec 2012
Externally published	Yes
Event	7th European Conference on Computer Network Defense, EC2ND 2011 - Gothenburg, Sweden Duration: 6 Sept 2011 → 7 Sept 2011 Conference number: 7

Conference

Conference	7th European Conference on Computer Network Defense, EC2ND 2011
Abbreviated title	EC2ND 2011
Country/Territory	Sweden
City	Gothenburg
Period	6/09/11 → 7/09/11

Keywords

Botnet detection
Command and control
DNS
Malware detection

Access to Document

10.1109/EC2ND.2011.16

Cite this

@inproceedings{a46d4df2bae34ff2b9a68b21611480f5,

title = "On botnets that use DNS for command and control",

abstract = "We discovered and reverse engineered Feederbot, a botnet that uses DNS as carrier for its command and control. Using k-Means clustering and a Euclidean Distance based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.",

keywords = "Botnet detection, Command and control, DNS, Malware detection",

author = "Dietrich, {Christian J.} and Christian Rossow and Freiling, {Felix C.} and Herbert Bos and {van Steen}, Maarten and Norbert Pohlmann",

year = "2012",

month = dec,

day = "1",

doi = "10.1109/EC2ND.2011.16",

language = "English",

isbn = "978-1-4673-2116-7",

pages = "9--16",

booktitle = "2011 7th European Conference on Computer Network Defense, EC2ND 2011",

publisher = "IEEE",

address = "United States",

note = "7th European Conference on Computer Network Defense, EC2ND 2011, EC2ND 2011 ; Conference date: 06-09-2011 Through 07-09-2011",

}

Dietrich, CJ, Rossow, C, Freiling, FC, Bos, H, van Steen, M & Pohlmann, N 2012, On botnets that use DNS for command and control. in 2011 7th European Conference on Computer Network Defense, EC2ND 2011., 6377756, IEEE, Piscataway, pp. 9-16, 7th European Conference on Computer Network Defense, EC2ND 2011, Gothenburg, Sweden, 6/09/11. https://doi.org/10.1109/EC2ND.2011.16

TY - GEN

T1 - On botnets that use DNS for command and control

AU - Dietrich, Christian J.

AU - Rossow, Christian

AU - Freiling, Felix C.

AU - Bos, Herbert

AU - van Steen, Maarten

AU - Pohlmann, Norbert

N1 - Conference code: 7

PY - 2012/12/1

Y1 - 2012/12/1

N2 - We discovered and reverse engineered Feederbot, a botnet that uses DNS as carrier for its command and control. Using k-Means clustering and a Euclidean Distance based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.

AB - We discovered and reverse engineered Feederbot, a botnet that uses DNS as carrier for its command and control. Using k-Means clustering and a Euclidean Distance based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.

KW - Botnet detection

KW - Command and control

KW - DNS

KW - Malware detection

UR - http://www.scopus.com/inward/record.url?scp=84872228595&partnerID=8YFLogxK

U2 - 10.1109/EC2ND.2011.16

DO - 10.1109/EC2ND.2011.16

M3 - Conference contribution

AN - SCOPUS:84872228595

SN - 978-1-4673-2116-7

SP - 9

EP - 16

BT - 2011 7th European Conference on Computer Network Defense, EC2ND 2011

PB - IEEE

CY - Piscataway

T2 - 7th European Conference on Computer Network Defense, EC2ND 2011

Y2 - 6 September 2011 through 7 September 2011

ER -

On botnets that use DNS for command and control

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this