On botnets that use DNS for command and control

Christian J. Dietrich*, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

68 Citations (Scopus)

Abstract

We discovered and reverse engineered Feederbot, a botnet that uses DNS as carrier for its command and control. Using k-Means clustering and a Euclidean Distance based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.

Original languageEnglish
Title of host publication2011 7th European Conference on Computer Network Defense, EC2ND 2011
Place of PublicationPiscataway
PublisherIEEE
Pages9-16
Number of pages8
ISBN (Electronic)978-0-7695-4762-6
ISBN (Print)978-1-4673-2116-7
DOIs
Publication statusPublished - 1 Dec 2012
Externally publishedYes
Event7th European Conference on Computer Network Defense, EC2ND 2011 - Gothenburg, Sweden
Duration: 6 Sep 20117 Sep 2011
Conference number: 7

Conference

Conference7th European Conference on Computer Network Defense, EC2ND 2011
Abbreviated titleEC2ND 2011
CountrySweden
CityGothenburg
Period6/09/117/09/11

Keywords

  • Botnet detection
  • Command and control
  • DNS
  • Malware detection

Fingerprint Dive into the research topics of 'On botnets that use DNS for command and control'. Together they form a unique fingerprint.

Cite this