Recently, Christian Rossow and I looked into what we term covert communication, that is, command and control communication hidden in what appears to be regular Internet traffic. We discovered and reverse engineered Feederbot, a botnet that uses DNS as the carrier for its command and control. Using k-Means clustering and a Euclidean-distance-based classifier, we correctly classified more than 14 million DNS transactions of 42,143 malware samples with respect to DNS C&C usage. Interestingly, this analysis revealed yet another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.
Our paper dealing with DNS as a carrier for botnet command and control channels got accepted at this year's EC2ND conference. I will be presenting the results at EC2ND, which takes place in Gothenburg, Sweden, September 6-7 at Chalmers University.
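To make the clustering-and-classification idea concrete, here is an added example (my own illustration, not the paper's code and not its feature set): a small pure-Python detector that turns DNS transactions into feature vectors, clusters them with k-Means, and labels new transactions by Euclidean distance to the nearest centroid. The three features, the sample transactions and the `.c2.example` names are constructed assumptions for the demo.

```python
import math
from collections import Counter

# Constructed sample transactions (queried name, response payload bytes), not real data.
# Assumption: tunnelled C&C shows long, high-entropy labels and large responses.
SAMPLE_TRANSACTIONS = [
    ("www.example.com", 16), ("mail.example.org", 16),
    ("cdn.example.net", 32), ("update.example.com", 16),
    ("3f9a1c7e2b8d4a6f0e5c.c2.example", 210),
    ("a81e0f4c2d7b9e3a6c5f.c2.example", 240),
    ("7c2e9b4d1f8a3e6c0d5b.c2.example", 225),
]

def entropy(s):
    """Shannon entropy (bits per character) of a label."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def features(qname, resp_bytes):
    """Assumed feature vector: (leftmost-label length, its entropy, response size / 10)."""
    label = qname.split(".")[0]
    return (float(len(label)), entropy(label), resp_bytes / 10.0)

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k=2, iters=50):
    """Lloyd's k-Means; initial centroids are the first k points, so runs are deterministic."""
    centroids = [list(p) for p in points[:k]]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        new = [[sum(c) / len(g) for c in zip(*g)] if g else centroids[i]
               for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return centroids

def build_detector(transactions):
    """Cluster the training transactions; the cluster with the largest mean response is taken as C&C."""
    centroids = kmeans([features(q, b) for q, b in transactions])
    return centroids, max(range(len(centroids)), key=lambda i: centroids[i][2])

def classify(qname, resp_bytes, centroids, cc_index):
    """Nearest-centroid decision: True if the transaction falls into the C&C cluster."""
    f = features(qname, resp_bytes)
    return min(range(len(centroids)), key=lambda i: dist(f, centroids[i])) == cc_index
```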


