Revealing Botnet Membership Using DNSBL Counter-Intelligence

Botnets--networks of (typically compromised) machines--are often used for nefarious activities (e.g., spam, click fraud, denial-of-service attacks, etc.). Identifying members of botnets could help stem these attacks, but passively detecting botnet membership (i.e., without disrupting the operation of the botnet) proves to be difficult. This paper studies the effectiveness of monitoring lookups to a DNS-based blackhole list (DNSBL) to expose botnet membership. We perform counter-intelligence based on the insight that botmasters themselves perform DNSBL lookups to determine whether their spamming bots are blacklisted. Using heuristics to identify which DNSBL lookups are perpetrated by a botmaster performing such reconnaissance, we are able to compile a list of likely bots. This paper studies the prevalence of DNSBL reconnaissance observed at a mirror of a well-known blacklist for a 45-day period, identifies the means by which botmasters are performing reconnaissance, and suggests the possibility of using counter-intelligence to discover likely bots. We find that bots are performing reconnaissance on behalf of other bots. Based on this finding, we suggest counter-intelligence techniques that may be useful for early bot detection.
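An added example (not code from the paper) of the kind of counter-intelligence the abstract describes, run over constructed DNSBL query observations. The heuristic it applies is an assumption for illustration, not one the abstract states: a legitimate mail server both performs lookups (on hosts that send it mail) and is itself looked up (when it sends mail), whereas a host doing reconnaissance queries many distinct targets but is never queried; the targets of such a querier are the "likely bots".

```python
from collections import defaultdict

# Constructed sample of passive DNSBL query observations at a blacklist mirror
# (not real data): "<seq> <querier_ip> <queried_ip>", meaning querier_ip asked
# whether queried_ip is listed. Addresses are from documentation ranges.
SAMPLE_LOG = """\
1 203.0.113.10 198.51.100.5
2 198.51.100.5 203.0.113.10
3 203.0.113.10 198.51.100.6
4 192.0.2.77 198.51.100.20
5 192.0.2.77 198.51.100.21
6 192.0.2.77 198.51.100.22
7 192.0.2.77 198.51.100.23
8 198.51.100.6 203.0.113.10
9 203.0.113.10 192.0.2.150
"""


def parse_log(text):
    """Return (querier, target) pairs from the constructed log format."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _, querier, target = parts
        pairs.append((querier, target))
    return pairs


def find_recon_queriers(pairs, min_targets=3):
    """Assumed heuristic (hypothetical, not from the abstract): flag queriers
    that look up at least min_targets distinct hosts but are never looked up
    themselves, i.e. they do not behave like a mail server that also sends."""
    targets_of = defaultdict(set)
    lookups_received = defaultdict(int)
    for querier, target in pairs:
        targets_of[querier].add(target)
        lookups_received[target] += 1
    return {
        q for q, targets in targets_of.items()
        if len(targets) >= min_targets and lookups_received[q] == 0
    }


def likely_bots(pairs, min_targets=3):
    """Hosts whose listing status a reconnaissance querier checked."""
    recon = find_recon_queriers(pairs, min_targets)
    return {t for q, t in pairs if q in recon}
```

The min_targets threshold is arbitrary here; on real mirror traffic it would need calibration against known mail servers so that legitimate bulk senders with few inbound lookups are not flagged.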
