Detection of malicious payload distribution channels in DNS

Botmasters use a variety of protocols to hide their activities. Over the past few years several protocols have been abused in this way, and more recently the Domain Name System (DNS) has become a target as well. In this paper we study the use of DNS as a malicious payload distribution channel. We present a system that analyzes the resource record activity of domain names and builds DNS zone profiles in order to detect payload distribution channels. Our work is based on an extensive analysis of one year of malware datasets together with a near real-time feed of passive DNS traffic. The experimental results reveal a few previously unreported, long-running hidden domains used by the Morto worm to distribute malicious payloads, and our experiments on passive DNS traffic indicate that the system can detect such channels regardless of the payload format.
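To make the idea of a "DNS zone profile" concrete, the following is an added example (not the paper's system, and not code from its authors) of a toy profiler run over constructed passive-DNS records. It assumes, purely for illustration, that payload chunks ride in TXT record data (the abstract names no record type), that a zone can be approximated by the last two labels of a name (real code should consult the Public Suffix List), and that a handful of hand-picked thresholds on record-data length, character entropy, encoding shape and TXT share are enough to separate a payload zone from a normal corporate zone. The record tuples, zone names and thresholds are all made up for the example.

```python
"""Toy DNS zone profiler: flag zones whose TXT records look like payload carriers.

Added example, not the paper's detector. Assumptions (not from the abstract):
 - passive-DNS input is a list of (rrname, rrtype, rdata, count) tuples
 - payload chunks are carried in TXT rdata
 - zone == last two labels of the name (use the Public Suffix List in practice)
"""
import base64
import hashlib
import math
import re
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the string (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


_B64 = re.compile(r"^[A-Za-z0-9+/=]{32,}$")
_HEX = re.compile(r"^[0-9a-fA-F]{32,}$")


def looks_encoded(rdata: str) -> bool:
    """True when rdata is one long unbroken run of base64 or hex characters."""
    return bool(_B64.match(rdata) or _HEX.match(rdata))


def zone_of(rrname: str, labels: int = 2) -> str:
    """Assumption: the zone is the last two labels. Real code needs the PSL."""
    parts = rrname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def build_zone_profiles(records):
    """Aggregate per-zone resource record statistics from passive-DNS tuples."""
    profiles = defaultdict(lambda: {
        "rrtypes": defaultdict(int), "txt_names": set(), "txt_lengths": [],
        "txt_entropies": [], "txt_encoded": 0, "txt_total": 0, "txt_queries": 0,
    })
    for rrname, rrtype, rdata, count in records:
        p = profiles[zone_of(rrname)]
        p["rrtypes"][rrtype] += 1
        if rrtype == "TXT":
            p["txt_names"].add(rrname)
            p["txt_total"] += 1
            p["txt_queries"] += count
            p["txt_lengths"].append(len(rdata))
            p["txt_entropies"].append(shannon_entropy(rdata))
            if looks_encoded(rdata):
                p["txt_encoded"] += 1
    return profiles


def score_zone(p) -> float:
    """Hand-picked scoring: one point per payload-like property of the TXT records."""
    if p["txt_total"] == 0:
        return 0.0
    mean_len = sum(p["txt_lengths"]) / p["txt_total"]
    mean_ent = sum(p["txt_entropies"]) / p["txt_total"]
    enc_frac = p["txt_encoded"] / p["txt_total"]
    txt_share = p["txt_total"] / sum(p["rrtypes"].values())
    score = 0.0
    if mean_len > 100:          # TXT data far longer than SPF/DMARC policies
        score += 1
    if mean_ent > 4.5:          # near-uniform character distribution (encoded blob)
        score += 1
    if enc_frac >= 0.5:         # most records are one unbroken base64/hex run
        score += 1
    if len(p["txt_names"]) >= 3 and txt_share > 0.5:  # many TXT-only names: chunked payload
        score += 1
    return score


def detect_payload_zones(records, threshold: float = 3):
    """Return the sorted list of zones whose profile score reaches the threshold."""
    return sorted(z for z, p in build_zone_profiles(records).items()
                  if score_zone(p) >= threshold)


def _fake_chunk(i: int) -> str:
    """Constructed 96-byte pseudo-random payload chunk, base64 encoded (128 chars)."""
    raw = b"".join(hashlib.sha256(f"chunk{i}-{j}".encode()).digest() for j in range(3))
    return base64.b64encode(raw).decode()


# Constructed sample passive-DNS records (not from the paper's dataset).
SAMPLE_RECORDS = [
    ("example-corp.test", "A", "192.0.2.10", 9000),
    ("www.example-corp.test", "A", "192.0.2.10", 52000),
    ("example-corp.test", "NS", "ns1.example-corp.test.", 3000),
    ("example-corp.test", "MX", "10 mail.example-corp.test.", 4100),
    ("example-corp.test", "TXT", "v=spf1 include:_spf.example-corp.test -all", 1200),
    ("_dmarc.example-corp.test", "TXT", "v=DMARC1; p=reject; rua=mailto:d@example-corp.test", 300),
    ("s1._domainkey.example-corp.test", "TXT", "v=DKIM1; k=rsa; p=" + _fake_chunk(99), 250),
    ("payload-zone.test", "NS", "ns1.payload-zone.test.", 15),
    ("ns1.payload-zone.test", "A", "198.51.100.7", 15),
] + [(f"c{i}.payload-zone.test", "TXT", _fake_chunk(i), 20) for i in range(4)]


if __name__ == "__main__":
    for zone, profile in build_zone_profiles(SAMPLE_RECORDS).items():
        print(f"{zone:20s} score={score_zone(profile):.0f} rrtypes={dict(profile['rrtypes'])}")
    print("flagged:", detect_payload_zones(SAMPLE_RECORDS))
```

The DKIM record in the benign zone is there on purpose: a public key is a long, high-entropy TXT string, so single-record heuristics misfire on it, and only the combination of properties at zone level (many TXT-only names, TXT dominating the zone's record mix, data that is nothing but an encoded run) keeps the corporate zone under the threshold. What the toy omits, and what the abstract's use of a near real-time passive-DNS feed supplies, is the time dimension: first-seen and last-seen timestamps, churn of chunk names, and how long a zone has been serving the same blobs.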
