On Botnets That Use DNS for Command and Control

Authors:
Christian J. Dietrich;Christian Rossow;Felix C. Freiling;Herbert Bos;Maarten van Steen;Norbert Pohlmann
Affiliations:
-;-;-;-;-;-
Venue:
EC2ND '11 Proceedings of the 2011 Seventh European Conference on Computer Network Defense
Year:
2011

Citing 0
Cited 3

CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis

Computer Networks: The International Journal of Computer and Telecommunications Networking
Resolvers Revealed: Characterizing DNS Resolvers and their Clients

ACM Transactions on Internet Technology (TOIT)
ProVeX: detecting botnets with encrypted command and control channels

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

We discovered and reverse engineered Feederbot, a botnet that uses DNS as carrier for its command and control. Using k-Means clustering and a Euclidean Distance based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.