FluXOR: Detecting and Monitoring Fast-Flux Service Networks

  • Emanuele Passerini
  • Roberto Paleari
  • Lorenzo Martignoni
  • Danilo Bruschi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5137)

Abstract

Botnets are large groups of compromised machines (bots) used by miscreants for all sorts of illegal activities (e.g., sending spam emails, denial-of-service attacks, phishing and other web scams). To protect the identity and to maximise the availability of the core components of their business, miscreants have recently started to use fast-flux service networks, large groups of bots acting as front-end proxies to these components. Motivated by the conviction that prompt detection and monitoring of these networks is an essential step in countering the problem posed by botnets, we have developed FluXOR, a system to detect and monitor fast-flux service networks. FluXOR's monitoring and detection strategies rely entirely on the analysis of a set of features observable from the point of view of a victim of the scams perpetrated through botnets. We have been using FluXOR for about a month and so far we have detected 387 fast-flux service networks, composed in total of 31998 distinct compromised machines, which we believe to be associated with 16 botnets.

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Emanuele Passerini (1)
  • Roberto Paleari (1)
  • Lorenzo Martignoni (1)
  • Danilo Bruschi (1)
  1. Università degli Studi di Milano