Detection of malicious payload distribution channels in DNS


Bibliographic Details
Published in: 2014 IEEE International Conference on Communications (ICC), pp. 853 - 858
Main Authors: Kara, A. Mert; Binsalleeh, Hamad; Mannan, Mohammad; Youssef, Amr; Debbabi, Mourad
Format: Conference Proceeding
Language: English
Published: IEEE, 01.06.2014

Summary: Botmasters are known to use different protocols to hide their activities. Throughout the past few years, several protocols have been abused, and recently the Domain Name System (DNS) also became a target of such malicious activities. In this paper, we study the use of DNS as a malicious payload distribution channel. We present a system to analyze the resource record activities of domain names and build DNS zone profiles to detect payload distribution channels. Our work is based on an extensive analysis of malware datasets for one year, and a near real-time feed of passive DNS traffic. The experimental results reveal a few previously unreported long-running hidden domains used by the Morto worm for distributing malicious payloads. Our experiments on passive DNS traffic indicate that our system can detect these channels regardless of the payload format.
ISSN: 1550-3607, 1938-1883
DOI: 10.1109/ICC.2014.6883426