On botnets that use DNS for command and control

Christian J. Dietrich*, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten Van Steen, Norbert Pohlmann

*Corresponding author for this work

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

We discovered and reverse engineered Feederbot, a botnet that uses DNS as the carrier for its command and control (C&C). Using k-Means clustering and a Euclidean-distance-based classifier, we correctly classified more than 14 million DNS transactions from 42,143 malware samples with respect to DNS C&C usage, revealing another bot family that uses DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.

Original language: English
Title of host publication: 2011 7th European Conference on Computer Network Defense, EC2ND 2011 (Proceedings)
Publisher: IEEE
Pages: 9-16
Number of pages: 8
ISBN (Print): 9780769547626
DOI: 10.1109/EC2ND.2011.16
Publication status: Published - 13 Dec 2012
Event: 2011 7th European Conference on Computer Network Defense, EC2ND 2011 - Gothenburg, Sweden
Duration: 6 Sep 2011 to 7 Sep 2011

Conference

Conference: 2011 7th European Conference on Computer Network Defense, EC2ND 2011
Country: Sweden
City: Gothenburg
Period: 6/09/11 to 7/09/11

Keywords

  • botnet detection
  • command and control
  • dns
  • malware detection


Cite this

Dietrich, C. J., Rossow, C., Freiling, F. C., Bos, H., Van Steen, M., & Pohlmann, N. (2012). On botnets that use DNS for command and control. In 2011 7th European Conference on Computer Network Defense, EC2ND 2011 (Proceedings) (pp. 9-16). [6377756] IEEE. https://doi.org/10.1109/EC2ND.2011.16