On botnets that use DNS for command and control

Christian J. Dietrich*, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten Van Steen, Norbert Pohlmann

*Corresponding author for this work

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

We discovered and reverse engineered Feederbot, a botnet that uses DNS as the carrier for its command and control (C&C). Using k-Means clustering and a Euclidean-distance-based classifier, we correctly classified more than 14 million DNS transactions from 42,143 malware samples with respect to DNS C&C usage, revealing another bot family that uses DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.

Original language: English
Title of host publication: 2011 7th European Conference on Computer Network Defense, EC2ND 2011 (Proceedings)
Publisher: IEEE
Pages: 9-16
Number of pages: 8
ISBN (Print): 9780769547626
DOIs
Publication status: Published - 13 Dec 2012
Event: 2011 7th European Conference on Computer Network Defense, EC2ND 2011 - Gothenburg, Sweden
Duration: 6 Sept 2011 to 7 Sept 2011

Conference

Conference: 2011 7th European Conference on Computer Network Defense, EC2ND 2011
Country/Territory: Sweden
City: Gothenburg
Period: 6/09/11 to 7/09/11

Keywords

  • botnet detection
  • command and control
  • dns
  • malware detection
