Botnet Threat Intelligence
From MilcordWiki
What is a botnet?
A botnet is a collection of compromised computers ("zombies") that have been turned into a malicious content distribution network without the knowledge of their owners. Under direction from a Command and Control (C&C) server operated by a criminal organization, the zombies attack other computers, send spam, deliver malware, and serve phishing content.
What is fast flux?
Fast flux is a method of making rapid and repeated changes to host and/or name server resource records, so that the IP address to which the domain name of an Internet host or name server resolves changes rapidly. Fast flux has a legitimate use as a load balancing technique for high-availability, high-volume Web sites, but botnets use it to conceal their Command and Control (C&C) servers. There are three main variants of fast flux hosting:
- Basic (single) fast flux hosting, where the IP addresses of the malicious web sites are fluxed
- Name Server (NS) fluxing, where the IP addresses of the DNS name servers are fluxed
- Double flux, where the IP addresses of both the web sites and the name servers are fluxed
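The three variants can be told apart from repeated lookups of one domain: the address set behind the A records and the address set behind the NS records are scored separately for breadth, spread across networks, rotation and TTL. The following classifier is an added example written for this page, not Milcord's detector or code from the publications below; the thresholds (five unique addresses across three /16 prefixes under a 600-second TTL) and the resolution histories are constructed from RFC 5737 documentation ranges.

```python
# Added example: classify fast-flux behaviour from repeated DNS lookups of one domain.
# Thresholds and sample histories are illustrative, not Milcord's detector.


class Snapshot:
    """What a resolver returned for one domain at one point in time."""

    def __init__(self, a_ttl, a_records, ns_ttl, ns_ips):
        self.a_ttl = a_ttl                # TTL of the domain's A records (seconds)
        self.a_records = set(a_records)   # IPs the domain itself resolved to
        self.ns_ttl = ns_ttl              # TTL of the A records of its name servers
        self.ns_ips = set(ns_ips)         # IPs of the domain's authoritative name servers


def _slash16(ip):
    """Coarse stand-in for 'different network': the first two octets."""
    return ".".join(ip.split(".")[:2])


def flux_metrics(ip_sets):
    """Summarise how one address set behaved across consecutive snapshots."""
    seen = set().union(*ip_sets)
    # addresses that newly appear from one snapshot to the next
    churn = sum(len(cur - prev) for prev, cur in zip(ip_sets, ip_sets[1:]))
    return {
        "unique_ips": len(seen),
        "prefixes": len({_slash16(ip) for ip in seen}),
        "churn": churn,
    }


def is_fluxing(ip_sets, ttls, min_unique=5, min_prefixes=3, max_ttl=600):
    """Flux = many addresses, spread across networks, rotated under a short TTL."""
    m = flux_metrics(ip_sets)
    return (m["unique_ips"] >= min_unique
            and m["prefixes"] >= min_prefixes
            and m["churn"] > 0
            and max(ttls) <= max_ttl)


def classify(snapshots):
    """Map a domain's lookup history onto the three variants listed above."""
    a_flux = is_fluxing([s.a_records for s in snapshots], [s.a_ttl for s in snapshots])
    ns_flux = is_fluxing([s.ns_ips for s in snapshots], [s.ns_ttl for s in snapshots])
    if a_flux and ns_flux:
        return "double flux"
    if a_flux:
        return "single flux"
    if ns_flux:
        return "NS flux"
    return "not fluxing"


# Constructed lookups (RFC 5737 ranges), one inner list per snapshot.
FLUX_A = [
    ["203.0.113.10", "198.51.100.7", "192.0.2.33"],
    ["203.0.113.10", "192.0.2.45", "198.51.100.88"],
    ["198.51.100.7", "192.0.2.60", "203.0.113.120"],
    ["192.0.2.33", "203.0.113.140", "198.51.100.91"],
]
FLUX_NS = [
    ["198.51.100.200", "203.0.113.99"],
    ["192.0.2.9", "203.0.113.99"],
    ["192.0.2.9", "198.51.100.201"],
    ["203.0.113.150", "192.0.2.77"],
]
FIXED_A = [["203.0.113.5"]] * 4
FIXED_NS = [["203.0.113.53", "203.0.113.54"]] * 4


def make_history(a_sets, ns_sets, a_ttl, ns_ttl):
    return [Snapshot(a_ttl, a, ns_ttl, ns) for a, ns in zip(a_sets, ns_sets)]


DOUBLE_FLUX = make_history(FLUX_A, FLUX_NS, 300, 300)
SINGLE_FLUX = make_history(FLUX_A, FIXED_NS, 300, 86400)
NS_FLUX = make_history(FIXED_A, FLUX_NS, 3600, 300)
STABLE = make_history(FIXED_A, FIXED_NS, 3600, 86400)

if __name__ == "__main__":
    for name, history in [("double", DOUBLE_FLUX), ("single", SINGLE_FLUX),
                          ("ns", NS_FLUX), ("stable", STABLE)]:
        print(name, "->", classify(history))
```

The prefix count is the part that separates flux from ordinary round-robin: a CDN also returns many short-TTL addresses, but they sit in a handful of its own networks, whereas compromised home machines are scattered across many ISPs. A production detector would replace the /16 heuristic with ASN lookups.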
What is Dynamic DNS?
Dynamic DNS is a service that lets a Domain Name System (DNS) name server change, in real time, the active DNS configuration of its configured hostnames, addresses or other information. A popular application of dynamic DNS is to give a residential user's Internet gateway, whose IP address changes frequently, a well-known hostname resolvable through standard DNS queries. Botnets use dynamic DNS to point their bots at a new C&C server when the current C&C is shut down by authorities. This redirection of bots through DNS is called herding. A botmaster will also periodically update the dynamic DNS entry to hide the location of its C&C server.
What is Botnet Threat Intelligence?
Botnet Threat Intelligence is a knowledge base that Milcord has built using state-of-the-art technology that detects and classifies fast flux botnets using both active and passive DNS monitoring. In addition, our approach is able to differentiate and classify all three fast-flux variants, including name server flux and double-flux.
What does Botnet Threat Intelligence provide?
Botnet Threat Intelligence provides domains, domain IPs, nameserver domains, and nameserver domain IPs used in fast flux service networks for malicious activities such as spam campaigns, phishing attacks, and malware delivery. The data repository is available as a standalone database or through a Web service API.
What are the applications of Botnet Threat Intelligence?
Our data service can be used by ISPs to identify infected consumer machines on their networks; by university system administrators to find compromised student machines; by financial service companies to determine which client machines are under the control of botnet operators; by CERTs to check outbound traffic record archives against our intelligence to find the "bad neighborhoods" in cyberspace; and by government agency and large enterprise network administrators to monitor outbound traffic against our intelligence to prevent infection of enterprise computing resources.
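All of these uses come down to the same check: match outbound DNS and flow records against the four indicator categories the feed provides (domains, domain IPs, name server domains, name server IPs) and list the internal hosts that hit any of them. The scanner below is an added example, not Milcord's API or code; the indicator set, the log layout ("<ts> dns <client> <qtype> <qname>" and "<ts> flow <client> <dst_ip> <dst_port>") and the log lines are constructed, with hypothetical domain names and RFC 5737 addresses. Domain indicators are matched as suffixes, so a query for any host under a fluxed domain counts; a client sending traffic to port 53 of a fluxed name server IP is resolving through the botnet's own infrastructure and is flagged too.

```python
# Added example: match outbound records against a fast-flux indicator set.
# Indicators, log format and log lines are constructed for this page.
import re

INTEL = {  # hypothetical indicators in the four categories the feed provides
    "domains":    {"flux-pharma.example", "login-bank-verify.example"},
    "domain_ips": {"203.0.113.10", "198.51.100.7"},
    "ns_domains": {"ns1.flux-pharma.example"},
    "ns_ips":     {"192.0.2.9"},
}

LOG_LINES = [  # constructed resolver and flow records from an internal 10.0.0.0/8
    "2010-10-03T12:00:01Z dns 10.0.0.15 A www.flux-pharma.example",
    "2010-10-03T12:00:02Z dns 10.0.0.15 A ns1.flux-pharma.example",
    "2010-10-03T12:00:05Z flow 10.0.0.22 198.51.100.7 80",
    "2010-10-03T12:01:00Z dns 10.0.0.40 A www.example.org",
    "2010-10-03T12:01:09Z flow 10.0.0.40 192.0.2.9 53",
    "2010-10-03T12:02:00Z flow 10.0.0.51 203.0.113.200 443",
]

DNS_RE = re.compile(r"^(\S+) dns (\S+) (\S+) (\S+)$")
FLOW_RE = re.compile(r"^(\S+) flow (\S+) (\S+) (\d+)$")


def parent_domains(name):
    """Yield a name and each of its parents: a.b.c -> a.b.c, b.c, c."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def match_domain(name, indicators):
    """Return the indicator that covers `name` (exact or as a parent), else None."""
    for candidate in parent_domains(name):
        if candidate in indicators:
            return candidate
    return None


def _hit(ts, client, kind, indicator):
    return {"ts": ts, "client": client, "kind": kind, "indicator": indicator}


def scan(lines, intel):
    """One hit per log line that touches an indicator; unmatched lines are ignored."""
    hits = []
    for line in lines:
        dns, flow = DNS_RE.match(line), FLOW_RE.match(line)
        if dns:
            ts, client, _qtype, qname = dns.groups()
            qname = qname.rstrip(".").lower()
            if qname in intel["ns_domains"]:          # exact: NS names are hostnames
                hits.append(_hit(ts, client, "ns_domain", qname))
            else:
                domain = match_domain(qname, intel["domains"])  # suffix match
                if domain:
                    hits.append(_hit(ts, client, "domain", domain))
        elif flow:
            ts, client, dst_ip, _port = flow.groups()
            if dst_ip in intel["domain_ips"]:
                hits.append(_hit(ts, client, "domain_ip", dst_ip))
            elif dst_ip in intel["ns_ips"]:
                hits.append(_hit(ts, client, "ns_ip", dst_ip))
    return hits


def infected_hosts(lines, intel):
    """Sorted list of internal clients that hit at least one indicator."""
    return sorted({h["client"] for h in scan(lines, intel)})


if __name__ == "__main__":
    for hit in scan(LOG_LINES, INTEL):
        print(hit)
    print("hosts to investigate:", infected_hosts(LOG_LINES, INTEL))
```

Because fluxed addresses are home machines that churn out of the network within hours, a match on a domain IP or name server IP is only meaningful when the log timestamp falls inside the indicator's observation window; a real deployment would carry first-seen and last-seen times with each indicator and compare them against the record's timestamp before raising a hit.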
References
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2011) Behavioral Analysis of Botnets for Threat Intelligence, Information Systems and e-Business Management, Springer, DOI: 10.1007/s10257-011-0171-7.
- Caglayan, A. and Toothaker, M. (2010) FastFluxMonitor vs. Darknet Traffic, SIE Workshop, Atlanta, GA, October 3, 2010.
- Massey, D. and Caglayan, A. (2010) Event Detection via DNS and Route Monitoring, 6th Annual GFIRST National Conference (GFIRST6: Building Today, Shaping Tomorrow – Ensuring an Effective Response Capability to Manage Risks in Cyberspace), San Antonio, TX, August 15-20, 2010.
- Caglayan, A. (2010) Improving Malware Situational Awareness by Monitoring the Relationships in DNS Infrastructure, Multiagency and Industry Malware and Bot Reverse Engineering Technical Exchange Meeting (MTEM 10), MIT Lincoln Laboratory, July 15-16, 2010.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2010) Guilt by Association based Discovery of Botnet Footprints, NATO Research and Technology Organization Workshop on Information Security and Defense, Antalya, Turkey, April 26-30, 2010.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2010) Behavioral Patterns of Fast Flux Service Networks, Hawaii International Conference on System Sciences (HICSS-43), Cyber Security and Information Intelligence Research Minitrack, Koloa, Kauai, Hawaii, January 5-8, 2010.
- Naone, E. (2009) Tracking Devious Phishing Websites, MIT Technology Review, October 19, 2009.
- Naone, E. (2009) Why Don't Spammers Get Shut Down Faster?, MIT Technology Review Blog, October 19, 2009.
- McGrath, D. K., Kalafut, A. and Gupta, M. (2009) Phishing Infrastructure Fluxes All the Way, IEEE Security and Privacy, pp. 21-28, September/October 2009.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D., Eaton, G., Van Randwyk, J., Lloyd, L., Proebstel, E., Burnett, D., Bayer, G. and Sanders, B. (2009) Botnet Analytics Appliance, Final Report, Department of Homeland Security Cyber Security R&D Center Contract No. NBCHC070126, October 2009.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2009) Behavioral Analysis of Fast Flux Service Networks, Fifth Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW 09), Oak Ridge, TN, April 13-15, 2009.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2009) Real Time Detection of Fast Flux Service Networks, Cybersecurity Applications and Technologies Conference for Homeland Security (CATCH 2009), Washington, DC, March 3-4, 2009.
- Buxbaum, P. A. (2008) Battling Botnets, Military Information Technology, Vol. 12, No. 7, 2008.
- Caglayan, A., Toothaker, M. and Windholz, T. (2007) A Bayesian Activity Monitor for Botnet Defense, 2007 Monterey Homeland Security Conference, Monterey, CA, August 2007.
- Caglayan, A., Toothaker, M. and Windholz, T. (2007) A Bayesian Activity Monitor for Botnet Defense, Final Report, Department of Homeland Security Cyber Security R&D Center Contract No. NBCHC060135, March 2007.
