Fast-flux botnet detection using DNS
Trends in malware development have led to the creation of malicious software intended to turn infected hosts into zombie machines which form part of a botnet. These zombie machines receive instructions from botmasters through command and control (C&C) servers.
In an attempt to avoid detection and make shutting down and blocking of the C&C servers more difficult, botnet controllers have started using fast-flux domains. These fast-flux domains are hosted on multiple hosts, distributed all over the world on many distinct networks. Below is an example of a fast-flux domain DNS entry:
```
;QUESTION
fanarm.net. IN A
;ANSWER
fanarm.net. 300 IN A 71.35.101.107
fanarm.net. 300 IN A 71.37.48.123
fanarm.net. 300 IN A 195.214.238.241
fanarm.net. 300 IN A 219.95.36.17
fanarm.net. 300 IN A 41.222.11.122
;AUTHORITY
fanarm.net. 300 IN NS ns1.flickingers.net.
fanarm.net. 300 IN NS ns2.flickingers.net.
```
Automated detection of fast-flux domains can be performed by analysing the attributes returned in the DNS response. The attributes we identified as indicative of fast-flux domains are:
- Short TTL
- Number of different network ranges
- Number of different Autonomous System Numbers (ASNs)
- Number of different countries
For the fanarm.net example above, the five A records map to the following networks (one row per A record):
ASN | Net-block | Country | Registrar |
---|---|---|---|
209 | 71.32.0.0/13 | US | arin |
209 | 71.32.0.0/13 | US | arin |
24881 | 195.214.236.0/22 | UA | ripencc |
4788 | 219.95.0.0/17 | MY | apnic |
36866 | 41.222.8.0/21 | KE | afrinic |
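The following is an added example, not the ffanalyse.py script from this page or any code from the paper: it parses a dig-style response in the layout shown above, extracts the four indicators just listed (plus A and NS record counts), and applies a one-point-per-indicator threshold rule of the kind a decision tree learns. The net-block/ASN/country lookup table is constructed from the table above; the TTL and distinct-count thresholds are assumptions, not the paper's learned splits, and a real tool would resolve prefixes through a whois or BGP data source rather than a hard-coded list.

```python
"""Added example (not the paper's ffanalyse.py): parse a dig-style DNS response,
extract the fast-flux indicators, and apply a simple threshold rule."""
import ipaddress
import re

# Constructed sample in the same layout as the page's fanarm.net example.
SAMPLE_RESPONSE = """\
;QUESTION
fanarm.net. IN A
;ANSWER
fanarm.net. 300 IN A 71.35.101.107
fanarm.net. 300 IN A 71.37.48.123
fanarm.net. 300 IN A 195.214.238.241
fanarm.net. 300 IN A 219.95.36.17
fanarm.net. 300 IN A 41.222.11.122
;AUTHORITY
fanarm.net. 300 IN NS ns1.flickingers.net.
fanarm.net. 300 IN NS ns2.flickingers.net.
"""

# Constructed lookup table (prefix, ASN, country) taken from the page's table.
# Assumption: a real implementation queries whois/BGP data instead.
NETBLOCKS = [
    ("71.32.0.0/13", 209, "US"),
    ("195.214.236.0/22", 24881, "UA"),
    ("219.95.0.0/17", 4788, "MY"),
    ("41.222.8.0/21", 36866, "KE"),
]

# name  ttl  IN  type  rdata   (the question line has no TTL, so it never matches)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


def parse_response(text):
    """Return (name, ttl, rtype, rdata) tuples for the A and NS records in the text."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records


def lookup(ip):
    """Find the prefix containing ip; unknown addresses fall back to their /24 with no ASN/country."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn, country in NETBLOCKS:
        if addr in ipaddress.ip_network(prefix):
            return prefix, asn, country
    return str(ipaddress.ip_network(ip + "/24", strict=False)), None, None


def extract_features(records):
    """Count the attributes the page lists: TTL, distinct ranges, ASNs and countries."""
    a_records = [r for r in records if r[2] == "A"]
    ns_records = [r for r in records if r[2] == "NS"]
    ranges, asns, countries = set(), set(), set()
    for _, _, _, ip in a_records:
        prefix, asn, country = lookup(ip)
        ranges.add(prefix)
        if asn is not None:
            asns.add(asn)
        if country is not None:
            countries.add(country)
    return {
        "a_records": len(a_records),
        "ns_records": len(ns_records),
        "ttl": min(r[1] for r in a_records) if a_records else None,
        "ip_ranges": len(ranges),
        "asns": len(asns),
        "countries": len(countries),
    }


def fast_flux_score(features, ttl_max=600, min_distinct=2):
    """One point per indicator present. Thresholds are assumptions for illustration."""
    score = 0
    if features["ttl"] is not None and features["ttl"] <= ttl_max:
        score += 1
    for key in ("ip_ranges", "asns", "countries"):
        if features[key] >= min_distinct:
            score += 1
    return score


def is_fast_flux(features, threshold=3):
    """Flag the domain when at least `threshold` of the four indicators fire."""
    return fast_flux_score(features) >= threshold


if __name__ == "__main__":
    feats = extract_features(parse_response(SAMPLE_RESPONSE))
    print(feats, "fast-flux" if is_fast_flux(feats) else "legitimate")
```

Unknown prefixes are kept as their own /24 so that a gap in the lookup data can never make a domain look less distributed than it is; missing ASN and country values are simply not counted.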
Using a C5.0 decision tree classifier we were able to construct a heuristic-based system to identify fast-flux domains. Furthermore, using a Bayesian classifier trained with known fast-flux domains it was possible to accurately differentiate between legitimate Content Distribution Networks and fast-flux domains. This statistical system allows for automatic adaptation as fast-flux domains are altered by botnet controllers.
Results
The means of each observed attribute are summarised below:
Class | A Records | NS Records | Number of IP Ranges | Number of ASNs | TTL |
---|---|---|---|---|---|
Fast-flux | 2.090032 | 3.916399 | 2.180064 | 3.70418 | 594.9968 |
Legitimate | 1.730769 | 3.87574 | 0.1538462 | 1.094675 | 14885.42 |
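To show how a Bayesian classifier turns these attribute means into the per-class scores reported below, here is an added example that is not the paper's classifier: a Gaussian naive Bayes over the five attributes, with the class means copied from the table above. The page gives no standard deviations, class priors or training data, so the spreads and equal priors in the code are assumptions chosen only for illustration. The scores are accumulated in log space because the raw products of per-feature likelihoods become as small as the 1e-69 value in the results table, which is exactly where a naive product of floats underflows to zero.

```python
"""Added example (not the paper's classifier): Gaussian naive Bayes over the five
DNS attributes, with class means from the page's results table and assumed spreads."""
import math

# Feature order used throughout: A records, NS records, IP ranges, ASNs, TTL.
FEATURES = ("a_records", "ns_records", "ip_ranges", "asns", "ttl")

# Class means copied from the results table on the page.
CLASS_MEANS = {
    "fast-flux": (2.090032, 3.916399, 2.180064, 3.70418, 594.9968),
    "legitimate": (1.730769, 3.87574, 0.1538462, 1.094675, 14885.42),
}
# Assumed standard deviations (constructed; the page does not report them).
CLASS_STD = {
    "fast-flux": (1.0, 1.5, 1.5, 2.0, 600.0),
    "legitimate": (1.0, 1.5, 0.5, 0.5, 12000.0),
}
# Assumed equal class priors.
PRIORS = {"fast-flux": 0.5, "legitimate": 0.5}


def log_gaussian(x, mu, sigma):
    """log of the normal density N(x | mu, sigma^2)."""
    var = sigma * sigma
    return -0.5 * math.log(2 * math.pi * var) - (x - mu) ** 2 / (2 * var)


def class_log_scores(features):
    """log P(class) + sum_i log P(x_i | class); summing logs avoids underflow."""
    scores = {}
    for cls in CLASS_MEANS:
        total = math.log(PRIORS[cls])
        for x, mu, sigma in zip(features, CLASS_MEANS[cls], CLASS_STD[cls]):
            total += log_gaussian(x, mu, sigma)
        scores[cls] = total
    return scores


def classify(features):
    """Return (label, raw unnormalised scores) in the style of the page's results table."""
    logs = class_log_scores(features)
    label = max(logs, key=logs.get)
    return label, {cls: math.exp(s) for cls, s in logs.items()}


def posterior(features):
    """Normalised class probabilities computed with log-sum-exp for numerical safety."""
    logs = class_log_scores(features)
    m = max(logs.values())
    z = sum(math.exp(s - m) for s in logs.values())
    return {cls: math.exp(s - m) / z for cls, s in logs.items()}


if __name__ == "__main__":
    # Constructed attribute vector for the fanarm.net example: 5 A, 2 NS, 4 ranges, 4 ASNs, TTL 300.
    print(classify((5, 2, 4, 4, 300)))
    print(posterior((5, 2, 4, 4, 300)))
```

The raw scores returned by `classify` are what the "Safe Score" and "Malicious Score" columns below correspond to in spirit: comparing them only makes sense for the same domain, and `posterior` is the normalised form to use when a calibrated probability is needed, for example to set an alerting threshold.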
The statistical classifier was able to correctly identify domains as fast-flux or legitimate:
Domain | Safe Score | Malicious Score | Classification |
---|---|---|---|
gingerbucksea.com | 0.005304578 | 0.3550235 | fast-flux |
pearlrumor.ru | 3.059976e-14 | 7.490562e-13 | fast-flux |
wordpress.com | 1.536894e-08 | 4.250896e-10 | legitimate |
champiogogo.ru | 3.395984e-09 | 1.723838e-06 | fast-flux |
yahoo.com | 1.940412e-15 | 1.509179e-69 | legitimate |
Full write-up
The full paper describing our approach and results in more detail can be found here: DNS based detection of Fast-flux domains
Stand-alone script
A stand-alone Python script that can be used to check whether a domain is fast-flux or not can be downloaded here: Fast-flux analyse
Requirements:
- PyDNS - pydns.sourceforge.net
To run the script:
```
python ffanalyse.py www.example.com
```
To run in verbose mode:
```
python ffanalyse.py --adr=www.example.com -v
```