Fast-flux botnet detection using DNS


Trends in malware development have led to malicious software whose purpose is to turn infected machines into zombies that form part of a botnet. These zombie machines receive instructions from botmasters through command and control (C&C) servers.
To avoid detection and to make blocking or shutting down the C&C servers more difficult, botnet controllers have started using fast-flux domains. A fast-flux domain resolves to many hosts distributed all over the world on many distinct networks, and the short TTL on its records lets the set of addresses be rotated rapidly. Below is an example of a fast-flux domain's DNS response:

;QUESTION

fanarm.net.         IN   A

;ANSWER

fanarm.net.  300  IN  A  71.35.101.107
fanarm.net.  300  IN  A  71.37.48.123
fanarm.net.  300  IN  A  195.214.238.241
fanarm.net.  300  IN  A  219.95.36.17
fanarm.net.  300  IN  A  41.222.11.122

;AUTHORITY

fanarm.net.  300  IN  NS  ns1.flickingers.net.
fanarm.net.  300  IN  NS  ns2.flickingers.net.


Fast-flux domains can be detected automatically by analysing the attributes of the DNS response. The attributes we identified as indicative of fast-flux domains were:
  • Short TTL
  • Number of distinct network ranges
  • Number of distinct Autonomous System Numbers (ASNs)
  • Number of distinct countries
The number of A records and the number of NS records returned can be used in conjunction with these attributes.

Whois lookups for the five A records in the response above (one row per address, in answer order):

ASN     Net-block          Country  Registrar
209     71.32.0.0/13       US       arin
209     71.32.0.0/13       US       arin
24881   195.214.236.0/22   UA       ripencc
4788    219.95.0.0/17      MY       apnic
36866   41.222.8.0/21      KE       afrinic
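The following is an added example, not the project's script, showing how the attributes listed above are derived from a DNS response and a netblock lookup. The fanarm.net records are copied from the response above; the single-host answer for example.test, the 192.0.2.0/24 entry (AS64496, a documentation ASN) and the threshold values in flux_indicators are constructed for illustration and are not taken from the paper.

```python
import ipaddress

# Constructed DNS answer, copied from the fanarm.net records shown above.
# In the real tool the records come from a resolver; here they are embedded
# so the example runs offline.
FLUX_ANSWER = """\
fanarm.net.  300  IN  A  71.35.101.107
fanarm.net.  300  IN  A  71.37.48.123
fanarm.net.  300  IN  A  195.214.238.241
fanarm.net.  300  IN  A  219.95.36.17
fanarm.net.  300  IN  A  41.222.11.122
fanarm.net.  300  IN  NS  ns1.flickingers.net.
fanarm.net.  300  IN  NS  ns2.flickingers.net.
"""

# Constructed single-host answer for contrast (RFC 5737 documentation address).
STATIC_ANSWER = """\
example.test.  86400  IN  A  192.0.2.10
example.test.  86400  IN  NS  ns1.example.test.
example.test.  86400  IN  NS  ns2.example.test.
"""

# Constructed stand-in for an IP-to-ASN/whois lookup, taken from the table above
# plus one documentation prefix (AS64496 is reserved for documentation).
# A real implementation would query a RIR whois server or an IP-to-ASN service.
NETBLOCKS = [
    ("71.32.0.0/13", 209, "US", "arin"),
    ("195.214.236.0/22", 24881, "UA", "ripencc"),
    ("219.95.0.0/17", 4788, "MY", "apnic"),
    ("41.222.8.0/21", 36866, "KE", "afrinic"),
    ("192.0.2.0/24", 64496, "XX", "test"),
]


def parse_answer(text):
    """Parse 'name ttl class type rdata' lines (as in the response above)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].startswith(";"):
            continue  # skip section markers and blank lines
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def lookup(ip):
    """Return (netblock, asn, country) for ip, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for block, asn, country, _rir in NETBLOCKS:
        if addr in ipaddress.ip_network(block):
            return block, asn, country
    return None


def extract_features(records):
    """Compute the attributes listed above from one DNS response."""
    a_records = [r for r in records if r["type"] == "A"]
    ns_records = [r for r in records if r["type"] == "NS"]
    blocks, asns, countries = set(), set(), set()
    for r in a_records:
        info = lookup(r["rdata"])
        if info is None:
            continue  # unknown address: still counted as an A record, not enriched
        block, asn, country = info
        blocks.add(block)
        asns.add(asn)
        countries.add(country)
    return {
        "a_records": len(a_records),
        "ns_records": len(ns_records),
        "ttl": min((r["ttl"] for r in a_records), default=0),
        "ip_ranges": len(blocks),
        "asns": len(asns),
        "countries": len(countries),
    }


def flux_indicators(features, max_ttl=600):
    """Names of the attributes that look fast-flux-like.  The thresholds are
    assumptions chosen for illustration, not those learnt by the paper's
    C5.0 tree; a CDN can trip all four, which is why a trained classifier
    is needed to separate CDNs from fast-flux."""
    hits = []
    if features["ttl"] <= max_ttl:
        hits.append("short_ttl")
    if features["ip_ranges"] > 1:
        hits.append("multiple_ip_ranges")
    if features["asns"] > 1:
        hits.append("multiple_asns")
    if features["countries"] > 1:
        hits.append("multiple_countries")
    return hits


if __name__ == "__main__":
    for name, answer in (("fanarm.net", FLUX_ANSWER), ("example.test", STATIC_ANSWER)):
        feats = extract_features(parse_answer(answer))
        print(name, feats, flux_indicators(feats))
```

For fanarm.net the example yields 5 A records, 2 NS records, a TTL of 300, and 4 distinct netblocks, ASNs and countries, so all four indicators fire; the single-host answer trips none. Addresses missing from the lookup table are still counted as A records but contribute nothing to the range, ASN and country counts, so an incomplete whois source biases these three attributes downwards rather than raising false alarms.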

Using a C5.0 decision tree classifier we constructed a heuristic-based system to identify fast-flux domains. Furthermore, using a Bayesian classifier trained with known fast-flux domains it was possible to differentiate accurately between fast-flux domains and legitimate content distribution networks (CDNs), which also answer with many geographically dispersed addresses and short TTLs. This statistical system adapts automatically as botnet controllers alter their fast-flux domains.
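To make concrete how a classifier of this kind produces one score per class, here is an added example (not the paper's code or its model) of a Gaussian naive Bayes classifier fitted to a small constructed training set. The training vectors, the attribute order (A records, NS records, IP ranges, ASNs, TTL), and the choice of independent Gaussian class conditionals are all assumptions of this example; the paper does not state its exact model.

```python
import math

# Constructed training set: attribute vectors in the order
# (A records, NS records, IP ranges, ASNs, TTL).  These are illustrative
# values, not the paper's data or its class means.
TRAIN = {
    "fast-flux": [
        (5, 2, 4, 4, 300), (3, 2, 3, 3, 60), (6, 4, 5, 6, 120), (2, 2, 2, 2, 180),
    ],
    "legitimate": [
        (1, 2, 1, 1, 86400), (2, 4, 1, 1, 3600), (1, 3, 1, 1, 14400), (3, 4, 1, 1, 7200),
    ],
}


def fit(train):
    """Per-class prior and per-attribute (mean, variance).  The class
    conditionals are modelled as independent Gaussians; this is an
    assumption of the example, not something the paper states."""
    total = sum(len(rows) for rows in train.values())
    model = {}
    for label, rows in train.items():
        params = []
        for col in zip(*rows):
            mean = sum(col) / len(col)
            var = sum((x - mean) ** 2 for x in col) / len(col)
            # floor: an attribute that is constant in the training data
            # must not produce a zero variance (division by zero below)
            params.append((mean, max(var, 1e-6)))
        model[label] = (len(rows) / total, params)
    return model


def log_scores(model, features):
    """log P(class) + sum_i log N(x_i; mean_i, var_i) for each class.
    Working in the log domain avoids the underflow that raw products suffer."""
    out = {}
    for label, (prior, params) in model.items():
        ll = math.log(prior)
        for x, (mean, var) in zip(features, params):
            ll += -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)
        out[label] = ll
    return out


def classify(model, features):
    """Return (label, {class: raw score}).  The label is the class with the
    larger log score; the raw scores are exp() of the log scores and may
    underflow to 0.0 for a very unlikely class."""
    ls = log_scores(model, features)
    label = max(ls, key=ls.get)
    return label, {k: math.exp(v) for k, v in ls.items()}


if __name__ == "__main__":
    model = fit(TRAIN)
    for domain, vec in (("flux-like", (5, 2, 4, 4, 300)), ("static-like", (1, 2, 1, 1, 86400))):
        print(domain, classify(model, vec))
```

The raw scores are unnormalised products of a prior and per-attribute likelihoods, so they are very small numbers that are only meaningful relative to each other; the class with the larger score wins. Retraining is just calling fit on an updated set of labelled domains, which is the property the text above describes as automatic adaptation.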

Results

The means of each observed attribute are summarised below:

              A Records   NS Records   Number of IP Ranges   Number of ASNs   TTL
Fast-flux     2.090032    3.916399     2.180064              3.704185         94.9968
Legitimate    1.730769    3.87574      0.1538462             1.094675         14885.42

The statistical classifier correctly identified the following domains as fast-flux or legitimate; the larger of the two scores determines the classification:

Domain              Safe Score     Malicious Score   Classification
gingerbucksea.com   0.005304578    0.3550235         fast-flux
pearlrumor.ru       3.059976e-14   7.490562e-13      fast-flux
wordpress.com       1.536894e-08   4.250896e-10      legitimate
champiogogo.ru      3.395984e-09   1.723838e-06      fast-flux
yahoo.com           1.940412e-15   1.509179e-69      legitimate

Full write-up

The full paper describing our approach and results in more detail can be found here:
DNS based detection of Fast-flux domains

Stand-alone script

A stand-alone Python script that checks whether a domain is fast-flux can be downloaded here: Fast-flux analyse

Requirements:
PyDNS - pydns.sourceforge.net

To run the script:
python ffanalyse.py www.example.com

To run in verbose mode:
python ffanalyse.py --adr=www.example.com -v