Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

They’re the scourge of the Internet—networks containing thousands or even millions of virus-infected, remote-controlled PCs. These so-called “botnets” send out spam and launch attacks on websites and computer systems.

But researchers have now come up with a way to spot an infected machine using the way it tries to communicate with its command-and-control server.

Many botnets use a technique known as “domain fluxing” that makes it hard to find and disable the botnet’s control server. An infected computer generates a huge list of random-seeming domain names and checks at each domain for the command-and-control server. This makes it difficult for anyone else to know where the botnet controller is. And the creator of the botnet knows how to generate the same list, and only needs to reserve a single domain in order to send commands to the botnet.

In a recent paper, a team of researchers from Texas A&M University and security firm Narus reveals a way to use domain fluxing to spot a botnet computer. They found that the domains generated by botnets are more random than legitimate ones.

The researchers looked at the domain name queries issued by many different machines. “If the names were closer to a random distribution, we declared them anomalous,” says A.L. Narasimha Reddy, a Texas A&M engineering professor who developed the technique with colleagues. A computer that sends requests to 500 domains can be identified as part of the botnet every time.

But Reddy worries that a new, stealthier type of botnet that only wakes up to conduct attacks could make detection harder. “I’m pretty sure that botnet writers will try to innovate by taking measures to defeat the detection,” Reddy says. “As long as we have phishing attacks that easily lure people into clicking on links, the attackers will manage to stay ahead.”

New legal approaches are helping in the war on botnets. In mid-March, U.S. marshals and computer forensics experts descended on Web hosting centers in seven U.S. cities, pulling hard drives from servers that were being used to control a massive botnet known as Rustock. The network consisted of over two million PCs being used to send spam.

Microsoft spearheaded the disruption of Rustock by using a trademark infringement law known as the Lanham Act in new ways. By showing that the spammers were using the brands of Microsoft and Pfizer without permission, the companies convinced a judge that drastic measures were necessary. A special legal order allowed Microsoft and the U.S marshals to seize the alleged criminals’ hardware without first notifying the owners.

1 comment. Share your thoughts »

Credit: Technology Review

Tagged: Computing, security, Internet, virus, botnets, zombie computer networks

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me