They’re the scourge of the Internet—networks containing thousands or even millions of virus-infected, remote-controlled PCs. These so-called “botnets” send out spam and launch attacks on websites and computer systems.
But researchers have now come up with a way to spot an infected machine using the way it tries to communicate with its command-and-control server.
Many botnets use a technique known as “domain fluxing” that makes it hard to find and disable the botnet’s control server. An infected computer generates a huge list of random-seeming domain names and checks each one for the command-and-control server. This makes it difficult for anyone else to know where the botnet controller is, while the creator of the botnet, who knows how to generate the same list, only needs to register a single domain from it in order to send commands to the botnet.
In a recent paper, a team of researchers from Texas A&M University and security firm Narus reveals a way to use domain fluxing to spot a botnet computer. They found that the domains generated by botnets are more random than legitimate ones.
The researchers looked at the domain name queries issued by many different machines. “If the names were closer to a random distribution, we declared them anomalous,” says A.L. Narasimha Reddy, a Texas A&M engineering professor who developed the technique with colleagues. A computer that sends requests to 500 domains can be identified as part of the botnet every time.
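As an added illustration (not code from the paper, from Texas A&M or from Narus, whose exact statistic the article does not give), the following script scores each host by how far the character distribution of the domain names it queried is from a uniform distribution, flagging hosts whose names look close to random. The constructed query sample, the choice of KL divergence as the statistic, the 36-symbol alphabet, the threshold and the minimum query count are all assumptions.

```python
"""Score DNS-querying hosts by how close the character distribution of the
names they look up is to uniform ("closer to a random distribution").
Constructed, illustrative code; not the paper's implementation."""
import math
from collections import Counter

ALPHABET_SIZE = 36  # assumption: lowercase a-z plus 0-9 after normalisation

# Constructed sample of per-host DNS queries (not captured traffic).
QUERIES = {
    "host-a": ["mail.google.com", "www.wikipedia.org", "github.com",
               "docs.microsoft.com", "www.amazon.com"],
    "host-b": ["x7qz1kp9v2.com", "m0dfj3l8aw.net", "b4gn5hr6ue.org",
               "ciys0tok2p.com", "vjrz3xm7bq.net"],
}

def registered_label(domain):
    """Second-level label, e.g. 'google' for 'mail.google.com'.
    Simplification: a real deployment would consult the public suffix list
    so that 'example.co.uk' yields 'example' rather than 'co'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def kl_from_uniform(domains):
    """KL divergence of the observed character distribution from the uniform
    distribution over ALPHABET_SIZE symbols, i.e. log2(K) - H(P). A value
    near 0 means the names are close to random (DGA-like)."""
    counts = Counter(c for d in domains for c in registered_label(d) if c.isalnum())
    total = sum(counts.values())
    if not total:
        return math.inf  # no characters observed; nothing to score
    entropy = -sum(n / total * math.log2(n / total) for n in counts.values())
    return math.log2(ALPHABET_SIZE) - entropy

def flag_hosts(queries, threshold=0.5, min_queries=5):
    """Return {host: score} for hosts that queried at least `min_queries`
    names and scored below `threshold`. The article reports reliable
    identification after 500 queries; min_queries=5 here only because the
    constructed sample is tiny, and threshold=0.5 is an assumed cut-off."""
    flagged = {}
    for host, domains in queries.items():
        if len(domains) < min_queries:
            continue  # too few names to estimate a distribution
        score = kl_from_uniform(domains)
        if score < threshold:
            flagged[host] = score
    return flagged

if __name__ == "__main__":
    for host, domains in QUERIES.items():
        print(f"{host}: KL from uniform = {kl_from_uniform(domains):.3f}")
    print("flagged:", flag_hosts(QUERIES))
```

With the sample above the legitimate host scores about 1.08 and the DGA-like host about 0.09; with only a handful of names per host the score is dominated by sample size, which is why a minimum query count is enforced.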
But Reddy worries that a new, stealthier type of botnet that only wakes up to conduct attacks could make detection harder. “I’m pretty sure that botnet writers will try to innovate by taking measures to defeat the detection,” Reddy says. “As long as we have phishing attacks that easily lure people into clicking on links, the attackers will manage to stay ahead.”
New legal approaches are helping in the war on botnets. In mid-March, U.S. marshals and computer forensics experts descended on Web hosting centers in seven U.S. cities, pulling hard drives from servers that were being used to control a massive botnet known as Rustock. The network consisted of over two million PCs being used to send spam.
Microsoft spearheaded the disruption of Rustock by using a trademark infringement law known as the Lanham Act in new ways. By showing that the spammers were using the brands of Microsoft and Pfizer without permission, the companies convinced a judge that drastic measures were necessary. A special legal order allowed Microsoft and the U.S. marshals to seize the alleged criminals’ hardware without first notifying the owners.