
Busting the Botnets

The unusual activity generated by zombie computer networks can lead security experts right to them.
April 12, 2011

They’re the scourge of the Internet: networks of thousands or even millions of malware-infected PCs under an attacker’s remote control. These so-called “botnets” send spam and launch attacks on websites and computer systems.

But researchers have now come up with a way to spot an infected machine from the pattern of domain-name lookups it makes while trying to reach its command-and-control server.

Many botnets use a technique known as “domain fluxing” that makes it hard to find and disable the botnet’s control server. Each infected computer runs an algorithm that generates a long list of random-looking domain names, typically from a shared seed such as the current date, and looks up each one in turn until it finds the command-and-control server. Anyone who finds and blocks one of those domains gains little, because the list changes with the seed. The botnet’s creator, who knows the algorithm, can generate the same list and only needs to register a single domain from it in order to send commands to the botnet.

In a recent paper (“Detecting Algorithmically Generated Malicious Domain Names”), a team of researchers from Texas A&M University and the security firm Narus reveals a way to turn domain fluxing against the botnet. They found that the names a botnet generates are measurably more random than legitimate ones: the distribution of characters in algorithmically generated labels is much closer to uniform than in names people choose, which are built from words and pronounceable syllables, and measures such as the Kullback-Leibler divergence between those character distributions separate the two.

The researchers looked at the domain-name queries issued by many different machines and scored each machine’s batch of names against a baseline of legitimate traffic. “If the names were closer to a random distribution, we declared them anomalous,” says A.L. Narasimha Reddy, a Texas A&M engineering professor who developed the technique with colleagues. In their experiments, a group of 500 queried domains from one machine was enough to identify a bot correctly every time; with smaller groups the classification is less reliable. The baseline matters in practice, since legitimate hosts also resolve random-looking names such as content-delivery and tracking hostnames, which is why the method judges groups of queries rather than individual names.
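To make the two ideas above concrete, here is an added example (not code from the paper or from the article) that pairs a toy domain-generation algorithm with a character-distribution detector in the spirit of the Texas A&M / Narus approach. The hash-based DGA, the list of legitimate names used as a baseline, the two sample hosts and the group-size threshold are all constructed for illustration and are assumptions, not the researchers’ data; the detector flags a host whose letter mix is closer to a uniform distribution than to the benign baseline, which is the comparison Reddy describes.

```python
# Added example (not code from the paper or the article): a toy
# domain-generation algorithm beside a character-distribution detector in the
# spirit of the Texas A&M / Narus approach. The DGA, the baseline list of
# legitimate names, the sample hosts and the thresholds are all constructed
# for illustration; they are assumptions, not the researchers' data or code.
import hashlib
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
UNIFORM = {c: 1 / len(ALPHABET) for c in ALPHABET}


def toy_dga(seed, count, tld="com"):
    """Deterministically derive `count` random-looking domains from a seed.

    A bot and its operator that share the algorithm and the seed (a date
    string here) derive the same list, so the operator need register only one
    name in it to regain control of the botnet."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:12])
        names.append(f"{label}.{tld}")
    return names


def second_level_label(domain):
    """'www.example.com' -> 'example' (naive: no public-suffix handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def char_distribution(domains):
    """Relative frequency of each letter across the second-level labels."""
    counts = Counter()
    for d in domains:
        counts.update(c for c in second_level_label(d) if c in ALPHABET)
    total = sum(counts.values()) or 1
    return {c: counts[c] / total for c in ALPHABET}


def kl_divergence(p, q, eps=1e-6):
    """KL(P || Q) in bits; eps keeps letters absent from Q from dividing by zero."""
    return sum(p[c] * math.log2((p[c] + eps) / (q[c] + eps)) for c in ALPHABET)


def classify_host(queried_domains, benign_dist, min_group=50):
    """Classify one host from the names it looked up.

    Returns (verdict, kl_to_benign, kl_to_uniform). The host is flagged when
    its letter mix is closer to the uniform (random) distribution than to the
    benign baseline. Groups smaller than min_group are left undecided, since
    accuracy depends on having enough names per source."""
    if len(queried_domains) < min_group:
        return ("undecided", None, None)
    p = char_distribution(queried_domains)
    to_benign = kl_divergence(p, benign_dist)
    to_uniform = kl_divergence(p, UNIFORM)
    verdict = "anomalous" if to_benign > to_uniform else "benign"
    return (verdict, to_benign, to_uniform)


# Constructed baseline of legitimate second-level names (stand-in for a
# whitelist or a large sample of benign DNS traffic).
LEGIT_BASELINE = [f"{n}.com" for n in (
    "google facebook youtube wikipedia amazon twitter microsoft apple netflix "
    "linkedin reddit github instagram yahoo ebay paypal dropbox spotify adobe "
    "mozilla cloudflare stackoverflow wordpress bbc cnn nytimes weather "
    "craigslist pinterest tumblr imdb espn walmart target bestbuy zillow "
    "salesforce oracle intel nvidia").split()]

# Constructed traffic: a normal host repeatedly resolving popular sites, and a
# bot working through 500 candidates from the toy DGA seeded with a date.
BENIGN_HOST_QUERIES = LEGIT_BASELINE[:16] * 4
BOT_HOST_QUERIES = toy_dga("2011-04-12", 500)

if __name__ == "__main__":
    benign = char_distribution(LEGIT_BASELINE)
    for name, queries in (("normal host", BENIGN_HOST_QUERIES),
                          ("bot host", BOT_HOST_QUERIES)):
        verdict, kb, ku = classify_host(queries, benign)
        print(f"{name:12s} {verdict:10s} KL(benign)={kb:.3f} KL(uniform)={ku:.3f}")
```

Run stand-alone, the script reports the normal host as benign (its letter frequencies sit far closer to the baseline than to uniform) and the bot host as anomalous (letters such as j and q, which the baseline never contains, appear in roughly one in twenty-six positions of the generated names). The comparison against a benign baseline rather than a fixed entropy threshold is deliberate: it lets an operator tune the detector to their own traffic, and the `min_group` guard mirrors the observation that the method needs a sizeable batch of names per source before its verdict is trustworthy. A production version would group queries per source address, strip public suffixes properly instead of taking the second label, and treat the score as one signal alongside NXDOMAIN rates and query timing.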

But Reddy worries that a new, stealthier type of botnet that only wakes up to conduct attacks could make detection harder. “I’m pretty sure that botnet writers will try to innovate by taking measures to defeat the detection,” Reddy says. “As long as we have phishing attacks that easily lure people into clicking on links, the attackers will manage to stay ahead.”

New legal approaches are also helping in the war on botnets. In mid-March 2011, U.S. marshals and computer forensics experts descended on Web hosting centers in seven U.S. cities, pulling hard drives from servers that were being used to control a massive botnet known as Rustock. The network reportedly consisted of over two million PCs being used to send spam.

Microsoft spearheaded the disruption of Rustock by using a trademark law, the Lanham Act, in a new way. By showing that the spammers were using the brands of Microsoft and Pfizer without permission, the companies convinced a judge that drastic measures were necessary. A court order granted without notice to the other side allowed Microsoft and the U.S. marshals to seize the alleged criminals’ hardware before its owners learned of the action, so the servers could not be moved ahead of the raid.

Illustration by Rose Wong