They’re the scourge of the Internet—networks containing thousands or even millions of virus-infected, remote-controlled PCs. These so-called “botnets” send out spam and launch attacks on websites and computer systems.
But researchers have now come up with a way to spot an infected machine using the way it tries to communicate with its command-and-control server.
Many botnets use a technique known as “domain fluxing” to make the botnet’s control server hard to find and take down. Each infected computer runs a domain-generation algorithm that produces a long list of random-looking domain names and tries each one in turn, looking for the command-and-control server. Most of those lookups lead nowhere, so an observer watching the traffic cannot easily tell which name actually points to the controller. The botnet’s operator, who knows the algorithm and its seed, can generate the same list and needs to register only one of those names to deliver commands; a defender who wants to cut the bots off would have to block or take over all of them.
In a recent paper, a team of researchers from Texas A&M University and security firm Narus turns domain fluxing against the botnet, using it to spot an infected computer. They found that the character distributions of algorithmically generated domain names are closer to random than those of legitimate domains.
The researchers looked at the domain name queries issued by many different machines and compared the names each machine asked for against a baseline of legitimate domains. “If the names were closer to a random distribution, we declared them anomalous,” says A.L. Narasimha Reddy, a Texas A&M engineering professor who developed the technique with colleagues. The researchers report that with around 500 domain queries from a single computer, the method identified infected machines every time.
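The following Python example illustrates both halves of the story above: a toy domain-generation algorithm that shows why the operator and the bots can agree on a name list without ever communicating, and a detector that flags a host whose queried names sit closer to a uniform (random) letter distribution than to a benign baseline. It is an added example, not code from the Texas A&M/Narus paper or from any botnet; the DGA, the benign domain list, the per-host query lists, the `min_distinct` sample size and the use of a simple letter-unigram KL divergence are all assumptions made for illustration.

```python
"""Domain-fluxing demo: a constructed toy DGA plus a letter-distribution detector.

Added illustration, not code from the paper. The DGA is a toy, not any real
botnet's algorithm; domain lists and thresholds are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter
from datetime import date

LETTERS = "abcdefghijklmnopqrstuvwxyz"
DEMO_DAY = date(2011, 3, 16)  # assumed date for the demo


def toy_dga(seed: str, day: date, count: int, tld: str = "com") -> list[str]:
    """Derive `count` candidate domains from a shared seed and the current date.

    Bot and botmaster run the same function, so the botmaster has to register
    only one of the resulting names to be found. (Constructed toy DGA.)
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(LETTERS[b % 26] for b in digest[:12])  # 12 random-looking letters
        domains.append(f"{label}.{tld}")
    return domains


def registrable_label(domain: str) -> str:
    """Label left of the top-level domain (simplified: second component from the right)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def letter_distribution(domains, smoothing: float = 1.0) -> dict[str, float]:
    """Add-one-smoothed unigram distribution of letters over the registrable labels."""
    counts: Counter = Counter()
    for d in domains:
        counts.update(c for c in registrable_label(d) if c in LETTERS)
    total = sum(counts.values()) + smoothing * len(LETTERS)
    return {c: (counts[c] + smoothing) / total for c in LETTERS}


def kl_divergence(p: dict[str, float], q: dict[str, float]) -> float:
    """KL(p || q) in bits; smoothing guarantees every q[c] > 0."""
    return sum(p[c] * math.log2(p[c] / q[c]) for c in LETTERS)


UNIFORM = {c: 1.0 / len(LETTERS) for c in LETTERS}


def score_host(queried_domains, benign_dist, min_distinct: int = 20) -> dict:
    """Flag a host whose names are closer to uniform than to the benign baseline.

    `min_distinct` (assumed value) guards against deciding on too few names.
    """
    distinct = set(queried_domains)
    if len(distinct) < min_distinct:
        return {"verdict": "insufficient_data", "distinct": len(distinct)}
    p = letter_distribution(distinct)
    kl_benign = kl_divergence(p, benign_dist)
    kl_uniform = kl_divergence(p, UNIFORM)
    return {
        "verdict": "anomalous" if kl_uniform < kl_benign else "benign",
        "distinct": len(distinct),
        "kl_to_benign": round(kl_benign, 3),
        "kl_to_uniform": round(kl_uniform, 3),
    }


# Constructed baseline of legitimate-looking names (not a real traffic sample).
BENIGN_DOMAINS = [
    "google.com", "facebook.com", "wikipedia.org", "amazon.com", "youtube.com",
    "twitter.com", "microsoft.com", "apple.com", "netflix.com", "reddit.com",
    "github.com", "stackoverflow.com", "linkedin.com", "instagram.com", "weather.com",
    "nytimes.com", "theguardian.com", "cnn.com", "espn.com", "paypal.com",
    "dropbox.com", "salesforce.com", "adobe.com", "mozilla.org", "ubuntu.com",
    "debian.org", "python.org", "wordpress.com", "tumblr.com", "pinterest.com",
    "yahoo.com", "bing.com", "imdb.com", "craigslist.org", "ebay.com",
    "walmart.com", "target.com", "cloudflare.com", "akamai.com", "mit.edu",
]
BENIGN_DIST = letter_distribution(BENIGN_DOMAINS)

# Constructed per-host DNS query lists: an ordinary workstation and a bot.
LEGIT_HOST_QUERIES = BENIGN_DOMAINS[:30] + ["mail.google.com", "www.nytimes.com"]
BOT_HOST_QUERIES = toy_dga("shared-secret", DEMO_DAY, 500)

if __name__ == "__main__":
    print("botmaster registers:", toy_dga("shared-secret", DEMO_DAY, 500)[17])
    print("legit host:", score_host(LEGIT_HOST_QUERIES, BENIGN_DIST))
    print("bot host:  ", score_host(BOT_HOST_QUERIES, BENIGN_DIST))
```

The detector keys on only one of the measures the paper's method combines, and it treats every name below the top-level domain as the registrable label, so in practice one would group queries per host and per top-level domain and add bigram or edit-distance measures before trusting the verdict on real traffic.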
But Reddy worries that a new, stealthier type of botnet that only wakes up to conduct attacks could make detection harder. “I’m pretty sure that botnet writers will try to innovate by taking measures to defeat the detection,” Reddy says. “As long as we have phishing attacks that easily lure people into clicking on links, the attackers will manage to stay ahead.”
New legal approaches are helping in the war on botnets. In mid-March, U.S. marshals and computer forensics experts descended on Web hosting centers in seven U.S. cities, pulling hard drives from servers that were being used to control a massive botnet known as Rustock. The network consisted of over two million PCs being used to send spam.
Microsoft spearheaded the disruption of Rustock by using the federal trademark law known as the Lanham Act in a new way. By showing that the spammers were using the brands of Microsoft and Pfizer without permission, the companies convinced a judge that drastic measures were necessary. A special legal order allowed Microsoft and the U.S. marshals to seize the alleged criminals’ hardware without first notifying the owners.