Intelligent Machines

Busting the Botnets

The unusual activity generated by zombie computer networks can lead security experts right to them.

They’re the scourge of the Internet—networks containing thousands or even millions of virus-infected, remote-controlled PCs. These so-called “botnets” send out spam and launch attacks on websites and computer systems.

But researchers have now come up with a way to spot an infected machine using the way it tries to communicate with its command-and-control server.

Many botnets use a technique known as “domain fluxing” that makes it hard to find and disable the botnet’s control server. An infected computer generates a huge list of random-seeming domain names and checks at each domain for the command-and-control server. This makes it difficult for anyone else to know where the botnet controller is. And the creator of the botnet knows how to generate the same list, and only needs to reserve a single domain in order to send commands to the botnet.

In a recent paper, a team of researchers from Texas A&M University and security firm Narus reveals a way to use domain fluxing to spot a botnet computer. They found that the domains generated by botnets are more random than legitimate ones.

The researchers looked at the domain name queries issued by many different machines. “If the names were closer to a random distribution, we declared them anomalous,” says A.L. Narasimha Reddy, a Texas A&M engineering professor who developed the technique with colleagues. A computer that sends requests to 500 domains can be identified as part of the botnet every time.

But Reddy worries that a new, stealthier type of botnet that only wakes up to conduct attacks could make detection harder. “I’m pretty sure that botnet writers will try to innovate by taking measures to defeat the detection,” Reddy says. “As long as we have phishing attacks that easily lure people into clicking on links, the attackers will manage to stay ahead.”

New legal approaches are helping in the war on botnets. In mid-March, U.S. marshals and computer forensics experts descended on Web hosting centers in seven U.S. cities, pulling hard drives from servers that were being used to control a massive botnet known as Rustock. The network consisted of over two million PCs being used to send spam.

Microsoft spearheaded the disruption of Rustock by using a trademark infringement law known as the Lanham Act in new ways. By showing that the spammers were using the brands of Microsoft and Pfizer without permission, the companies convinced a judge that drastic measures were necessary. A special legal order allowed Microsoft and the U.S marshals to seize the alleged criminals’ hardware without first notifying the owners.

The latest Insider Conversation is live! Listen to the story behind the story.

Subscribe today
Already a Premium subscriber? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Premium.
  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look. Exclusive early access to stories.

    Insider Conversations. Listen in as our editors talk to innovators from around the world.

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.