DNS anomaly detection: Defend against sophisticated malware
by Barry Weymes - Security Analyst, Fox-IT - Tuesday, 28 May 2013.
Finding the source of malicious DNS traffic

Monitoring tells you that an infection exists; analysis of the captured data leads back to its source, and finding the infected host is always the goal. Various tools and methods exist for analyzing DNS traffic for DGA patterns and for searching DNS logs for the specific queries of known or suspected botnets. Proven analysis tools that look only at failed DNS requests (NXDOMAIN responses) can quickly pick out malicious domains with a low false-positive rate, because legitimate clients rarely generate large numbers of lookups for names that do not exist. Focused on that narrower data set, the DGA domains stick out like a sore thumb.

Another way to analyze NXDOMAIN logs is to search for long domain names. Legitimate domains are typically shorter than 12 characters, and usually as short as possible so that people can remember them. A cybercriminal's bots have no such constraint, and the longer, generated names they query for command-and-control are obvious and easy to find. A 14-character domain made up only of consonants, for example, is automatically flagged as malicious by the detection system.

The best-known and most widespread malware family is ZeuS, which has infected millions of PCs. A typical ZeuS query is 33 characters long or more and ends in .ru, .com, .biz, .info, .org or .net.

In addition to analysis tools, there are specific methods for searching through the NXDOMAIN logs. We look at three characteristics of each domain:

Domain length – broken into 6 length categories.
Character makeup – alphanumeric (letters and digits), letters only, and consonants only.
Top Level Domain (TLD) – 272 variations.

This method constantly looks for any combination of these three characteristics – a bit like a slot machine rotating its reels waiting to hit the jackpot.

Random DGA domains:

agng78sagdfDKJdtwa887.com
kt2syggf436dtag312.com
tcdjnkntkkreatlbtbuguyxdqx.biz
cykjxnzmrhaygajncyfmoyljdpb.biz
gfeoacjlvufodylcsnbordyxs.cm
nhnjnmlgofabeynimrtdyt.cm
nafsxsvpmghfb.cm
uizkyvvpsz.hk
vceexusxwxw.info
kkwcfyqhmq.cc
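The three reels described above (length bucket, character makeup, TLD), the 14-consonant example and the ZeuS pattern, run over the NXDOMAIN names listed, as an added example written for this page; it is not code from the article or from Fox-IT. The sample log is constructed: it holds the names listed above, one constructed 34-character .ru label that exercises the ZeuS rule, and a few ordinary names for contrast. The length-bucket bounds, the 12- and 20-character thresholds, the reading of the 33-character ZeuS figure as the length of the full query name, the registrable-label split without a public-suffix list, and the extra vowel-ratio reel (which goes beyond the article's three makeup classes) are all assumptions of this example.

```python
"""Reel-style NXDOMAIN triage: length bucket x character makeup x TLD.

Added example, not the article's or Fox-IT's code. Bucket bounds, the
12/20-character thresholds and the vowel-ratio reel are assumptions.
"""
import re
from collections import Counter

# Constructed NXDOMAIN log: the DGA-looking names listed in the article, one
# constructed 34-character label to exercise the ZeuS rule, and a few
# ordinary names (constructed) that the rules should leave alone.
NXDOMAIN_LOG = """\
agng78sagdfDKJdtwa887.com
kt2syggf436dtag312.com
tcdjnkntkkreatlbtbuguyxdqx.biz
cykjxnzmrhaygajncyfmoyljdpb.biz
gfeoacjlvufodylcsnbordyxs.cm
nhnjnmlgofabeynimrtdyt.cm
nafsxsvpmghfb.cm
uizkyvvpsz.hk
vceexusxwxw.info
kkwcfyqhmq.cc
xkqzvbnmplwrtysdfghjcvbnmqwertyuio.ru
wpad.corp.example.com
helpnetsecurity.com
www.stackoverflow.com
mail-archive.org
"""

ZEUS_TLDS = {"ru", "com", "biz", "info", "org", "net"}
VOWELS = set("aeiou")          # 'y' is treated as a consonant
# Assumed bucket bounds: the article names six categories but not their limits.
LENGTH_BUCKETS = [(1, 7), (8, 11), (12, 15), (16, 19), (20, 32), (33, 10 ** 6)]


def split_name(qname):
    """Return (label, tld): the label directly left of the TLD, lower-cased.

    Simplification: no public-suffix list, so 'x.co.uk' gives ('co', 'uk').
    """
    parts = qname.strip().lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) > 1 else (parts[0], "")


def length_bucket(label):
    """Length reel: index of the bucket the label length falls into."""
    for i, (lo, hi) in enumerate(LENGTH_BUCKETS):
        if lo <= len(label) <= hi:
            return i
    return 0


def char_class(label):
    """Character-makeup reel: 'consonants', 'letters', 'alnum' or 'other'."""
    if re.fullmatch(r"[a-z]+", label):
        return "letters" if set(label) & VOWELS else "consonants"
    if re.fullmatch(r"[a-z0-9]+", label):
        return "alnum"
    return "other"  # hyphens, punycode, anything else


def vowel_ratio(label):
    """Share of letters that are vowels (0.0 for a label with no letters)."""
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def features(qname):
    """Read all reels for one query name."""
    label, tld = split_name(qname)
    return {"qname": qname.strip().lower(), "label": label, "tld": tld,
            "length": len(label), "bucket": length_bucket(label),
            "makeup": char_class(label), "vowel_ratio": vowel_ratio(label)}


def matched_rules(f):
    """The slot machine: each rule is one winning combination of reels.

    Only the consonant and ZeuS rules come from the article; the other
    thresholds are assumptions to tune against your own resolver's baseline.
    """
    hits = []
    if f["makeup"] == "consonants" and f["length"] >= 14:
        hits.append("consonants-only label, 14+ chars")
    if f["makeup"] == "alnum" and f["length"] >= 12:
        hits.append("letters+digits label, 12+ chars")
    if f["makeup"] == "letters" and f["length"] >= 20:
        hits.append("letters-only label, 20+ chars")
    if len(f["qname"]) >= 33 and f["tld"] in ZEUS_TLDS:
        hits.append("ZeuS-like: 33+ char query ending in ru/com/biz/info/org/net")
    # Extra reel beyond the article: a low vowel share is the soft form of
    # 'consonants only' and catches shorter DGA labels the length rules miss.
    if (f["makeup"] in ("letters", "consonants") and f["length"] >= 10
            and f["vowel_ratio"] <= 0.25):
        hits.append("vowel ratio <= 0.25 on a 10+ char label")
    return hits


def triage(log_text):
    """Return {qname: [matched rule, ...]} for every name that hit a rule."""
    flagged = {}
    for line in log_text.splitlines():
        if line.strip():
            f = features(line)
            hits = matched_rules(f)
            if hits:
                flagged[f["qname"]] = hits
    return flagged


def tld_histogram(log_text):
    """TLD reel: which TLDs the failed lookups cluster on."""
    return Counter(split_name(l)[1] for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for name, rules in triage(NXDOMAIN_LOG).items():
        print(f"{name:42} {'; '.join(rules)}")
    print(tld_histogram(NXDOMAIN_LOG).most_common(5))
```

Run as written, the rules flag nine of the ten listed DGA names and the constructed ZeuS-like name while leaving the four ordinary names alone; vceexusxwxw.info slips through because its vowel share (3 of 11) is just above the assumed 0.25 cut-off and it is too short for the length rules, which is exactly the kind of case the thresholds have to be tuned for against a baseline of your own resolver's NXDOMAIN traffic. The TLD histogram is the third reel: a cluster of failed lookups on a TLD you never otherwise see (.cm here) is worth a look on its own.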

COPYRIGHT 1998-2014 BY HELP NET SECURITY.