With every Internet transaction creating DNS traffic, monitoring is obviously not a small task. Normal DNS traffic typically generates about 12 NXDOMAINs per hour. At one client, we were able to detect and resolve an infection almost instantly when our DNS monitoring uncovered 400 NXDOMAINs per hour.
It is essential to utilize a sophisticated and comprehensive system to collect the DNS traffic that is captured through monitoring sensors. PassiveDNS aggregates duplicate traffic, keeping the logs small without losing the volume information. Most importantly, it keeps track of requests and responses and splits the NXDOMAINs essential to DGA detection into a separate log. This dramatically reduces the amount of traffic to be analyzed, and allows analysts to focus on the 10% of the traffic that fails.
Finding the source of malicious DNS traffic
While monitoring will detect a malware infection, an analysis of the data will lead to the source, and finding the infected host is always our goal. There are various tools and methods used to analyze DNS traffic for DGA patterns and to search DNS logs for specific queries of known or suspected botnets. Proven analysis tools that focus only on failed DNS requests can quickly search for malicious domains and return only a low percentage of false positives. When using these tools to focus on a specific data set, the DGA domains stick out like a sore thumb.
Another method for analyzing NXDOMAIN logs is searching for long domains. Legitimate domains are typically less than 12 characters long, and usually as short as possible in order to be memorable. A cybercriminal may direct his bots to use longer, illegitimate domains for communication, making them obvious and easier to find. For example, a 14-character domain made up of only consonants will be automatically flagged as malicious by the detection system.
The most well-known and widely spread malware is ZeuS; this malware family has infected millions of PCs. The typical ZeuS query is 33 characters long or more, and ends with the .ru, .com, .biz, .info, .org or .net domain extensions.
In addition to analysis tools, there are specific methods that can be used to search through the NXDOMAIN logs. There are three domain characteristics that we look for:
Domain length – broken into 6 different length categories.
Character makeup – Alphanumeric, characters only and consonants only.
Top Level Domains (TLD) – 272 variations.
This method constantly looks for any combination of these three characteristics – a bit like a slot machine rotating its reels waiting to hit the jackpot.
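As an added example (not code from the article or from the PassiveDNS project), the following Python script applies the three characteristics and the hourly NXDOMAIN threshold described above to a constructed log; the log field layout and the six length cut points are assumptions, and "characters only" is taken to mean letters only.

```python
from collections import Counter, defaultdict
# Constructed sample of a PassiveDNS-style NXDOMAIN log (field layout is an
# assumption): timestamp||client||server||class||query||type||rcode
SAMPLE_LOG = """\
1393600000.1||10.0.0.5||10.0.0.1||IN||www.example.com.||A||NXDOMAIN
1393600010.4||10.0.0.7||10.0.0.1||IN||kqzxvbnmtplrwc.info.||A||NXDOMAIN
1393600020.7||10.0.0.7||10.0.0.1||IN||aq2k9xzm7r4p1v0wb3ncy8t6lj5hgd2fe.ru.||A||NXDOMAIN
1393600030.2||10.0.0.5||10.0.0.1||IN||mail.helpnetsecurity.com.||A||NXDOMAIN
"""
CONSONANTS = set("bcdfghjklmnpqrstvwxyz")
ZEUS_TLDS = {"ru", "com", "biz", "info", "org", "net"}   # TLDs named in the article
# Six length buckets; the cut points are assumed, the article does not give them.
BUCKETS = ((7, "1-7"), (11, "8-11"), (15, "12-15"), (23, "16-23"), (32, "24-32"))

def parse_line(line):
    fields = line.rstrip("\n").split("||")
    if len(fields) != 7:
        return None                 # malformed line, skip it
    ts, client, _srv, _cls, query, _qtype, rcode = fields
    return {"ts": float(ts), "client": client,
            "query": query.rstrip(".").lower(), "rcode": rcode}

def classify(domain):
    # Length bucket, character makeup and TLD of the registrable label
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    bucket = next((n for hi, n in BUCKETS if len(label) <= hi), "33+")
    if set(label) <= CONSONANTS:
        makeup = "consonants"
    elif label.isalpha():
        makeup = "letters"          # the article's "characters only"
    else:
        makeup = "alphanumeric"
    return {"length": len(label), "bucket": bucket, "makeup": makeup, "tld": parts[-1]}

def is_suspicious(domain):
    c = classify(domain)
    return ((c["makeup"] == "consonants" and c["length"] >= 14)   # consonant-only rule
            or (c["length"] >= 33 and c["tld"] in ZEUS_TLDS))    # ZeuS-style query

def nxdomain_rate(records, threshold=400):
    # Clients whose NXDOMAIN count in any clock hour reaches the threshold
    per_hour = Counter((r["client"], int(r["ts"] // 3600))
                       for r in records if r["rcode"] == "NXDOMAIN")
    return {k: v for k, v in per_hour.items() if v >= threshold}

def flag_hosts(log_text):
    # Map each client to the suspicious NXDOMAIN queries it issued
    flagged = defaultdict(list)
    for r in filter(None, map(parse_line, log_text.splitlines())):
        if r["rcode"] == "NXDOMAIN" and is_suspicious(r["query"]):
            flagged[r["client"]].append(r["query"])
    return dict(flagged)
```

On the constructed log, `flag_hosts(SAMPLE_LOG)` attributes both suspicious queries to 10.0.0.7, while `nxdomain_rate` stays silent because no host reaches 400 failures in an hour.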
Random DGA domains: