Boffins devise early-warning bot spotter

Researchers have devised a way to easily detect internet names generated by so-called domain-fluxing botnets, a method that could provide a first-alarm system of sorts that alerts admins of infections on their networks. Botnets including Conficker, Kraken and Torpig use domain fluxing to make it harder for security researchers …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Paris Hilton

    Eee Hee Hee?

    What's the betting on malware makers changing operating methods from flat, uniform over time to short intense even randomised working methods?

    It might be a good idea to see how long it takes for

    (a) the good guys to work a way around the described observance metric

    and

    (b) the bad guys to work a way around the described observance metric?

    1. Keith T
      Thumb Up

      In 700 years of trying, nobody has been able to make an invulnerable bank vault.

      A vital part of the range of solutions needed includes law enforcement, catching and holding the crooks for trial and imprisonment.

      The auto industry has not been able to create a vandal proof auto in 100 years of trying.

      In 700 years of trying, nobody has been able to make an invulnerable bank vault.

      In 100,000 years of trying we still don't have burglar-proof houses.

      If we can't vandal-proof and burglar-proof well understood things with a few hundred parts, I don't see that we're ever going to have vandal and burglar proof complex multi-purpose computer software.

      We need to do all we can, put on the cyber equivalent of 18 inch poured concrete walls and alarm systems, but to make a major difference we must also apprehend and imprison the criminals.

  2. Simon Waddington

    Fuzz out my bot

    If boffins are spotting my bot then I'm gonna call Google to fuzz it out

  3. M man
    Thumb Down

    tada

    evolution in progress.

    What doesn't kill you only makes you stronger.

  4. Anton Ivanov
    Flame

    depends on the network

    Hm, just thinking on how this looks on an average corporate network which uses asset tags and not PC names for DNS dynamically assigned from DHCP.

    I am not convinced about the rather low reported rate of false positives. There are plenty of scenarios where this will generate a much higher rate.

  5. JaitcH
    Pint

    Very handy research ... for bot network operators

    The problem with some scientists is that they just want to publish research papers, no doubt not fully comprehending who the potential audience is or what it can be applied to.

    Happened way back when Touchtone was designed as well as when new coin phone boxes were improved against theft. They gave birth to the Blue and Red Boxes that cost Bell systems millions of dollars in losses, as well as BT and Euro telcos!

    Let's drink to 2600 Hertz, too!

    1. peter 5 Silver badge
      Boffin

      @ (The risk of feeding a troll) JaitcH

      And the problem with some commentators is they don't read the paper before hitting "submit", because the research is no help to bot network operators. (?botters)

      Bots require unregistered domain names to host their command and control servers. That means the distribution of names they generate must always be slightly different to those of legitimate domains, and so they'll always be detectable.

      In fact, the current generation of bots use name generators that are inferior to the best academics have cooked up, and the techniques in the paper can defeat even those higher quality name generators. So, even supposing your argument was valid, the scientists were safe to publish this time.

    2. Anonymous Coward
      FAIL

      re: Very handy research ...

      So, what are you saying, security through obscurity is good? I think there might be a few ppl who would disagree....

  6. Anonymous Coward
    Anonymous Coward

    Unintended consequences

    Surely if you use technical means to make "random" domain-names worthless, the crooks will accelerate their use of "nonrandom" domain-names like those increasingly seen in spam which are compounds of two English words, such as "jumpcoffee", "walkdrum", "crowdwho", "justthose", "flickstill", "tamehigh", "staymill", "rightswim" etc etc etc to use some real examples which I've seen in spam in the past couple of years.

    A small fraction of these compound-word domains might otherwise have had useful commercial value and in time been used more productively.

    1. Keith T
      Thumb Down

      Works for Linux

      Security by obscurity works for Linux and Apple.

      Think about it ... even though it is open source, it is less well examined and understood by black-hat hackers (because it hosts fewer attractive targets), and their obscurity is the only reason they have fewer viruses.

    2. Keith T

      Read again

      They tested it with exactly those sorts of name generators.

    3. spuos

      We are seeing this already

      Great comment. I am one of the co-authors of the paper. Indeed we have already started seeing domain names generated as a combination of two English language words in Storm. More details are in this article on Dark Reading: http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=228200254
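
A simplified version of the character-frequency comparison the thread is discussing, added here as an illustration and not taken from the paper or from any commenter: it measures how far the letter and digit frequencies of a group of domain labels diverge from a legitimate baseline, and shows why the two-English-word names quoted above score much like legitimate names while random-looking flux names stand out. The baseline list and all three groups are constructed sample data, not real observations.

```python
from collections import Counter
from math import log

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Constructed sample of legitimate second-level labels, standing in for the large
# known-good list a real deployment would use as its "expected" distribution.
LEGIT_BASELINE = [
    "theregister", "google", "wikipedia", "amazon", "microsoft", "guardian",
    "stackoverflow", "github", "mozilla", "twitter", "facebook", "nytimes",
    "cloudflare", "ubuntu", "debian", "python", "kernel", "archive", "reuters",
]

# Constructed groups to score: held-out legitimate labels, random-looking labels in
# the style of a domain-fluxing bot, and the two-word labels quoted in the thread.
GROUPS = {
    "legit_holdout": ["bbc", "reddit", "apple", "slashdot", "sourceforge", "wired"],
    "random_flux": ["q7xz2kvj9w", "b3gqx8zvkp", "z9qjx4vwky",
                    "xq2vz7jkb5", "kz8qxjv3wq", "v4qzx9kjwb"],
    "two_words": ["jumpcoffee", "walkdrum", "crowdwho", "justthose",
                  "flickstill", "tamehigh", "staymill", "rightswim"],
}

def label_of(domain):
    """Return the second-level label, e.g. 'jumpcoffee' for 'www.jumpcoffee.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def char_dist(labels):
    """Add-one smoothed character frequencies over ALPHABET (keeps the KL term finite)."""
    counts = Counter(c for label in labels for c in label if c in ALPHABET)
    total = sum(counts.values()) + len(ALPHABET)
    return {c: (counts[c] + 1) / total for c in ALPHABET}

def kl_divergence(p, q):
    """KL(p || q) in nats: how surprising p's frequencies are when q was expected."""
    return sum(p[c] * log(p[c] / q[c]) for c in ALPHABET)

def score_group(labels, baseline=LEGIT_BASELINE):
    """Divergence of a group's character frequencies from the baseline; higher = more suspicious."""
    return kl_divergence(char_dist(labels), char_dist(baseline))

def rank_groups(groups=GROUPS):
    """Group names ordered from most to least divergent from the baseline."""
    return sorted(groups, key=lambda g: score_group(groups[g]), reverse=True)

if __name__ == "__main__":
    for name in rank_groups():
        print(f"{name:14s} KL = {score_group(GROUPS[name]):.3f}")
```

The two-word group lands near the held-out legitimate group rather than near the flux group, which is the evasion the comment above anticipates and the co-author confirms seeing in Storm.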

  7. JC 2

    It's About Reduction

    You'll never catch 100% of spam because some of them actually have ambitions of being good at it. The best you can do is cast your net at the largest group you see and this idea, while not original in that all it does is take some of the logic a human would use and expresses it in code, does have a lot of merit. It's a bit surprising actually that these kinds of filters weren't in place already.

    I propose something different though, in the US we now have a "Do Not Call" list that you can sign up for to avoid telephone solicitors. We need the same for email... can't tell you how many times I was tempted to click the unsubscribe link at the bottom of an email for a legit company that shouldn't have been sending me spam, only to refrain due to not wanting to validate the email address as a live one with a human reading the incoming.

  8. amanfromMars 1 Silver badge
    Grenade

    Cloaking Devices for Core Penetrations and Lode Ore MetaDataMining/Communal XSSXXXXual Congress

    Be careful what you poke a stick at, for you cannot handle a hornet's nest in Full Active Angered Flight .... or Virtual Natives on the Righteous Rampage.

    "So, what are you saying, security through obscurity is good? I think there might be a few ppl who would disagree...." .... Anonymous Coward Posted Sunday 7th November 2010 16:02 GMT

    There are Others, AC ..... :-) and a Chosen Few who would have a Fundamental and Absolute Mastery of the Stealth and Steganography Arts, who would not disagree. And would say nothing, and say nothing more on the subject for obvious reasons of Need to Know Security, that most do not need to know and will never ever know.

    "Bots require unregistered domain names to host their command and control servers." ..... peter 5 Posted Sunday 7th November 2010 16:02 GMT

    A popular myth and most helpful misperception/misconception. SMARTer IntelAIgent Server Systems are hosted in unsuspecting domain names ..... dogging their services for the swish cottage industry of conspiring bots that Command Commendable CyberIntelAIgent Control. And such is the Sweet Temptation and Sticky Delight of such a Base Network, that Capture is a Surrender that renders the Awesome Power and Active Pleasure of Astute Submission ..... with a Special Force, Readily Available to Leading Facilities and Ancient Orders and Shady Operators Delivering Cloud Cover for Special Operational Environments and Executive Officers ...... which makes IT also, a QuITe Phormidable and Highly Explosive Utility.

    Indeed, the Posit here is, that it is also a Catastrophic, Next Generation NEUKlearer HyperRadioProActive Weapon and AIMODified Field Munition.

    "The problem with some scientists is that they just want to publish research papers, no doubt not fully comprehending who the potential audience is or what it can be applied to." ... JaitcH Posted Saturday 6th November 2010 11:14 GMT

    And then again, JaitcH, there are the Others who fully comprehend the potential audiences to which it can be applied, and the value of the research information, and the great, and even greater worth, in not publishing it, but safely sharing and storing it with trusted partners for future use, should it be necessary.

  9. amorphic

    What happens when each BOT is a CCS node?

    Might as well start own P2P as soon as the firewall allows GET via port 80. Oh, wait, most of the time it does.

  10. Ian McNee
    Alert

    Statistical methods and pronounceable domain names??

    Oh no! xkcd.com will be blacklisted! My life is now meaningless!!
