What you should know about battling botnets

Technology evolves to predict malicious activity, defend networks


The persistent, pervasive badness on the Internet is made possible by the existence of a vast, self-replenishing infrastructure of botnets.

Cyber criminals go to great lengths to keep their botnets running at high efficiency.

Tim Helming, DomainTools director of product management

ThirdCertainty asked Tim Helming, director of product management at DomainTools, to outline how and why botnets continue to thrive—and what the good guys are doing to deter them. Here’s a summary of our discussion:

Botnet basics

A typical botnet is made up of tens of thousands of infected computers communicating back to a single command-and-control server, from which a human attacker issues instructions.

Botnets are routinely instructed by their human controller to:

• Spread malware and infect more computers

• Carry out phishing, ransomware, account takeover, click fraud and denial of service attacks

• Siphon crown jewel data from business networks via Advanced Persistent Threat (APT) attacks

Domain name game

Each command-and-control server and each infected computer, or bot, has an IP address and a domain name. The good guys have perfected blacklisting tools tuned to quickly identify and cut off any IP address or domain name previously observed carrying out malicious activity.

These blacklists are fed into firewalls, email gateways and intrusion prevention systems, forming a first line of defense that automatically blocks any known bad domains and IP addresses.

So the criminals counter by registering new, replacement domains en masse. Botnets run domain generation algorithms (DGAs) that spit out fresh domain names, made up of random alphanumeric strings, by the hundreds. “This lets them register new domains in bulk,” Helming says.

Additionally, botnets are also instructed to create domain names built from recognizable words or word patterns. This is done when a domain name is needed that a human victim can read, in order to fool someone as part of a phishing or ransomware attack.

Reputation scoring

Blacklists can only do so much. They are limited to blocking domains previously observed doing bad things. So DomainTools has also come up with a reputation scoring system that assigns a risk score to each newly created domain.

Very new domains with alphanumeric names, for instance, get an elevated risk score. So do domain names that are slight misspellings of the official domain names of legitimate websites. A decision can then be made as to whether to block a new domain that seems benign before it is put to malicious use.

“We look at things like how old the domain name is, whether the domain name makes any sense linguistically,” Helming says. “Those are intrinsic properties that can show us domains that are tightly connected to bad ones, and also one-offs that might not have that connection.”
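As an added illustration (not DomainTools’ code and not from the original article), the following Python scores a domain on the three intrinsic signals just described: registration age, a random-looking alphanumeric label, and closeness to a known legitimate name. The allow-list, thresholds and weights are assumptions chosen for the demonstration.

```python
"""Toy domain-reputation scorer, added as an illustration of the intrinsic
signals described above. It is not DomainTools' code; the allow-list and
every threshold and weight below are assumptions chosen for the demo."""
import math
from collections import Counter

# Constructed allow-list of legitimate domains to compare new names against.
KNOWN_GOOD = {"example.com", "paypal.com", "microsoft.com"}
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; random DGA-style strings score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag slight misspellings of known domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_dga(label: str) -> bool:
    """Long, high-entropy, vowel-poor labels resemble machine-generated names."""
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.25


def risk_score(domain: str, age_days: int) -> dict:
    """Return a 0-100 risk score (higher = riskier) and the reasons behind it."""
    domain = domain.lower()
    label = domain.rsplit(".", 1)[0]  # second-level label, e.g. "paypa1"
    score, reasons = 0, []
    if age_days < 7:  # very new registration
        score, reasons = score + 20, reasons + ["new-domain"]
    if looks_like_dga(label):
        score, reasons = score + 40, reasons + ["dga-like"]
    # Not a known-good name itself, but within two edits of one: typosquat.
    if domain not in KNOWN_GOOD and any(edit_distance(domain, g) <= 2 for g in KNOWN_GOOD):
        score, reasons = score + 50, reasons + ["typosquat"]
    return {"score": min(score, 100), "reasons": reasons}
```

The reasons list is what a defender would want in an alert: a score alone says little about why a freshly registered domain was flagged.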

Predicting vs. detecting

Cyber criminals can get lazy. And the good guys are striving to capitalize on that trait. For instance, it still is a common practice for criminals to use quirky, bogus information to register domains—such as Superman, 123 Anywhere Lane, Anytown, USA, 11111—and then use that name and address over and over.

But detection technology is continually improving. Machine learning is being applied to not just identify such patterns, but also correlate them to other data. The goal is to help network defenders more accurately predict whether a domain is likely to commence malicious activity long before it does.

“Prediction is where everybody is trying to get to,” Helming says. “Being able to predict badness is really important and really valuable. I call it looking back to look forward.”