Spatial Statistics as a Metric for Detecting Botnet C2 Servers

Botconf 2013
Thursday
2023-04-29 | 14:40 – 15:40

Etienne Stalmans 🗣 | Barry Irwin

Botnets consist of thousands of hosts infected with malware. As these hosts are widely dispersed and usually not physically accessible to botnet owners, a means to communicate with them is needed. Using Command and Control (C2) servers, botnet owners are able to communicate with and send commands to the members of the botnet with minimal effort. As these C2 servers are used to control the botnet, they can be used to shut down the entire botnet, either by taking over or by blocking the C2 servers. In response, botnet owners have employed numerous shutdown-avoidance techniques. One of these techniques, DNS Fast-Flux, relies on rapidly changing address records. The addresses returned by Fast-Flux DNS servers consist of geographically widely distributed hosts. These Fast-Flux C2 servers tend to be dispersed across multiple countries and time zones. This distributed nature of Fast-Flux botnets differs from legitimate domains, which tend to have geographically clustered server locations. This paper examines the use of spatial autocorrelation techniques based on the geographic distribution of domain servers to detect Fast-Flux domains. Two means of measuring spatial autocorrelation, Moran’s I and Geary’s C, are used to produce classifiers. These classifiers use multiple geographic co-ordinate systems to assign unique values to each C2 server and subsequently to produce efficient and accurate classifiers. It is shown how Fast-Flux domains can be detected reliably while only a small percentage of false positives are produced.
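The two statistics named above, computed over a domain's resolved hosts, as an added illustration that is not the authors' code. It assumes inverse great-circle distance between hosts as the spatial weight matrix and leaves the per-host scalar value (the "unique value" derived from a co-ordinate system in the abstract) to the caller; both are assumptions, not the paper's stated choices.

```python
import math
from typing import List, Sequence, Tuple

Coord = Tuple[float, float]  # (latitude, longitude) in decimal degrees


def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance between two (lat, lon) points, in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def inverse_distance_weights(coords: Sequence[Coord]) -> List[List[float]]:
    """Spatial weight matrix w_ij = 1 / d_ij km (assumed weighting scheme).
    Distances are floored at 1 km so co-located hosts do not divide by zero."""
    n = len(coords)
    w = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            w[i][j] = w[j][i] = 1.0 / max(haversine_km(coords[i], coords[j]), 1.0)
    return w


def _prepare(x: Sequence[float], w: Sequence[Sequence[float]]):
    n = len(x)
    mean = sum(x) / n
    dev = [v - mean for v in x]
    ss = sum(d * d for d in dev)           # sum_i (x_i - mean)^2
    wsum = sum(sum(row) for row in w)      # W = sum_ij w_ij
    if n < 2 or ss == 0 or wsum == 0:      # statistics undefined for these inputs
        raise ValueError("need >= 2 hosts, distinct values and non-zero weights")
    return n, dev, ss, wsum


def morans_i(x: Sequence[float], w: Sequence[Sequence[float]]) -> float:
    """Moran's I: +1 means like values sit next to like values, -1 the reverse."""
    n, dev, ss, wsum = _prepare(x, w)
    cross = sum(w[i][j] * dev[i] * dev[j] for i in range(n) for j in range(n))
    return (n / wsum) * cross / ss


def gearys_c(x: Sequence[float], w: Sequence[Sequence[float]]) -> float:
    """Geary's C: 0 means perfect clustering, 1 no autocorrelation, >1 dispersion."""
    n, _, ss, wsum = _prepare(x, w)
    diff = sum(w[i][j] * (x[i] - x[j]) ** 2 for i in range(n) for j in range(n))
    return (n - 1) * diff / (2 * wsum * ss)
```

Feed `inverse_distance_weights(coords)` and the per-host values to both functions; a classifier then thresholds the returned statistics per domain.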
