Detecting botnet command and control domain names

Abstract

Nowadays, modern botnets such as Conficker, Kraken, Torpig... have led to the use of IP and domain fast-fluxing to avoid detection and have resilience. Moreover, many botnet detection systems made a blacklist of known Command and control (C&C) domains to detect and block their traffic, so traditional detection systems will be bypassed because the blacklist is updated only after running and external process to discovery domain. As a response, botmasters have begun employing domain generation algorithm to dynamically produce a large number of random domains name and select a small subset for actual C&C to use. In this project, we develop 2 methods to detect domain fluxes. The first one aims at observing distribution of alphanumeric characters in domains then compares them with the distribution of legitimate domain characters. The second one is find a relationship between the detected resource (domain / IP) and the domain needed to predict.