The persistent, pervasive badness on the internet is made possible by the existence of a vast, self-replenishing infrastructure of botnets. Cyber criminals go to great lengths to keep their botnets running at high efficiency.
ThirdCertainty asked Tim Helming, director of product management at Domain Tools, to outline how and why botnets continue to thrive—and what the good guys are doing to deter them. Here’s a summary of our discussion:
A typical botnet is composed of tens of thousands of infected computers communicating back to a single command-and-control server, from which a human attacker issues instructions.
Botnets are routinely instructed by their human controller to:
• Spread malware and infect more computers
• Carry out phishing, ransomware, account takeover, click fraud and denial of service attacks
• Siphon crown jewel data from business networks via advanced persistent threat (APT) attacks
Domain name game
Each command-and-control server and each infected computer, or bot, has an IP address and a domain name. The good guys have perfected blacklisting tools tuned to quickly identify and cut off any IP address or domain name previously observed carrying out malicious activity.
See also: Dark Web and Other Scary Cyber Trends
These blacklists are fed into firewalls, email gateways and intrusion prevention systems, forming a first line of defense that automatically blocks any known bad domains and IP addresses.
So the criminals counter by registering new, replacement domains en masse. Botnets run domain-generation algorithms (DGAs) that spit out fresh domain names composed of random alphanumeric strings, by the hundreds. “This lets them register new domains in bulk,” Helming says.
Additionally, botnets also get instructed to create domain names in recognizable word or word patterns. This is done when a domain name is needed that a human victim can read to fool someone as part of a phishing or ransomware attack.
Blacklists can only do so much. They are limited to blocking domains previously observed doing bad things. So Domain Tools also has come up with a reputation scoring system that assigns a risk score to each newly created domain.
Very new domains with alphanumeric names, for instance, get an elevated risk score. So do domain names that are slight misspellings of the official domain names of legitimate websites. A decision can then be made as to whether to block a new domain that seems benign before it is put to malicious use.
“We look at things like how old the domain name is, whether the domain name makes any sense linguistically,” Helming says. “Those are intrinsic properties that can show us domains that are tightly connected to bad ones, and also one-offs that might not have that connection.”
Predicting vs. detecting
Cyber criminals can get lazy. And the good guys are striving to capitalize on that trait. For instance, it still is a common practice for criminals to use quirky, bogus information to register domains—such as Superman, 123 Anywhere Lane, Anytown, USA, 11111—and then use that name and address over and over.
But detection technology is continually improving. Machine learning is being applied to not just identify such patterns, but also correlate them to other data. The goal is to help network defenders more accurately predict whether a domain is likely to commence malicious activity long before it does.
“Prediction is where everybody is trying to get,” Helming says. “Being able to predict badness is really important and really valuable. I call it looking back to look forward.”