How botnets use 'bullet-proof' domains

Researchers find clues as to how switching servers behind hard-coded domain names keeps criminals in business.

Botnets are proving to more resilient and harder to shut down.

That's largely due to an increased use of methods people use to obscure the domain by constantly mapping to different bots within the network, according to a recently released study (PDF).

The study's authors, Jose Nazario of Arbor Networks and Thorsten Holz of the University of Mannheim, tracked the traffic of 900 fast-flux domain names used by botnets within the first six months of 2008. "Fast-flux" is a term to describe how the botnets use constant changes in the mapping of the hard-coded domain name to different bots within the network. This makes it difficult for law enforcement to identify the main server and shut it down. It also adds a layer of anonymity to those operating the botnet, since the infected computers used can be located worldwide.

The study found that fast-flux botnets were often active for a few hours to a few months. The domains that were used were registered, but sometimes laid dormant for several months. Online fraud and crime most associated with these botnets included phishing sites, pharmacy sites, and malware distribution sites.

The authors also found some botnets to be "promiscuous," harboring hundreds of domain names associated with them.

The information in the report has been shared previously with industry groups such as Forum for Incident Response and Security Teams and Internet Corporation for Assigned Names and Numbers (ICANN). This is the study's first public availability, and it was released to coincide with Malware 2008, which is being held Tuesday and Wednesday in Alexandria, Va.

About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.


    Discuss How botnets use 'bullet-proof' domains

    Conversation powered by Livefyre

    Show Comments Hide Comments
    Latest Articles from CNET
    The truth about Ultra HD 4K TV refresh rates