How botnets use 'bullet-proof' domains
Researchers find clues as to how switching servers behind hard-coded domain names keeps criminals in business.
are proving to more resilient and harder to shut down.
That's largely due to an increased use of methods people use to obscure the domain by constantly mapping to different bots within the network, according to a recently released study (PDF).
The study's authors, Jose Nazario of Arbor Networks and Thorsten Holz of the University of Mannheim, tracked the traffic of 900 fast-flux domain names used by botnets within the first six months of 2008. "Fast-flux" is a term to describe how the botnets use constant changes in the mapping of the hard-coded domain name to different bots within the network. This makes it difficult for law enforcement to identify the main server and shut it down. It also adds a layer of anonymity to those operating the botnet, since the infected computers used can be located worldwide.
The study found that fast-flux botnets were often active for a few hours to a few months. The domains that were used were registered, but sometimes laid dormant for several months. Online fraud and crime most associated with these botnets included phishing sites, pharmacy sites, and malware distribution sites.
The authors also found some botnets to be "promiscuous," harboring hundreds of domain names associated with them.
The information in the report has been shared previously with industry groups such as Forum for Incident Response and Security Teams and Internet Corporation for Assigned Names and Numbers (ICANN). This is the study's first public availability, and it was released to coincide with Malware 2008, which is being held Tuesday and Wednesday in Alexandria, Va.