The malicious threats accessible via the Internet cannot be completely blocked by network administrators without severely curtailing users' legitimate access to the Internet. In any large organization it is inevitable that a user of an internal computer will install malware and compromise that computer; the malware may then, on its own, infect other computers on the organization's network. Some malware tries to extract valuable information from the compromised computer and, through the use of a botnet (a collection of “zombie” computers under the control of malicious attackers), also uses the compromised computer to extend the distributed botnet infrastructure associated with the malware. A botnet is an amalgamation of infected computers that differ in purpose and geographical location, so the infected hosts vary in the times at which they are available to be contacted by the malware.
To achieve this, the malware must communicate with the threat's instigator and signal that the computer has been compromised. The malware sets up a Command and Control (C&C) channel from the compromised internal computer to an external network infrastructure operated by the perpetrators. Once a line of communication is established, the malware can hand over control of the computer to an unauthorized perpetrator, send valuable information accessible to the compromised host, or in turn become part of the network of compromised computers and relay communication to other infected hosts.
As the malware and its delivery mechanisms change, it is necessary to treat the network as already compromised and to invest resources in detecting where on the network the malware is located and where it is communicating to. Once the C&C channel between a compromised internal computer and suspicious external hosts is identified, the outbound communication can be cut, thereby protecting sensitive information and preventing the botnet from gaining additional resources. Details of any discovered C&C infrastructure can also be reported by the responsible network administrators to security organizations so that other networks can pre-empt the same threat.
Although malware technology continually evolves in its attempts to avoid detection and blocking, the malware still needs a way to communicate with the outside world in order to perform tasks for its controllers. A common initial step in the detection process is to examine Domain Name System (DNS) queries for static or dynamically generated domain names associated with a botnet. To identify the C&C channel, the analysis focuses on DNS messages to determine which Internet Protocol (IP) addresses and domain names pose the greatest risk of being under malware control. FIG. 1 shows an example dynamic DNS.
Malware uses DNS messages for several reasons: DNS is a universally used protocol, so malware C&C traffic is hidden within a large volume of legitimate DNS queries; DNS is distributed and publicly accessible, which provides an easy and robust method for local malware to contact its external C&C servers; the DNS port is often open in firewalls, allowing compromised computers to become name servers under malware control and so strengthen the botnet; and DNS resource records can be added and updated frequently, allowing the malware to find botnet servers while making detection and tracking by network security staff more difficult.
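The two preceding paragraphs describe the detection approach only in outline: inspect DNS messages, look for dynamically generated names, and notice resource records that change too often. The following Python script is an added example, not code from the original document or from any product it describes, showing how those observations translate into concrete checks run over a handful of constructed DNS log records. The record format (client IP, queried name, TTL, answer IP), the entropy and vowel-ratio thresholds for "generated-looking" names, and the TTL/IP-count thresholds for fast-changing records are all assumptions chosen for illustration, not values taken from the page.

```python
"""Heuristic C&C indicators in DNS logs (added example; thresholds are assumptions)."""
import math
from collections import defaultdict

# Constructed sample records: (client_ip, queried_name, ttl_seconds, answer_ip).
# 10.0.0.5 and 10.0.0.9 resolve ordinary names; 10.0.0.7 resolves two
# random-looking labels and one name whose answers rotate on a 30 s TTL.
SAMPLE_RECORDS = [
    ("10.0.0.5", "www.example.com", 3600, "93.184.216.34"),
    ("10.0.0.5", "mail.example.com", 3600, "93.184.216.35"),
    ("10.0.0.7", "xk3q9v2bz7lpm1tr.net", 60, "198.51.100.10"),
    ("10.0.0.7", "p0q8w7k6r5t4y3z2.net", 60, "198.51.100.11"),
    ("10.0.0.7", "flux-cdn.example.org", 30, "203.0.113.1"),
    ("10.0.0.7", "flux-cdn.example.org", 30, "203.0.113.2"),
    ("10.0.0.7", "flux-cdn.example.org", 30, "203.0.113.3"),
    ("10.0.0.7", "flux-cdn.example.org", 30, "203.0.113.4"),
    ("10.0.0.9", "updates.example.net", 300, "192.0.2.50"),
]


def shannon_entropy(text):
    """Bits of entropy per character; random labels score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """The label just below the TLD, e.g. 'example' for 'www.example.com'."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Flag a name whose second-level label is long, high-entropy and vowel-poor.

    These three conditions together separate algorithmically generated labels
    from most dictionary-based names; any one alone gives many false positives.
    """
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    alpha = [ch for ch in label if ch.isalpha()]
    vowels = sum(ch in "aeiou" for ch in alpha)
    vowel_ratio = vowels / len(alpha) if alpha else 0.0
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def fast_flux_domains(records, max_ttl=300, min_ips=3):
    """Names whose answers rotate through many IPs under a short TTL."""
    answers = defaultdict(set)
    lowest_ttl = {}
    for _client, qname, ttl, ip in records:
        answers[qname].add(ip)
        lowest_ttl[qname] = min(ttl, lowest_ttl.get(qname, ttl))
    return {q for q, ips in answers.items()
            if lowest_ttl[q] <= max_ttl and len(ips) >= min_ips}


def suspected_cc(records):
    """Map each internal client to the suspicious names it resolved and why."""
    flux = fast_flux_domains(records)
    report = defaultdict(dict)
    for client, qname, _ttl, _ip in records:
        reasons = []
        if looks_generated(qname):
            reasons.append("dga-like")
        if qname in flux:
            reasons.append("fast-flux")
        if reasons:
            report[client][qname] = reasons
    return dict(report)


def block_targets(records):
    """Answer IPs behind flagged names: the outbound destinations to cut."""
    flagged = {q for names in suspected_cc(records).values() for q in names}
    return {ip for _c, qname, _t, ip in records if qname in flagged}


if __name__ == "__main__":
    for client, names in sorted(suspected_cc(SAMPLE_RECORDS).items()):
        for qname, reasons in sorted(names.items()):
            print(f"{client} -> {qname}: {', '.join(reasons)}")
    print("block:", sorted(block_targets(SAMPLE_RECORDS)))
```

On the sample data only 10.0.0.7 is reported, with the two random-looking names marked "dga-like" and flux-cdn.example.org marked "fast-flux"; the eight answer addresses behind those names are the candidates for an outbound block. In practice the thresholds need tuning against the organization's own baseline, since long legitimate labels and content-delivery networks with short TTLs will trip naive versions of both checks.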
Even though botnets continue to evolve over time to evade detection and countermeasures, malware can still function under many older C&C paradigms, so it is important for a comprehensive real-time solution to detect current and older schemes as well as new, as yet unknown and still evolving methods.