Malware, short for “malicious software,” is software that is designed for hostile or intrusive purposes. For example, malware may be designed with the intent of gathering confidential information, denying or disrupting operations, accessing resources without authorization, and other abusive purposes. Types of malware include, for example, computer viruses, worms, trojan horses, spyware, adware, and botnets. Malware developers typically distribute their software via the Internet, often clandestinely. As Internet use continues to grow around the world, malware developers have more incentives than ever for releasing this software. In fact, studies indicate that the release rate of malicious software today could even be exceeding that of legitimate software.
Botnets are one example of malware that have become a major security threat in recent years. A botnet is a network of “innocent” host computers that have been infected with malicious software in such a way that a remote attacker is able to control the host computers. The malicious software used to infect the host computers is referred to as a “bot,” which is short for “robot.” Botnets operate under a command and control (C&C) architecture, where a remote attacker is able to control the infected computers, often referred to as “zombie” computers. An attacker may control the infected computers to carry out online anti-social or criminal activities, such as e-mail spam, click fraud, distributed denial-of-service attacks (DDoS), or identity theft.
FIG. 1 illustrates an exemplary C&C architecture of a botnet 100. The botnet master 101, often referred to as a “botmaster” or “bot herder,” distributes malicious bot software, typically over the Internet 102. The bot software carries a future time and a set of domain names that the bot is to contact at that time. The bot software infects a number of host computers 103, compromising them. Users of host computers 103 typically do not know that the bot software is running on their computers. Botnet master 101 also registers temporary domain names to be used as C&C servers 104. Then, at the stored future time, the bots cause host computers 103 to contact C&C servers 104 to get instructions. The instructions are sent over a C&C channel via the Internet 102. The ability to send instructions to host computers 103 provides botnet master 101 with control over a large number of host computers. This enables botnet master 101 to generate huge volumes of network traffic, which can be used for e-mailing spam messages, shutting down or slowing web sites through DDoS attacks, or other purposes.
Botnets exploit the domain name system (DNS) to rally infected host computers. The DNS allows people using the Internet to refer to domain names, rather than Internet Protocol (IP) addresses, when accessing websites and other online services. Domain names, which employ text characters, such as letters, numbers, and hyphens (e.g., “www.example.com”), will often be easier to remember than IP addresses, which are numerical: an IPv4 address such as “128.1.0.0” contains only digits and dots, and an IPv6 address such as “2001:db8::1” is written as hexadecimal digits and colons. The DNS is the Internet's hierarchical lookup service for mapping character-based domain names meaningful to humans into numerical IP addresses.
Domains exist at various different levels within the DNS hierarchy. For example, a generic top-level domain (gTLD), such as .com or .net, is a domain at the highest level in the DNS hierarchy. Another type of TLD is a country-code top-level domain (ccTLD) such as, for example, “.uk.” A second-level domain (SLD) is a subdomain of a TLD (including gTLD and ccTLD), which is directly below the TLD in the DNS hierarchy. For example, “com” is the TLD and “example” is the SLD for the domain name “www.example.com.” An “n-level” domain can indicate any level of domain, including top-level, second-level, etc.
Botnets exploit the DNS by pervasively registering domain names to be temporarily used as C&C servers 104. Domain name registration is the process by which a “Registrant” (typically an individual user or an organization) can reserve or lease the use of a domain name for a specified period of time from the date of registration. The Registrant may reserve the domain name in units of months or years, but typically between one and ten years. Domain names are reserved through domain “Registrars.” Registrars are entities having business relationships with domain “Registries,” which control the domain names and maintain a domain name database for a particular TLD. Thus, a Registrar provides the interface by which a Registrant can reserve or lease a domain name from a Registry. The Registry manages the reserved names and available names for a particular TLD and makes available certain information to the Registrar through the Extensible Provisioning Protocol (EPP). Registrars that are authorized by the Registry have the ability to check, create, update, delete, renew, transfer, and get information for domain names through the EPP. The Registry provides the EPP as a communications gateway to Registrars for such purposes.
In a typical domain name registration example, a Registrant may want to reserve the domain name “example.com.” The Registrant would contact a Registrar that has a business relationship with the Registry that operates the .com TLD. For example, the company GoDaddy is a known Registrar, and the company Verisign is a known Registry. The Registrant would query the Registrar as to the availability of the domain name “example” in the .com namespace. The Registrar in turn would query the proper Registry for the .com TLD through the EPP, and then return the results to the Registrant. The Registrant may then obtain a registration of the domain name by paying a registration fee and providing information required by the Registry and Registrar. The Registry charges the Registrar for the domain name registration and the Registrar collects the registration fee from the Registrant.
To maintain a domain name in accordance with current regulations, the Registry responsible for a TLD is required to maintain a certain minimum amount of information associated with the domain name to ensure proper identification, security features, and operability associated with the domain name. For example, domain Registrars may be required to make available to the Registry current domain contact information. Also, in order for a domain name to work correctly, the Registry must have nameserver information for the domain to load into its TLD DNS system to refer outside DNS requests to the proper authoritative DNS servers. Also, to prevent accidental changes to the domain name settings, certain status codes are available to put various levels of protection on the domain name.
Status codes are designations that can be assigned and removed by the Registry or the Registrar of a domain name. Status codes may provide security for a domain name to prevent, for example, the domain name from being accidentally transferred or deleted. These status codes are stored in the registry database and associated with respective domain names. The status codes that the EPP system can return for domain name provisioning are defined as “status values” in RFC 5731 (referred to as “the standards”). A status code set by the Registry is designated a “server” code, and a status code set by the Registrar is designated a “client” code.
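The availability query of the registration example above and the client/server status values just described, as an added Python example. This is not code from the original text or from any Registry or Registrar: the transaction IDs, the domain names and the two sample Registry responses are constructed, and the function names build_check_command, parse_check_response and classify_status are chosen here.

```python
"""EPP domain <check> exchange and status values (RFC 5730 / RFC 5731).

Added example, not code from the original text or from any Registry or
Registrar.  Transaction IDs, domain names and the sample responses are
constructed; nothing here connects to a real EPP server.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
NS = {"epp": EPP_NS, "domain": DOMAIN_NS}

# Status values from RFC 5731 section 2.3.  client* values are set by the
# sponsoring Registrar; everything else is managed by the Registry.
RFC5731_STATUS = frozenset({
    "clientDeleteProhibited", "clientHold", "clientRenewProhibited",
    "clientTransferProhibited", "clientUpdateProhibited",
    "serverDeleteProhibited", "serverHold", "serverRenewProhibited",
    "serverTransferProhibited", "serverUpdateProhibited",
    "inactive", "ok", "pendingCreate", "pendingDelete", "pendingRenew",
    "pendingTransfer", "pendingUpdate"})


def build_check_command(names, cl_trid):
    """The <check> command a Registrar sends to ask whether names are free."""
    name_elements = "".join(f"<domain:name>{escape(n)}</domain:name>" for n in names)
    return ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
            f'<epp xmlns="{EPP_NS}"><command><check>'
            f'<domain:check xmlns:domain="{DOMAIN_NS}">{name_elements}</domain:check>'
            f'</check><clTRID>{escape(cl_trid)}</clTRID></command></epp>')


def parse_check_response(xml_text):
    """Return {name: (available, reason)} from the Registry's <chkData> reply.

    Raises RuntimeError unless the result code is 1000 (success)."""
    root = ET.fromstring(xml_text)
    result = root.find("epp:response/epp:result", NS)
    code = int(result.get("code"))
    if code != 1000:
        raise RuntimeError(f"EPP result {code}: {result.findtext('epp:msg', '', NS)}")
    availability = {}
    for cd in root.iterfind(".//domain:chkData/domain:cd", NS):
        name = cd.find("domain:name", NS)
        reason = cd.findtext("domain:reason", None, NS)
        availability[name.text] = (name.get("avail") in ("1", "true"), reason)
    return availability


def classify_status(info_xml):
    """Split <domain:info> status values into (Registry-set, Registrar-set)."""
    root = ET.fromstring(info_xml)
    values = [s.get("s") for s in root.iterfind(".//domain:infData/domain:status", NS)]
    unknown = sorted(v for v in values if v not in RFC5731_STATUS)
    if unknown:
        raise ValueError(f"status values not defined by RFC 5731: {unknown}")
    registrar_set = sorted(v for v in values if v.startswith("client"))
    registry_set = sorted(v for v in values if not v.startswith("client"))
    return registry_set, registrar_set


# Constructed Registry replies in the shape RFC 5731 gives for <check> and
# <info>; "example.net" is reported as already taken.
SAMPLE_CHECK_RESPONSE = f"""<epp xmlns="{EPP_NS}"><response>
  <result code="1000"><msg>Command completed successfully</msg></result>
  <resData><domain:chkData xmlns:domain="{DOMAIN_NS}">
    <domain:cd><domain:name avail="1">example.com</domain:name></domain:cd>
    <domain:cd><domain:name avail="0">example.net</domain:name>
      <domain:reason>In use</domain:reason></domain:cd>
  </domain:chkData></resData>
  <trID><clTRID>ABC-12345</clTRID><svTRID>54321-XYZ</svTRID></trID>
</response></epp>"""

SAMPLE_INFO_RESPONSE = f"""<epp xmlns="{EPP_NS}"><response>
  <result code="1000"><msg>Command completed successfully</msg></result>
  <resData><domain:infData xmlns:domain="{DOMAIN_NS}">
    <domain:name>example.com</domain:name>
    <domain:status s="clientTransferProhibited"/>
    <domain:status s="serverHold"/>
    <domain:status s="serverDeleteProhibited"/>
    <domain:clID>ClientX</domain:clID>
  </domain:infData></resData>
  <trID><clTRID>ABC-12346</clTRID><svTRID>54322-XYZ</svTRID></trID>
</response></epp>"""

SAMPLE_ERROR_RESPONSE = f"""<epp xmlns="{EPP_NS}"><response>
  <result code="2201"><msg>Authorization error</msg></result>
  <trID><clTRID>ABC-12347</clTRID><svTRID>54323-XYZ</svTRID></trID>
</response></epp>"""

if __name__ == "__main__":
    print(build_check_command(["example.com", "example.net"], "ABC-12345"))
    print(parse_check_response(SAMPLE_CHECK_RESPONSE))
    print(classify_status(SAMPLE_INFO_RESPONSE))
```

In a real session the command would be sent over the Registrar's authenticated EPP connection (TCP with TLS, per RFC 5734) after a login, and the Registry's answer is the only authority on availability: the parser therefore refuses anything but result code 1000 rather than guessing from partial data. Rejecting status values outside the RFC 5731 set is a cheap guard against a response from an unexpected extension being silently misread as a protection level the Registrar never set.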
Many botnet masters pervasively register domain names to be temporarily used as botnet command and control (C&C) servers and then dynamically change the IP addresses associated with the domain names to avoid detection. Infecting host computers with bots containing domain names of the botnet C&C servers allows the host computers to contact the appropriate C&C servers through DNS resolution, even if the IP addresses of the C&C servers have changed. Thus, bots may locate botnet C&C servers according to their domain names, rather than their IP addresses. Some botnets frequently change the domain names they use for resolution, and these domain names may even be randomly assigned.
Often, botnet masters use an algorithm to register various permutations of a single domain name theme (e.g., “www.example.com,” “www.1example.com,” “www.example1.com,” etc.). Botnet masters can use algorithms to create a very large number of domain names for registration under a particular theme.
Approaches have been taken to prevent botnet masters from perpetuating a domain name theme across the Internet. In one approach, a Registry receives a list of suspicious domain names from a concerned entity, which could include law enforcement, Registrars, legal entities, etc. Upon receipt, the Registry would then register to itself as many possible permutations of each suspicious domain name as it can, so that no botnet master can register them. The Registry, however, cannot possibly scale to the very large number of domain names that botnet masters can create.
As botnet domain names can change quickly over time, preventing or removing the suspicious domain names from the DNS zone as quickly as possible becomes important. And Registries may find registering every possible permutation of a suspicious domain name difficult and expensive to implement. Registries would therefore benefit from a scalable approach that analyzes domain names at the registration stage to protect the DNS zone from botnets.
Some approaches to protecting the DNS zone have included blocking the registration of a suspicious domain name altogether. In this approach, a Registrar sends a registration request for a domain name that may not yet exist (e.g., “www.hypothetical.com”) to a Registry. The Registry receives this “Domain Create” request typically through EPP, which provides the communication link between Registries and Registrars during domain name registration.
Upon receipt of the “Domain Create” request, the Registry compares the requested domain name to a list of suspicious domain names. If the requested domain name appears on the list, or resembles a name on the list, the Registry rejects the “Domain Create” request and returns an error message to the Registrar. The Registry does not allow the requested domain name to be added to the DNS zone. However, with this procedure the Registry also does not store information regarding the requested domain name in any database.
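The algorithmic permutation of a single theme described earlier, and the registration-time comparison against a suspicious list described in the preceding paragraphs, as one added Python example. It is not code from the original text or from any Registry: the theme “example,” the one-entry suspicious list, the character-swap table, the normalisation rules and the 0.8 similarity threshold are assumptions made for this illustration, and the function names (theme_permutations, screen_domain_create, escaped_permutations) are chosen here. The permutation generator goes beyond the page's three examples by combining a digit prefix, a digit suffix, a hyphen and letter-for-digit swaps, which is enough to show how a single seven-letter theme yields over thirteen thousand registrable names.

```python
"""Theme permutations and Domain Create screening (added example, not code
from the original text).  Theme, list, swap table and the 0.8 threshold are
assumptions for illustration."""
import difflib
import itertools
import re
from dataclasses import dataclass

# Readable character swaps, an assumed part of the botmaster's toolkit.
LEET = {"o": "0", "l": "1", "e": "3", "a": "4", "s": "5"}
UNLEET = {digit: letter for letter, digit in LEET.items()}


def split_domain(fqdn):
    """'www.example.com' -> ('example', 'com'): the SLD and TLD labels."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable name: {fqdn!r}")
    return labels[-2], labels[-1]


def theme_permutations(theme):
    """Names reachable by combining a digit prefix, digit suffix, hyphen, swaps."""
    swap_at = [i for i, c in enumerate(theme) if c in LEET]
    swap_sets = [s for r in range(len(swap_at) + 1)
                 for s in itertools.combinations(swap_at, r)]
    digits = [""] + [str(d) for d in range(10)]
    hyphen_at = [None] + list(range(1, len(theme)))
    names = set()
    for subset, hyphen, prefix, suffix in itertools.product(
            swap_sets, hyphen_at, digits, digits):
        chars = list(theme)
        for i in subset:
            chars[i] = LEET[chars[i]]
        if hyphen is not None:
            chars.insert(hyphen, "-")
        names.add(prefix + "".join(chars) + suffix)
    return names


def _strip_edge_digits(s):
    return re.sub(r"^\d+|\d+$", "", s)


def _unswap(s):
    return "".join(UNLEET.get(c, c) for c in s)


def canonical_forms(label):
    """Normalised spellings with the cheap permutations undone.  An edge digit
    may be padding ('1example9') or a swapped letter ('3xampl3'), so one form
    strips digits first and the other un-swaps first."""
    label = label.lower().replace("-", "")
    return {_unswap(_strip_edge_digits(label)),
            _strip_edge_digits(_unswap(label))}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    kind: str          # "exact", "resembles" or "clear"
    matched: str = ""  # listed name that triggered a rejection
    score: float = 0.0


def screen_domain_create(fqdn, suspicious, threshold=0.8):
    """Registry-side check on an incoming Domain Create request.  SLDs are
    compared and TLDs ignored, assuming a theme is abused across TLDs; an
    exact match after normalisation is rejected, otherwise the best difflib
    similarity ratio is held against the threshold."""
    requested = canonical_forms(split_domain(fqdn)[0])
    best_name, best_score = "", 0.0
    for listed in suspicious:
        listed_forms = canonical_forms(split_domain(listed)[0])
        if requested & listed_forms:
            return Decision(False, "exact", listed, 1.0)
        for a in requested:
            for b in listed_forms:
                score = difflib.SequenceMatcher(None, a, b).ratio()
                if score > best_score:
                    best_name, best_score = listed, score
    if best_score >= threshold:
        return Decision(False, "resembles", best_name, round(best_score, 3))
    return Decision(True, "clear", "", round(best_score, 3))


def escaped_permutations(theme, tld, suspicious, threshold=0.8):
    """Permutations of theme that the screen would still let through."""
    return sorted(
        name for name in theme_permutations(theme)
        if screen_domain_create(f"{name}.{tld}", suspicious, threshold).allowed)


if __name__ == "__main__":
    suspicious = ["example.com"]  # constructed list from a "concerned entity"
    perms = theme_permutations("example")
    escaped = escaped_permutations("example", "com", suspicious)
    print(f"{len(perms)} permutations of one theme; {len(escaped)} escape")
    for name in ("www.hypothetical.com", "www.1example.com",
                 "www.3x4mpl3.com", "www.examples.com"):
        print(name, screen_domain_create(name, suspicious))
```

Two things are worth noticing when running it. First, the 13,552 names come from one theme and four cheap transformations; pre-registering them, as the earlier approach has the Registry do, means paying for every one of them, while the screen only has to normalise each incoming request. Second, the resemblance test is a blunt instrument: the constructed request “www.examples.com” is rejected with a similarity of 0.93 although nothing about it is suspicious, so a threshold that is tight enough to catch the permutations will also produce false rejections that a Registry needs a way to review, which is one more reason to keep a record of each rejected request rather than discarding it.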
This approach fails to continuously monitor a specific suspicious domain name and fails to track any information on the Registrar and Registrant that attempted to register the suspicious domain name. The Registry is unable to provide to law enforcement or other agencies any information on the rejected domain name's registration.