1. Field of the Invention
Embodiments of the present invention generally relate to computer security. Particularly, embodiments of the present invention relate to a method and apparatus for disrupting the command and control infrastructure of hostile programs.
2. Description of the Related Art
People use computers and computer networks to perform various activities. Unfortunately, computers and computer networks are susceptible to attacks from hackers. Hackers use hostile programs (e.g., malware, botnets, backdoors, Trojans, worms, and the like) to interrupt the performance of such activities and pose significant threats to the stability of a user's computer and security of a user's data.
Hackers employ various deceptive and/or intrusive techniques to store and/or unleash hostile programs on vulnerable computers. Some hostile programs use a computer network to attack and exercise command and control over the infrastructure of numerous computers. For example, botnets are collections of compromised computers under a common command and control infrastructure. The botnet could be established to use the common command and control infrastructure to spread SPAM or viruses throughout a network such as the Internet.
Advanced threats, such as botnets, use statically embedded DNS Fully Qualified Domain Names (FQDNs) as well as static Internet Protocol (IP) addresses within malicious programs as a technique to facilitate the command and control of compromised victim computers from remote locations. Recent intelligence indicates that hackers have shifted from employing mobile malware (i.e., malicious software agents that compromise one victim computer and distribute themselves to multiple other vulnerable computers coupled to the victim computer) to focusing their attacks on specific vulnerable computers. Focused attacks, such as email-borne attacks, allow hackers to exploit the vulnerabilities of specific users rather than the vulnerabilities of specific network assets.
For example, a hacker of ordinary skill in the art of computer programming can develop custom backdoors that utilize reverse shells (i.e., reverse connections) to circumvent a firewall or any other layer of security for an enterprise. In most cases, when a hacker has successfully compromised a vulnerable computer, a hostile binary (e.g., Trojan, worm, rootkit, and the like) is left in memory as a means for the hacker to control the compromised computer. For the most part, the hostile binary code will make an outbound request utilizing local or remote DNS services to broker a follow-on connection (e.g., a TCP connection) and/or to locate a destination to which to pass UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) traffic, if the hacker chooses non-standard protocols for surreptitious command and control of the compromised computer.
Hackers constantly poll live update services (e.g., Antivirus Live Update provided by SYMANTEC Corporation) for up-to-date security programs in order to verify that their hostile binary code remains undetected. Once detected, these hackers modify the code just enough that the modified hostile binary code evades detection and continues to compromise the victim computer. For example, the hacker can map the controlling domain name to another IP address through Dynamic DNS services. It is difficult, however, for the hackers to modify and/or reconstitute their infrastructure (i.e., the modified hostile binary code still uses the same controlling domain despite the different IP address).
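The two preceding paragraphs make the point that the controlling domain name is the stable element of the hostile program's command and control infrastructure: the hostile binary must resolve that name through local or remote DNS before it can broker its follow-on connection, and remapping the name to a new IP address through Dynamic DNS does not change the name itself. A defender can therefore detect the compromised computer by watching DNS query logs for lookups of known controlling domains, independently of whatever address they currently resolve to. The following Python script is an added illustration of that detection step; it is not part of the patent text, and the BIND-style query log lines, the client addresses and the blocklisted FQDNs (`c2.example.invalid`, `update.bad-example.test`) are all constructed placeholders.

```python
"""Flag DNS lookups of known controlling (command and control) domains.

Added example, not from the patent text. Assumes BIND-style query log lines;
every domain and address below is a constructed placeholder.
"""
import re
from collections import defaultdict

# Constructed blocklist of controlling FQDNs that a hostile binary embeds
# statically. Matching is on the name, so a change of the resolved IP address
# (e.g., via Dynamic DNS) does not affect detection.
C2_DOMAINS = {"c2.example.invalid", "update.bad-example.test"}

# Constructed BIND-style query log: client address, queried name, record type.
SAMPLE_LOG = """\
01-Mar-2024 10:00:01.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
01-Mar-2024 10:00:02.456 client 10.0.0.7#51235: query: c2.example.invalid IN A + (10.0.0.1)
01-Mar-2024 10:00:03.789 client 10.0.0.7#51236: query: beacon.c2.example.invalid IN A + (10.0.0.1)
01-Mar-2024 10:00:04.012 client 10.0.0.9#51237: query: UPDATE.BAD-EXAMPLE.TEST IN TXT + (10.0.0.1)
01-Mar-2024 10:00:05.345 client 10.0.0.5#51238: query: mail.example.com IN MX + (10.0.0.1)
"""

# Extracts the client address, the queried name and the query type.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return name.rstrip(".").lower()


def matches_c2(name, blocklist=C2_DOMAINS):
    """True if name is a blocklisted FQDN or a subdomain of one.

    The dot prefix in the suffix test prevents 'notc2.example.invalid' from
    matching the blocklisted 'c2.example.invalid'.
    """
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in blocklist)


def parse_query(line):
    """Return (client, normalized name, qtype) for a query line, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("client"), normalize(m.group("name")), m.group("qtype")


def find_c2_lookups(log_text, blocklist=C2_DOMAINS):
    """Map each client address to the blocklisted names it looked up."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue  # not a query line; skip it
        client, name, _qtype = parsed
        if matches_c2(name, blocklist):
            hits[client].append(name)
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(find_c2_lookups(SAMPLE_LOG).items()):
        print(f"{client} queried controlling domain(s): {', '.join(names)}")
```

Run against the constructed log, the script reports 10.0.0.7 (two lookups under the `c2.example.invalid` domain, one of them a subdomain) and 10.0.0.9 (a TXT lookup of `update.bad-example.test`, matched case-insensitively), while the ordinary lookups from 10.0.0.5 are ignored. The same hits would be reported no matter which IP address the names resolved to, which is exactly the property the text describes: the attacker can change the address, but the hostile binary keeps asking for the same name.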
Therefore, there is a need in the art for a method and apparatus for disrupting the command and control infrastructure of hostile programs.