Title: Understanding DNS-based Criminal Infrastructure for Informing Takedowns

Yacin Nadji

School of Computer Science

Georgia Institute of Technology

Date: Wednesday, July 15, 2015

Time: 10:00 am

Location: KACB Room 3126

Committee

----------------

Prof. Wenke Lee (Co-advisor, School of Computer Science, Georgia Institute of Technology)

Prof. Emmanouil Antonakakis (Co-advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology)

Prof. Douglas Blough (School of Electrical and Computer Engineering, Georgia Institute of Technology)

Prof. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)

Prof. Michael Bailey (Department of Electrical and Computer Engineering, University of Illinois at Urbana-Champaign)

Abstract

--------------

Botnets are a pervasive threat to the Internet and its inhabitants. A botnet is a collection

of infected machines that receive commands from the botmaster, a person, group or nation-

state, to perform malicious actions. Instead of "cleaning" individual infections, one can sever

the method of communication between a botmaster and her zombies by attempting a botnet

takedown, which contains the botnet and its malicious actions.

Unfortunately, takedowns are currently performed without technical rigor nor are there

automated and independent means to measure success or assist in performing them. Our

research focuses on understanding the criminal infrastructure that enables communication

between a botmaster and her zombies in order to measure attempts at, and to perform,

successful takedowns. We show that by interrogating malware and performing large-scale

analysis of passively collected network data, we can measure if a past botnet takedown was

successful and use the same techniques to perform more comprehensive takedowns in the

future.