Authors: Roberto Perdisci, David Dagon, Babak Rahbarinia, Manos Antonakakis
DOI:
Keywords:
Abstract: Botnets continue to pose a significant threat to Internet security, and their detection remains a focus of academic and industry research. Some of the most successful botnet measurement and remediation efforts rely heavily on sinkholing the botnet's command and control (C&C) domains [1]. Essentially, sinkholing consists of re-writing the DNS resource records of the C&C domains to point to one or more sinkhole IP addresses, thus directing victim communications to the sinkhole operator (e.g., law enforcement). Sinkholes are typically managed in collaboration with domain registrars and/or registries, and with the owner of the network range where the sinkhole is located. Registrars often play a critical role in remediating abusive domains by invoking the rapid take-down terms commonly found in registration contracts (such as the "Uniform Rapid Suspension System" [3]). Collaboration with the network owners is needed to endure possible reputation damage to their IP space, since sinkholes may appear as real C&Cs to others. While some sinkhole IPs are publicly known or can be easily discovered (see Section 2.1), others are jealously kept trade secrets of the sinkhole operators, who use them to protect proprietary black lists of remediated domains. Therefore, third-party researchers are unable to distinguish between malicious sites and domains that have been pointed to sinkholes. In some cases, this stove-piping of information can cause "friendly fire", whereby security operators or law enforcement take down an already sinkholed C&C. This results in disrupting remediation efforts, and in some cases may bring harm to the victims (whose infected clients in turn contact secondary backup C&Cs that are not being remediated). It is therefore useful to build technologies capable of identifying whether a domain is part of a sinkholing effort. In this paper, we present SinkMiner, a novel forensics system that enables the discovery of previously unknown sinkhole IPs and related domains by efficiently mining large passive DNS databases. Being able to discover "secretive" sinkhole operations has both benign and not-so-benign implications. On the purely benign side, labeling sinkholes can prevent the "friendly fire" mentioned above. Also, it can enable much more precise and effective botnet lifetime measurements. On the other hand, the ability to identify sinkholes may allow less-than-honest parties to collect all sinkholed domains, which could then be re-sold to third parties as a blacklist, unfairly taking advantage of the very meticulous and costly work done by the sinkhole operator.
Our system's ability to detect sinkholes is based on a somewhat surprising empirical observation: sinkholed domains sometimes relocate from one sinkhole IP to another (see Section 2.2). Given a small seed of known sinkhole IPs, we leverage passive DNS databases to monitor the "behavior" of sinkholed domains and track where they relocate, effectively discovering new sinkhole IPs "by association". This is in stark contrast to what common knowledge would suggest, namely that once a domain falls into a sinkhole it will never escape until it expires or is "retired" by the sinkhole operator, making
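The "discovery by association" idea sketched above, as an added, self-contained example that is not SinkMiner's own code and does not reproduce the paper's actual heuristics from Section 2.2. It assumes passive DNS records shaped as `(domain, ip, first_seen)` tuples (the records below are constructed, using RFC 5737 documentation addresses) and adds two assumptions of its own: it iterates the seed expansion to a fixed point, and it only accepts a new IP as a candidate sinkhole once at least `min_domains` already-sinkholed domains have relocated to it after their sinkhole resolution, so that a single domain drifting to an ordinary parking or hosting IP does not pollute the result.

```python
from collections import defaultdict

# Constructed passive DNS records: (domain, ip, first_seen as ISO date).
# 198.51.100.10 is the only sinkhole we start out knowing; .20 and .30 are
# hypothetical second and third sinkholes; 192.0.2.77 is a generic hosting IP.
PDNS = [
    ("bot-a.example", "203.0.113.5",   "2013-01-01"),  # original C&C IP
    ("bot-a.example", "198.51.100.10", "2013-02-01"),  # sinkholed (seed)
    ("bot-a.example", "198.51.100.20", "2013-03-01"),  # relocated to 2nd sinkhole
    ("bot-a.example", "192.0.2.77",    "2013-05-01"),  # lone drift to hosting IP
    ("bot-b.example", "198.51.100.10", "2013-02-03"),
    ("bot-b.example", "198.51.100.20", "2013-03-02"),
    ("bot-c.example", "198.51.100.20", "2013-03-10"),  # never at the seed IP
    ("bot-c.example", "198.51.100.30", "2013-04-01"),
    ("bot-d.example", "198.51.100.20", "2013-03-11"),
    ("bot-d.example", "198.51.100.30", "2013-04-02"),
    ("www.example",   "192.0.2.77",    "2012-01-01"),  # benign, never sinkholed
]

SEED_SINKHOLES = {"198.51.100.10"}


def expand_by_association(records, seed_ips, min_domains=2, max_rounds=10):
    """Grow a set of sinkhole IPs and sinkholed domains from a small seed.

    Round structure (assumption of this example, not the paper's method):
      1. every domain that ever resolved to a known sinkhole IP is sinkholed;
      2. any IP that at least `min_domains` sinkholed domains moved to *after*
         their first sinkhole resolution is promoted to a sinkhole IP.
    Repeat until no new IP is found or `max_rounds` is reached.
    Returns (newly discovered sinkhole IPs, all sinkholed domains).
    """
    by_ip = defaultdict(set)       # ip -> domains that resolved to it
    by_domain = defaultdict(list)  # domain -> [(first_seen, ip)], time-ordered
    for domain, ip, seen in records:
        by_ip[ip].add(domain)
        by_domain[domain].append((seen, ip))
    for hist in by_domain.values():
        hist.sort()  # ISO dates sort chronologically as strings

    sink_ips = set(seed_ips)
    sink_domains = set()
    for _ in range(max_rounds):
        for ip in sink_ips:
            sink_domains |= by_ip[ip]

        # Collect "votes": which sinkholed domains relocated to which unknown IP.
        votes = defaultdict(set)
        for domain in sink_domains:
            hist = by_domain[domain]
            first_sink = min(seen for seen, ip in hist if ip in sink_ips)
            for seen, ip in hist:
                if seen > first_sink and ip not in sink_ips:
                    votes[ip].add(domain)

        new_ips = {ip for ip, doms in votes.items() if len(doms) >= min_domains}
        if not new_ips:
            break
        sink_ips |= new_ips

    for ip in sink_ips:  # pick up domains attached to the last-added IPs
        sink_domains |= by_ip[ip]
    return sink_ips - set(seed_ips), sink_domains


if __name__ == "__main__":
    ips, domains = expand_by_association(PDNS, SEED_SINKHOLES)
    print("discovered sinkhole IPs:", sorted(ips))
    print("sinkholed domains:", sorted(domains))
```

On the constructed data the seed IP leads to `bot-a` and `bot-b`, both of which later moved to 198.51.100.20, so that IP is promoted; the domains parked there then reveal 198.51.100.30 in the next round, while 192.0.2.77 never reaches the threshold and `www.example` is never touched. The threshold is the simplest guard against mislabeling a shared hosting address; a real system would need additional evidence (ownership, resolution stability, the paper's own features) before treating an IP as a sinkhole.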