Security Research

Whitepaper: Botnet Analysis Leveraging Domain Ratio Analysis

THREATLABZ
March 29, 2010 - 2 min read
While compiling statistics and trends for last quarter's "State of the Web" report, I found an interesting way of analyzing top-level domains (TLDs). I added up the total number of web transactions involving a TLD for the month and divided it by the total number of unique domains visited within that TLD. In other words, I calculated a ratio of Transactions:Unique Domains per TLD for each month and tracked this ratio over time. A low ratio means that the transactions were well distributed across the domains visited within that TLD. A ratio of 1:1, for example, means that there was essentially one web transaction per unique domain visited. A very high ratio indicates that a large number of transactions went to one or more of the unique domains visited, suggesting that one or more popular domains dominated customer usage of that particular TLD.

By sifting through the records behind the high-ratio results, some interesting information can be discovered. In some cases, high ratios were caused by numerous transactions to a popular site or service, such as a popular social networking site in a particular ccTLD. However, high ratios may also point to malicious command and control (C&C) or information drop servers that receive a large number of beaconing transactions from infected hosts.

An example of a TLD that bubbled to the top was .LY. This TLD had more than double the monthly ratio value of .COM. The high ratio is explained by the TLD being relatively unpopular for our customers in terms of unique domains visited, while having a large number of transactions to one popular domain: BIT.LY, a URL shortening service.

Another TLD, .NU, had more than double the monthly ratio of .LY. After analyzing the results, I found that several customers were beaconing to a .NU site over HTTP on port 53/TCP (a port generally used for DNS). Upon further investigation, the customers turned out to be infected with a previously undetected variant of the Win32.PcClient Backdoor. The full research report on the detection methodology and incident analysis can be read HERE.
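The ratio analysis described above, and the follow-up check for HTTP traffic on a port normally reserved for DNS, can be reproduced over ordinary proxy logs. The following is an added illustration written for this post, not Zscaler's own tooling: it works on a constructed log sample (client IP, host, destination port), treats the last label of the hostname as the TLD and the full hostname as the "unique domain" (both simplifications, assumed here), computes the Transactions:Unique Domains ratio per TLD, flags TLDs whose ratio exceeds a multiple of the .COM baseline, names the domain that dominates a flagged TLD, and lists hosts contacted over HTTP on 53/TCP. The hostnames in the sample are placeholders, not real indicators.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample proxy log (not real traffic): "client_ip host dest_port" per line.
# Mirrors the post: .COM is evenly spread, .LY is dominated by bit.ly,
# and .NU is a single host beaconed to over HTTP on 53/TCP.
SAMPLE_LOG = """\
10.0.0.11 www.example.com 80
10.0.0.12 mail.example.com 80
10.0.0.13 shop.example.com 80
10.0.0.11 news.example.com 80
10.0.0.14 bit.ly 80
10.0.0.15 bit.ly 80
10.0.0.16 bit.ly 80
10.0.0.17 bit.ly 80
10.0.0.18 other.ly 80
10.0.0.21 beacon.example.nu 53
10.0.0.22 beacon.example.nu 53
10.0.0.23 beacon.example.nu 53
10.0.0.21 beacon.example.nu 53
10.0.0.22 beacon.example.nu 53
10.0.0.23 beacon.example.nu 53
"""


@dataclass(frozen=True)
class Record:
    client: str
    host: str
    port: int


def parse_log(text: str) -> list[Record]:
    """Parse the whitespace-separated sample format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, port = line.split()
        records.append(Record(client, host.lower(), int(port)))
    return records


def tld_of(host: str) -> str:
    """Assumption: the TLD is the last DNS label (no public-suffix handling)."""
    return host.rsplit(".", 1)[-1]


def tld_ratios(records: list[Record]) -> dict[str, float]:
    """Transactions : unique domains, per TLD, as a float ratio."""
    transactions: Counter[str] = Counter()
    domains: dict[str, set[str]] = defaultdict(set)
    for r in records:
        tld = tld_of(r.host)
        transactions[tld] += 1
        domains[tld].add(r.host)
    return {tld: transactions[tld] / len(domains[tld]) for tld in transactions}


def high_ratio_tlds(ratios: dict[str, float], baseline: str = "com",
                    factor: float = 2.0) -> list[str]:
    """TLDs whose ratio exceeds `factor` times the baseline TLD's ratio."""
    base = ratios[baseline]
    return sorted(t for t, v in ratios.items() if t != baseline and v > factor * base)


def dominant_domain(records: list[Record], tld: str) -> tuple[str, float]:
    """Most-contacted host within a TLD and its share of that TLD's transactions."""
    per_host = Counter(r.host for r in records if tld_of(r.host) == tld)
    host, count = per_host.most_common(1)[0]
    return host, count / sum(per_host.values())


def hosts_on_port(records: list[Record], port: int = 53) -> list[tuple[str, int]]:
    """Hosts reached over the proxy (i.e. HTTP) on a port that is not a web port."""
    return sorted({(r.host, r.port) for r in records if r.port == port})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    ratios = tld_ratios(recs)
    for tld, ratio in sorted(ratios.items(), key=lambda kv: -kv[1]):
        print(f".{tld.upper():<4} ratio {ratio:.2f}")
    for tld in high_ratio_tlds(ratios):
        host, share = dominant_domain(recs, tld)
        print(f"flagged .{tld.upper()}: {host} carries {share:.0%} of transactions")
    print("HTTP over 53/TCP:", hosts_on_port(recs, 53))
```

On the sample, .COM sits at 1.0, .LY at 2.5 and .NU at 6.0, so both .LY and .NU are flagged against a 2x .COM baseline; the dominant-domain step then separates the benign case (a URL shortener) from the one worth escalating (a single host contacted by many clients over HTTP on 53/TCP). On real logs, the baseline should be the previous months of the same TLD rather than .COM alone, so that a ratio jump is measured against the TLD's own history.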