Title: Understanding DNS-based Criminal Infrastructure to Perform Takedowns
Yacin Nadji
School of Computer Science
Georgia Institute of Technology
Date: Thursday, March 5, 2015
Time: 10:00 am
Location: KACB Room 3126
Committee
----------------
Prof. Wenke Lee (Co-advisor, School of Computer Science, Georgia Institute of Technology)
Prof. Emmanouil Antonakakis (Co-advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology)Prof. Douglas Blough (School of Electrical and Computer Engineering, Georgia Institute of Technology)Prof. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)Prof. Michael Bailey (Department of Electrical and Computer Engineering, University of Illinois at Urbana-Champaign)
Abstract
--------------
Botnets are a pervasive threat to the Internet and its inhabitants. A botnet is a collectionof infected machines that receive commands from the botmaster, a person, group or nation-state, to perform malicious actions. Instead of "cleaning" individual infections, one can severthe method of communication between a botmaster and her zombies by attempting a botnettakedown, which contains the botnet and its malicious actions. Unfortunately, takedowns are currently performed without technical rigor nor are thereautomated and independent means to measure success or assist in performing them. Ourresearch focuses on understanding the criminal infrastructure that enables communicationbetween a botmaster and her zombies in order to measure attempts at, and to perform,successful takedowns. We show that by interrogating malware and performing large-scaleanalysis of passively collected network data, we can measure if a past botnet takedown wassuccessful and use the same techniques to perform m]]>