finished notos; started exposure

2018-01-04 20:24:08 +01:00
parent d47217fd88
commit 0f10314bc8
19 changed files with 361 additions and 192 deletions


@@ -11,6 +11,15 @@ On May 12th 2017, British security researchers discovered a malware which was sp
This case shows an example of how domains can be used by attackers to control their software. Usually domains are more often used to connect to command and control servers or to communicate with other infected machines (see Section~\ref{sec:botnets}). To infect a machine, attackers often use so called \textit{droppers} or \textit{injectors} that do not ship the malicious code in the first hand but that are little programs to download further source code or binaries that contain the harming functionality. It is much easier for malware authors to use domains for this purpose instead of hard coding the IP addresses for many reasons: If machines that serve the down-loadable content are e.g. confiscated by the police or taken down for other reasons, domains can simply be pointed to a redundant server and such minimizing slow downs in the distribution of the malware. Reliable endpoints are also used to maintain the malicious software and load additional code. As domains are comparably cheap (starting at a few cents per year compared to at least \$ 10 for a dedicated IPv4 address a year), attackers can build a pool of many domains and such compensate take downs of some domain names. This could possibly change when IPv6 is widely adopted (with IPv6 addresses being much cheaper) but according to statistics of Google, only about 20\% of worldwide users accessing google where IPv6 enabled (natively or using IPv6 to IPv4 bridges) \fsCite{googlecom_ipv6adoption}. This imposes the usage of IPv6 as the primary protocol in malware for obvious reasons.
\todo{add somewhere here}
techniques like:
fast flux networks, domain flux networks, domain generation algorithm
((
Examples of malware that make use of such DGAs are Kraken/Bobax, the Srizbi bots and the Conficker worm
))
\subsection{Countermeasures}
\label{subsec:countermeasures}
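Review bot: The placeholder lines `\todo{add somewhere here}`, `techniques like:`, `fast flux networks, domain flux networks, domain generation algorithm` and the `((` ... `))` block on the Kraken/Bobax, Srizbi and Conficker example are left as bare body text, so everything after the `\todo{...}` argument will be typeset verbatim in the compiled document; either move the whole draft note inside the `\todo{}` argument or comment it out with `%` until the fast-flux, domain-flux and DGA discussion is written. The closing sentence of the paragraph also states the opposite of what the argument supports: a roughly 20\% IPv6 adoption figure is a reason why malware cannot yet rely on IPv6 as its primary protocol, so "This imposes the usage of IPv6 as the primary protocol in malware for obvious reasons" should read along the lines of "This rules out IPv6 as the primary protocol in malware, since a large share of victims would be unreachable", with the reason made explicit rather than "obvious". Minor wording in the same paragraph: "where IPv6 enabled" should be "were IPv6 enabled", "in the first hand" should be "in the first place", "down-loadable" should be "downloadable", and "and such minimizing" / "and such compensate" should be "and thus minimizing" / "and thus compensate".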
@@ -39,7 +48,6 @@ A Botnet is a network of mostly computers infected with malicious software and c
\subsection{Architecture}
\label{subsec:architecture}
xl
\subsection{Discovery}
\label{subsec:botnets_discovery}
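Review bot: The line `xl` under `\subsection{Architecture}` is a stray keystroke rather than content, and with the hunk removing one line the Architecture subsection is now empty between its `\label` and the following `\subsection{Discovery}`; replace it with a `\todo{...}` describing the intended botnet architecture discussion (or drop the line) so the placeholder does not appear in the rendered thesis.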