Security and Privacy in Communication Networks. SecureComm 2017 International Workshops, ATCS and SePrIoT, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

Hiding Fast Flux Botnet in Plain Email Sight

@INPROCEEDINGS{10.1007/978-3-319-78816-6_14,
    author={Zhi Wang and Meilin Qin and Mengqi Chen and Chunfu Jia},
    title={Hiding Fast Flux Botnet in Plain Email Sight},
    proceedings={Security and Privacy in Communication Networks. SecureComm 2017 International Workshops, ATCS and SePrIoT, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
    proceedings_a={SECURECOMM \& ATCS \& SEPRIOT},
    year={2018},
    month={4},
    keywords={Fast flux, Domain flux, Botnet, Command and control channel, Evasion technique},
    doi={10.1007/978-3-319-78816-6_14}
}
Zhi Wang, Meilin Qin, Mengqi Chen, Chunfu Jia. "Hiding Fast Flux Botnet in Plain Email Sight." SECURECOMM & ATCS & SEPRIOT, Springer, 2018. DOI: 10.1007/978-3-319-78816-6_14
Zhi Wang (1), Meilin Qin (1), Mengqi Chen (1), Chunfu Jia (1, *)
(1) Nankai University
* Contact email: cfjia@nankai.edu.cn

Abstract

Fast flux and domain flux are widely used as evasion techniques to conceal botnet C&C servers. Nowadays, however, more and more machine learning schemes are being introduced to recognize and detect fluxing botnets automatically and effectively. In this paper, we propose a novel fluxing scheme that hides the C&C server in plain email sight. Email flux tries to blend in with normal email communication. Because email servers enjoy an excellent reputation, the malicious activity is more likely to get lost in the crowd of normal email traffic, so DNS-based botnet detection schemes have difficulty detecting an email flux botnet. Compared with the cost of registering a public IP address or a domain, the cost of registering an email account is much lower, and an email account reveals less geolocation information. We also introduce an asymmetric encryption strategy to fortify the DGA, preventing adversaries from taking down the botnet by registering the email accounts before the botmaster does. Finally, we discuss possible future countermeasures to mitigate email flux.