Malicious Payload Distribution Channels in Domain Name System

Kara, Abdullah Mert (2013) Malicious Payload Distribution Channels in Domain Name System. Masters thesis, Concordia University.

Text (application/pdf): Kara_MASc_S2014.pdf - Accepted Version
Available under License Spectrum Terms of Access.


Botmasters are known to use different protocols to keep their activities under the radar. Over the past years, several protocols have been abused, and recently the Domain Name System (DNS) has also become a target of such malicious activities. In this dissertation, we analyze the use of DNS as a malicious payload distribution channel. To the best of our knowledge, this is the first comprehensive analysis of payload distribution channels via DNS. We present a system to characterize such channels in passive DNS (pDNS) traffic by modelling DNS query and response patterns. Then, we analyze the Resource Record (RR) activities of these channels to build their DNS zone profiles. Finally, we detect payload distribution channels and assign them levels of intensity using fuzzy logic. Our work is based on an extensive analysis of one year of malware datasets and a near real-time feed of pDNS traffic. The experimental results reveal a few long-running hidden domains used by the Morto worm to distribute malicious payloads. We also found that some of these payloads are in cleartext, without any encoding or encryption. Our experiments on pDNS traffic indicate that our system can detect these channels regardless of the payload format.

Passive DNS is a useful data source for DNS-based research, and it needs to be stored in a database for historical data analysis such as the work we present in this dissertation. Once this database is established, it can be used for any sort of threat analysis that requires DNS-oriented intelligence. Our aim is to create a scalable pDNS database that contains potentially valuable security intelligence data. We present our pDNS database by discussing the database design, implementation challenges, and the evaluation of the system.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Kara, Abdullah Mert
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: December 2013
Thesis Supervisor(s): Debbabi, Mourad and Mannan, Mohammad
Keywords: DNS tunneling, passive DNS, malware
ID Code: 978079
Deposited On: 16 Jun 2014 20:12
Last Modified: 18 Jan 2018 17:45
Additional Information: Final submission
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
