May 10 – 11, 2014
Sofitel Warsaw Victoria
Europe/Warsaw timezone

Detecting and Clustering Botnet Domains Using DNS Traffic

May 11, 2014, 2:40 PM
Opera (Sofitel Warsaw Victoria)


Sofitel Warsaw Victoria

11 Królewska Street 00-065 Warsaw
Public Workshop


Matthew Thomas (Verisign)


In this paper we focus on detecting and clustering distinct groupings of domain names that are queried by numerous sets of infected machines. We propose to analyze domain name system (DNS) traffic, such as Non-Existent Domain (NXDomain) queries, at several premier Top Level Domain (TLD) authoritative name servers to identify strongly connected cliques of malware related domains. We illustrate typical malware DNS lookup patterns when observed on a global scale and utilize this insight to engineer a system capable of detecting and accurately clustering malware domains to a particular variant or malware family without the need for obtaining a malware sample. Finally, the experimental results of our system will provide a unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.

Primary authors

Dr Aziz Mohaisen (Verisign Labs) Matthew Thomas (Verisign)

Presentation materials