The Future of Takedowns

Botnet takedowns do not typically result in a safer Internet. At Damballa, we have technology that can help make takedowns more effective and, in turn, better protect end users. But there are still many open questions that must be addressed.

How to Take Down a Botnet, Damballa Style

The only way botnet takedowns will have a lasting impact on end user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.

Learning from DNS

If you step back and examine the domain names observed in almost any network, you can roughly sort them into three pseudo-classes: dead, alive, and about to be born. In loose technical terms, "dead" domain names are those that are parked or simply pointed at a sinkhole.

When malware is not enough…

Typically, when security companies or threat research labs announce the discovery of a new threat, the discovery entails the capture of never-before-seen malware, followed by reverse engineering of the sample and/or running it in a sandbox/VM to observe its host infection and network communication behavior.

The Intricacies of Sinkholes

...not only were we able to identify the malware family, but we were flooded with tens of thousands of inbound C&C connections! If our statistical analysis was anywhere near correct, then this particular botnet is probably in the hundreds of thousands of victims worldwide...

The Magic of DGA Discovery

Malware that uses domain generation algorithms (DGAs) to locate its command-and-control infrastructure and upload stolen data is designed to evade conventional prevention technologies.

DGAs vs. Automated Malware Signature Generation

Take for instance the idea of automatically processing malware within a virtualized host, capturing the network traffic that's generated, automatically generating an IDS signature for the malicious traffic, and then deploying the signature to a network protection platform. It sounds so enticingly simple - almost elegant. So why isn't everyone doing this? Why aren't we protected from malware?

Domain Generation Algorithms (DGA) in Stealthy Malware

Instead of relying upon a static list of preconfigured domain names corresponding to the location of the bad guys' C&C servers, it used an algorithm to calculate candidate domain names, and then tried reaching a handful of the candidates in a vain attempt to locate an active C&C server.
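As an added illustration (not Damballa's code, and not any real malware family's algorithm), the Python sketch below uses a hypothetical date-seeded DGA to show two things the excerpts above only describe: why an IDS signature generated from one sandbox run matches nothing the next day, and how a defender who has recovered the algorithm can instead enumerate the domains that are "about to be born" and sinkhole or block them in advance. The seed constant, candidate count, TLD list, demo date and the lexical thresholds in the heuristic are all assumptions made for this example.

```python
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Hypothetical toy DGA for illustration only: it mirrors the shape of the
# technique (secret seed + current date -> a fresh batch of candidate
# domains) without reproducing any real family's algorithm.
SEED = b"demo-seed"                      # assumption: attacker-chosen constant
TLDS = (".com", ".net", ".info")         # assumption: rotating TLD list
CANDIDATES_PER_DAY = 8                   # assumption: how many the bot tries
DEMO_DAY = date(2012, 6, 1)              # assumption: arbitrary day for the demo


def generate_candidates(day: date, count: int = CANDIDATES_PER_DAY) -> list[str]:
    """Derive the day's candidate C&C domains from SHA-256(seed || date || index)."""
    candidates = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        # Map 12 hex nibbles onto the letters a..p so the label resembles a DGA string.
        label = "".join(chr(ord("a") + int(ch, 16)) for ch in digest[:12])
        candidates.append(label + TLDS[i % len(TLDS)])
    return candidates


def build_signature(observed: list[str]) -> frozenset[str]:
    """Stand-in for automated signature generation: the literal domains a
    sandbox run saw the sample resolve."""
    return frozenset(observed)


def signature_hits(signature: frozenset[str], traffic: list[str]) -> int:
    """How many domains in later traffic the static signature still matches."""
    return sum(1 for d in traffic if d in signature)


def signature_decay(start: date) -> tuple[int, int]:
    """Hits of a signature built on `start` against that day's traffic and the next day's."""
    sig = build_signature(generate_candidates(start))
    return (signature_hits(sig, generate_candidates(start)),
            signature_hits(sig, generate_candidates(start + timedelta(days=1))))


def precompute_blocklist(start: date, days: int) -> set[str]:
    """Defender's move once the algorithm is recovered: enumerate the domains
    that are 'about to be born' so they can be sinkholed or blocked in advance."""
    out: set[str] = set()
    for offset in range(days):
        out.update(generate_candidates(start + timedelta(days=offset)))
    return out


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(domain: str) -> bool:
    """Crude lexical heuristic for DGA-like labels. Thresholds are assumptions
    tuned for this demo, not a production detector: long second-level label,
    high character entropy, few vowels."""
    label = domain.split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) > 3.0 and vowel_ratio < 0.35


if __name__ == "__main__":
    same_day, next_day = signature_decay(DEMO_DAY)
    print("signature hits on day-1 traffic:", same_day)
    print("signature hits on day-2 traffic:", next_day)
    print("domains to pre-register for the coming week:",
          len(precompute_blocklist(DEMO_DAY + timedelta(days=1), 7)))
    for d in generate_candidates(DEMO_DAY)[:3] + ["google.com"]:
        print(f"{d:24} generated-looking={looks_generated(d)}")
```

The point of `signature_decay` is the second number: a signature that is a list of literal domains is exact on the day it was generated and useless the day after, which is why the automated-signature pipeline described above does not keep up. `precompute_blocklist` is the opposite approach, and `looks_generated` is the kind of algorithm-agnostic lexical heuristic that flags a label regardless of which day produced it.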