Indirect Detection of Mass Mailing Worm-Infected PC terminals for Learners
I've posted about mass-mailer detection using DNS queries before, and it still strikes me as a very efficient and elegant way to detect many mass-mailers on a typical enterprise network. Does anyone here have any pointers to any DNS monitoring tools or patches to BIND that they like for this sort of thing?

From the paper's abstract: "We have developed a new indirect virus detection system that detects IP addresses of the mass mailing worm (MMW)-infected PC terminals for learners by only watching the domain name system (DNS) query traffic between the DNS server and the PC terminals."

Indirect Detection of Mass Mailing Worm-Infected PC terminals for Learners, Yasuo Musashi, Ryuichi Matsuba, and Kenichi Sugitani.
December 15, 2005 in detection, papers
Comments
My company has provided detection for MX queries that originate from computers that are not DNS servers or mail servers for quite some time. Indeed, it was found to be quite successful in detecting and blocking MMVs.
Posted by: Yaniv | Dec 15, 2005 11:39:13 AM
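The DNS-watching heuristic described in the post and in Yaniv's comment, as an added example (not code from the paper or from any commenter): it parses BIND-style query log lines, counts MX lookups per client, and flags clients that are not on an allow-list of known mail and DNS servers. The log line format, the allow-list, the threshold and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample BIND-style query log lines (not from the paper or the blog).
# Assumed format: "<date> <time> client <ip>#<port>: query: <name> IN <type> <flags>"
SAMPLE_LOG = """\
15-Dec-2005 11:30:01.001 client 192.0.2.25#1025: query: mx.example.org IN MX +
15-Dec-2005 11:30:01.120 client 192.0.2.101#3344: query: aol.com IN MX +
15-Dec-2005 11:30:01.121 client 192.0.2.101#3345: query: hotmail.com IN MX +
15-Dec-2005 11:30:01.122 client 192.0.2.101#3346: query: yahoo.com IN MX +
15-Dec-2005 11:30:02.010 client 192.0.2.102#1100: query: www.example.org IN A +
15-Dec-2005 11:30:02.015 client 192.0.2.102#1101: query: example.net IN MX +
15-Dec-2005 11:30:03.400 client 192.0.2.25#1026: query: example.net IN MX +
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)

# Hosts that legitimately issue MX lookups: the site's mail and DNS servers (constructed).
KNOWN_MAIL_AND_DNS_SERVERS = {"192.0.2.25"}

def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for each parsable query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype")

def mx_queries_by_client(log_text):
    """Return (MX query count per client, distinct MX target domains per client)."""
    counts = Counter()
    domains = defaultdict(set)
    for ip, name, qtype in parse_queries(log_text):
        if qtype == "MX":
            counts[ip] += 1
            domains[ip].add(name.lower())
    return counts, domains

def suspected_mass_mailers(log_text, allowed=KNOWN_MAIL_AND_DNS_SERVERS, min_mx=3):
    """Map client IP -> MX query count for clients that are not known mail/DNS
    servers and looked up MX records for at least min_mx distinct domains,
    the pattern a mass-mailer shows when it delivers directly to many domains."""
    counts, domains = mx_queries_by_client(log_text)
    return {ip: counts[ip] for ip in counts
            if ip not in allowed and len(domains[ip]) >= min_mx}

if __name__ == "__main__":
    for ip, n in sorted(suspected_mass_mailers(SAMPLE_LOG).items()):
        print(f"suspect {ip}: {n} MX queries")
```

On the constructed log only 192.0.2.101 is flagged: the mail server is allow-listed and the host with a single MX lookup stays below the threshold.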
Hi, I need some help. I am looking for research papers on the topic of automated worm and signature detection. It's for a class assignment; I am completely new to this field and I have no idea how to go about it and where to look. Well, I think I can manage the show once I read a few papers, but unfortunately I can't find any papers. The ones I found, i.e.
1. Autograph: Toward Automated, Distributed Worm Signature Detection
2. Low level network attack recognition
3. Efficient Batch signature generation using tree structure
4. Anomalous Payload-based Worm Detection and Signature Generation
were already taken by other students. Now I am left with no alternative but to turn to you guys for help. All I want is 2 research papers and maybe 2 whitepapers, so I can go ahead and work on them. I know I am asking for too much, but I don't know what to do; I am completely ignorant. Please help me, I have only 2 days left :(
Please...
thanks
Manesh Saini
Posted by: Manesh Saini | Dec 17, 2005 3:30:24 PM
Hi,
This is a very late comment, but I found this entry today.
I wrote a paper entitled "Detecting Mass-Mailing Worm Infected Hosts by Mining DNS Traffic Data", which is inspired by the paper of this entry.
http://www.sigcomm.org/sigcomm2005/paper-IshToy.pdf
I think the proposed method can be applied to botnet detection.
Comments are appreciated!
Thanks.
Posted by: Keisuke Ishibashi | Mar 9, 2006 10:09:54 AM