C. Dietrich, C. Rossow, F. Freiling, H. Bos, M. van Steen, N. Pohlmann:
“On Botnets that use DNS for Command and Control”,
Proc. European Conf. Computer Network Defense (EC2ND 2011),
We document reverse engineering efforts on a botnet that uses the Domain Name System (DNS) protocol as the prior mechanism for command and control. Based on our insights, we discuss challenges when using DNS as botnet C&C and design a classification method that can detect such malicious botnet C&C in real network traffic.
In addition, we provide a technique for the classification of malware samples based on their DNS traffic and behavior.
A botnet is a set of computers that are infected with a specific malicious software that allows these computers to be remote controlled via protocols like IRC or HTTP. Botnets have become one of the biggest security issues
on the Internet imposing a large variety of threats to Internet users. Therefore, organizations have keen interest to keep the number of bot infections low. Since the remote command and control channel (C&C) is a defining characteristic of botnets, techniques have been developed to detect bot infections by identifying the C&C network traffic. This has been (partly) successful, e.g. for IRCbased  or HTTP-based botnets . After detection, the infected host may be put into quarantine or even disinfected.
Advances in malware research have challenged botnet operators to improve the resilience of their C&C traffic. Partly, this has been achieved by moving towards decentralized structures (like P2P) or by otherwise obfuscating and even encrypting communication [2, 3, 7, 8, 13, 14]. This makes it harder for researchers to distinguish malicious from benign traffic, albeit not impossible. It was only a question of time when botnets would use communication that was theoretically even harder to detect, namely the use of covert channels, i.e. communication channels that were not intended for communication at all.