Abstract
Conference Title: 2014 6th International Conference on New Technologies, Mobility and Security (NTMS) Conference Start Date: 2014, March 30 Conference End Date: 2014, April 2 Conference Location: Dubai, United Arab Emirates Malware families utilize different protocols to establish their covert communication networks. It is also the case that sometimes they utilize protocols which are least expected to be used for transferring data, e.g., Domain Name System (DNS). Even though the DNS protocol is designed to be a translation service between domain names and IP addresses, it leaves some open doors to establish covert channels in DNS, which is widely known as DNS tunneling. In this paper, we characterize the malicious payload distribution channels in DNS. Our proposed solution characterizes these channels based on the DNS query and response messages patterns. We performed an extensive analysis of malware datasets for one year. Our experiments indicate that our system can successfully determine different patterns of the DNS traffic of malware families. [PUBLICATION ABSTRACT]