By: ThreatLabz

Whitepaper: Botnet Analysis Leveraging Domain Ratio Analysis


While conducting stats and trends for last Quarter's "State of the Web" report, I found an interesting way of analyzing top-level domains (TLDs). I added the total number of web transactions involving a TLD for the month and divided it by the total number of unique domains within that TLD. In other words I calculated a ratio of Transactions:Unique Domains per TLD for each month and tracked this ratio. A low ratio means that the transactions were well distributed across the domains visited within that TLD. A ratio of 1:1 for example means that there was essentially 1 web transaction per unique domain visited. A very high ratio would indicate that there were a large number of transactions to one or more of the unique domains visited - suggesting that one or more popular domains dominated customer usage of that particular TLD.

By sifting through the records for the high-ratio results, some interesting information can be discovered. In some cases, high-ratios were caused by numerous transactions to a popular site or service, such as a popular social networking site in a particular ccTLD. However, high-ratios may also represent malicious command and control (C&C) or information drop servers that have a large number of transactions beaconing to them.

An example of a TLD that bubbled to the top was .LY. This domain had more than double the monthly ratio value of .COM. This high-ratio is explained by the TLD being relatively unpopular for our customers in terms of unique domains visited, but having a large number of transactions to a popular domain: BIT.LY, a URL shortening service.

Another TLD, .NU, had more than double the monthly ratio of .LY. After conducting analysis on the results, I detected that there were several customers beaconing to a .NU site over HTTP on port 53/TCP (generally used for DNS). Upon further investigation the customers were infected with a previously undetected variant of the Win32.PcClient Backdoor. The full research report of the detection methodology and incident analysis can be read HERE.

Learn more about Zscaler.