Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Whitepaper: Botnet Analysis Leveraging Domain Ratio Analysis

March 29, 2010 - 2 min read
ImageWhile conducting stats and trends for last Quarter's "State of the Web" report, I found an interesting way of analyzing top-level domains (TLDs). I added the total number of web transactions involving a TLD for the month and divided it by the total number of unique domains within that TLD. In other words I calculated a ratio of Transactions:Unique Domains per TLD for each month and tracked this ratio. A low ratio means that the transactions were well distributed across the domains visited within that TLD. A ratio of 1:1 for example means that there was essentially 1 web transaction per unique domain visited. A very high ratio would indicate that there were a large number of transactions to one or more of the unique domains visited - suggesting that one or more popular domains dominated customer usage of that particular TLD.

By sifting through the records for the high-ratio results, some interesting information can be discovered. In some cases, high-ratios were caused by numerous transactions to a popular site or service, such as a popular social networking site in a particular ccTLD. However, high-ratios may also represent malicious command and control (C&C) or information drop servers that have a large number of transactions beaconing to them.

An example of a TLD that bubbled to the top was .LY. This domain had more than double the monthly ratio value of .COM. This high-ratio is explained by the TLD being relatively unpopular for our customers in terms of unique domains visited, but having a large number of transactions to a popular domain: BIT.LY, a URL shortening service.

Another TLD, .NU, had more than double the monthly ratio of .LY. After conducting analysis on the results, I detected that there were several customers beaconing to a .NU site over HTTP on port 53/TCP (generally used for DNS). Upon further investigation the customers were infected with a previously undetected variant of the Win32.PcClient Backdoor. The full research report of the detection methodology and incident analysis can be read HERE.
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.