Researchers from the Georgia Institute of Technology have developed a prototype tool called ExecScent that identifies malware traffic connecting to command and control (C&C) servers. According to the reports, ExecScent discovered hundreds of infected hosts that were not previously known. The tool uses what it learns from known C&C communications to separate malicious traffic from benign traffic.
If the tool works as described and becomes available to security researchers, it could be a game changer against the many botnets sitting in the wild. It may eventually lead to an enterprise product; time will tell.
The prototype was presented at USENIX Security ’13 in the paper “ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates” by Terry Nelms (Damballa, Inc. and Georgia Institute of Technology), Roberto Perdisci (University of Georgia and Georgia Institute of Technology) and Mustaque Ahamad (Georgia Institute of Technology and New York University Abu Dhabi).
As per Georgia Tech: “The team presented ExecScent, a novel system that aims to mine new, previously unknown C&C domain names from live enterprise network traffic. ExecScent automatically learns control protocol templates (CPTs) from examples of known C&C communications. These CPTs are then adapted to the “background traffic” of the network where the templates are to be deployed. The goal is to generate hybrid templates that can self-tune to each specific deployment scenario, thus yielding a better trade-off between true and false positives for a given network environment. To the best of our knowledge, ExecScent is the first system to use this type of adaptive C&C traffic model.
We implemented a prototype version of ExecScent, and deployed it in three different large networks for a period of two weeks. During the deployment, we discovered many new, previously unknown C&C domains and hundreds of new infected machines, compared to using a large up-to-date commercial C&C domain blacklist. Furthermore, we deployed the new C&C domains mined by ExecScent to six large ISP networks, discovering more than 25,000 new infected machines.”
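To make the “learn a template, then adapt it to background traffic” idea concrete, here is a small added illustration written for this post; it is not ExecScent’s code and only sketches the approach. It assumes requests reduced to host, path, query-parameter keys and User-Agent, with constructed sample traffic, a toy template learner that wildcards digit runs in the path, and an adaptive step that down-weights any template component that is common in the deployment’s benign traffic.

```python
import re

# Constructed sample traffic (not from the paper), reduced to the components the toy CPT uses:
# destination host, URL path, query-parameter keys and User-Agent.
MSIE = "Mozilla/4.0 (compatible; MSIE 6.0)"
KNOWN_CC = [  # known C&C requests to blacklisted domains (constructed)
    {"host": "c2-a.example", "path": "/bot17/gate.php", "params": ("id", "cmd"), "ua": MSIE},
    {"host": "c2-b.example", "path": "/bot42/gate.php", "params": ("id", "cmd"), "ua": MSIE},
]
BACKGROUND = [  # benign traffic of the network where the template will be deployed (constructed)
    {"host": "www.example", "path": "/index.html", "params": (), "ua": "Mozilla/5.0 Chrome"},
    {"host": "www.example", "path": "/search", "params": ("q",), "ua": "Mozilla/5.0 Chrome"},
    {"host": "legacy.example", "path": "/app.php", "params": ("id", "cmd"), "ua": "Mozilla/5.0 Firefox"},
    {"host": "portal.example", "path": "/portal", "params": (), "ua": MSIE},
    {"host": "portal.example", "path": "/home", "params": (), "ua": MSIE},
]
LIVE = [  # new traffic to inspect; none of these hosts is on the blacklist (constructed)
    {"host": "unknown-1.example", "path": "/bot99/gate.php", "params": ("cmd", "id"), "ua": MSIE},
    {"host": "legacy.example", "path": "/app.php", "params": ("id", "cmd"), "ua": MSIE},
    {"host": "portal.example", "path": "/home", "params": (), "ua": MSIE},
]

def generalise_path(path):
    """Turn a path into a regex with digit runs wildcarded, so /bot17/ and /bot42/ collapse."""
    return "^" + re.sub(r"\d+", r"\\d+", re.escape(path)) + "$"

def learn_template(examples):
    """Learn one CPT from known C&C requests: path regex, param-key set and User-Agent."""
    paths = {generalise_path(e["path"]) for e in examples}
    assert len(paths) == 1, "this toy learner handles one C&C family at a time"
    return {"path": paths.pop(), "params": frozenset(examples[0]["params"]), "ua": examples[0]["ua"]}

def matches(template, req):
    """Per-component match of a request against the template."""
    return {"path": re.match(template["path"], req["path"]) is not None,
            "params": frozenset(req["params"]) == template["params"],
            "ua": req["ua"] == template["ua"]}

def adapt_weights(template, background):
    """Adaptive step: weight each component by how rare it is in the deployment's benign traffic."""
    hits = {k: 0 for k in ("path", "params", "ua")}
    for req in background:
        for k, hit in matches(template, req).items():
            hits[k] += hit
    return {k: 1 - hits[k] / len(background) for k in hits}

def score(template, weights, req):
    """Weighted fraction of matching components, in [0, 1]."""
    m = matches(template, req)
    return sum(weights[k] for k in m if m[k]) / sum(weights.values())

def flag_hosts(template, weights, traffic, threshold=0.6):
    """Hosts whose requests score at least the threshold: candidate new C&C domains."""
    return sorted({r["host"] for r in traffic if score(template, weights, r) >= threshold})
```

With uniform weights instead of the adapted ones, legacy.example (a benign host that happens to share the parameter names and User-Agent) would also be flagged; the adaptive step is what removes that false positive while still flagging unknown-1.example.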