Domainator: Detecting and Identifying DNS-Tunneling Malware Using Metadata Sequences
Denis Petrov, Pascal Ruffing, Sebastian Zillien, Steffen Wendzel

TL;DR
Domainator is a novel method that detects and differentiates DNS-tunneling malware by analyzing metadata sequences, enabling identification and behavioral inference without relying on easily altered features.
Contribution
It introduces a sequence pattern analysis approach for malware detection and differentiation based on DNS tunneling traffic, surpassing traditional feature-based methods.
Findings
Successfully identified 7 malware samples and tunneling tools.
Able to infer malware behavior from DNS tunneling artifacts.
Outperforms related detection methods.
Abstract
In recent years, malware with tunneling (or: covert channel) capabilities has been on the rise. While malware research has led to several methods and innovations, the detection and differentiation of malware solely based on its DNS tunneling features is still in its infancy. Moreover, no work so far has used DNS tunneling traffic to gain knowledge of the current actions taken by the malware. In this paper, we present Domainator, an approach to detect and differentiate state-of-the-art malware and DNS tunneling tools without relying on trivial (but quickly altered) features such as "magic bytes" that are embedded into subdomains. Instead, we apply an analysis of sequential patterns to identify specific types of malware. We evaluate our approach with 7 different malware samples and tunneling tools and can identify the particular malware based on its DNS traffic. We further infer the rough…
