Hiding fast flux botnet in plain email sight

Abstract

Fast flux and domain flux are widely used evasion techniques for concealing a botnet's C&C server, but machine-learning schemes that recognize and detect fluxing botnets automatically and effectively are increasingly common. In this paper we propose a novel fluxing scheme, email flux, that hides the C&C server in plain email sight by blending in with normal email communication. Because email servers enjoy an excellent reputation, the malicious traffic is more likely to get lost in the legitimate email crowd, and DNS-based botnet detection schemes therefore have difficulty detecting an email flux botnet. Compared with the cost of registering a public IP address or a domain, the cost of registering an email account is much lower, and an email account reveals less geolocation information. We also introduce an asymmetric-encryption strategy to fortify the DGA, preventing adversaries from taking down the botnet by registering the generated email accounts before the bot master does. Finally, we discuss possible countermeasures for mitigating email flux.
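The abstract's claim that an asymmetric-key scheme defeats pre-registration is worth seeing concretely. The following is an added model written for this page, not code from the paper or its authors; the paper's actual DGA, key scheme and message format are not on this page, so the mailbox-derivation rule, the Ed25519 choice, the placeholder domains and the command strings are all assumptions. It shows the trust decision a bot would make: a defender can compute the same account list as the bots and register those mailboxes first, but without the bot master's private key any command they place there fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Hypothetical DGA: derive the day's mailbox names from a seed shared by the
// bots and the bot master. Anyone who recovers the seed (a defender included)
// can compute the same list, which is exactly why prediction alone is not
// enough to sinkhole the scheme. The domains are placeholders, not providers.
func dgaAccounts(seed string, day time.Time, n int) []string {
	providers := []string{"example.com", "example.net"}
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", seed, day.Format("2006-01-02"), i)))
		out = append(out, hex.EncodeToString(h[:])[:12]+"@"+providers[i%len(providers)])
	}
	return out
}

// A command as it would sit in an email body: the mailbox it was read from,
// the payload, and a detached signature over the payload.
type Command struct {
	Mailbox   string
	Payload   []byte
	Signature []byte
}

// Bot master side: sign with a private key that never leaves the operator.
func signCommand(priv ed25519.PrivateKey, mailbox string, payload []byte) Command {
	return Command{Mailbox: mailbox, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Bot side: the mailbox must be one of today's DGA accounts, and the payload
// must verify under the public key compiled into the bot. Who actually
// controls the mailbox never enters the decision.
func botAccepts(pub ed25519.PublicKey, today []string, c Command) bool {
	known := false
	for _, m := range today {
		if m == c.Mailbox {
			known = true
			break
		}
	}
	return known && len(c.Signature) == ed25519.SignatureSize && ed25519.Verify(pub, c.Payload, c.Signature)
}

// Scenario: the bot master posts a real command, and a defender who
// pre-registered the very same predicted mailbox posts a forged one.
// Returns (bot master's command accepted, defender's command accepted).
func sinkholeScenario() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)        // bot master's keypair
	_, defenderPriv, _ := ed25519.GenerateKey(rand.Reader) // defender has no access to priv
	day := time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)     // constructed date
	today := dgaAccounts("constructed-seed", day, 4)

	real := signCommand(priv, today[0], []byte("update beacon-interval 3600"))
	fake := signCommand(defenderPriv, today[0], []byte("uninstall"))
	return botAccepts(pub, today, real), botAccepts(pub, today, fake)
}

func main() {
	day := time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("today's mailboxes:", dgaAccounts("constructed-seed", day, 4))
	ok, sink := sinkholeScenario()
	fmt.Printf("bot master command accepted: %v, defender command accepted: %v\n", ok, sink)
}
```

The practical consequence for defenders follows directly from the model: registering the predicted mailboxes denies the bot master those accounts for that day but yields no control over the bots, so a takedown has to target the key material, the seed-to-mailbox mapping, or the mail traffic itself rather than the accounts.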

APA

Wang, Z., Qin, M., Chen, M., & Jia, C. (2018). Hiding fast flux botnet in plain email sight. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 239, pp. 182–197). Springer Verlag. https://doi.org/10.1007/978-3-319-78816-6_14
