Mobile devices have become widespread and are now the most used piece of technology. Due to their characteristics, they have become major targets for botnet-related malware. FluBot is one example of botnet malware that infects mobile devices. In particular, FluBot is a DNS-based botnet that uses Domain Generation Algorithms (DGA) to establish communication with its Command and Control (C2) server. MONDEO is a multistage mechanism with a flexible design for detecting DNS-based botnet malware. MONDEO is lightweight and can be deployed without installing software, agents, or configuration on mobile devices, allowing easy integration into core networks. MONDEO comprises four detection stages: Blacklisting/Whitelisting, Query rate analysis, DGA analysis, and Machine learning evaluation. It was created with the goal of processing streams of packets to identify attacks with high efficiency across the distinct stages. MONDEO was tested against several datasets to measure its efficiency and performance, achieving high performance with RandomForest classifiers. The implementation is available on GitHub.
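The four-stage flow the abstract describes, as an added Python example that is not the MONDEO implementation: constructed DNS query records pass through a blocklist/allowlist lookup, a per-source query-rate check, lexical DGA feature extraction and a final scoring stage. The lists, the window and threshold, the feature set and the hand-set linear rule standing in for the paper's RandomForest are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query stream: (time_ms, source_ip, queried_name).
SAMPLE_QUERIES = [(0, "10.0.0.5", "www.example.com"), (400, "10.0.0.5", "mail.example.org"),
                  (700, "10.0.0.5", "portal.university.test"), (900, "10.0.0.9", "known-bad.test"),
                  (1200, "10.0.0.7", "xq7v9zk2lp4wdh8t.top")]
# One host issuing 30 generated-looking names in 1.5 s, as a DGA lookup loop would.
SAMPLE_QUERIES += [(2000 + i * 50, "10.0.0.7", f"a{i:02d}b{i * 7:03d}c.xyz") for i in range(30)]
ALLOWLIST, BLOCKLIST = {"example.com", "example.org"}, {"known-bad.test"}  # constructed lists

def registered_domain(name):
    """Naive eTLD+1: the last two labels (no public-suffix list; an assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def stage_lists(name):
    """Stage 1: blocklist/allowlist lookup; None means the stage is undecided."""
    dom = registered_domain(name)
    return "malicious" if dom in BLOCKLIST else "benign" if dom in ALLOWLIST else None

def stage_rate(times, now, window_ms=1000, threshold=20):
    """Stage 2: sliding-window query rate per source; flag if more than threshold."""
    times[:] = [t for t in times if now - t <= window_ms] + [now]
    return len(times) > threshold

def dga_features(name):
    """Stage 3: lexical features of the second-level label (entropy, digit and vowel ratio)."""
    label = registered_domain(name).split(".")[0]
    probs = [label.count(c) / len(label) for c in set(label)]
    return {"len": len(label), "entropy": -sum(p * math.log2(p) for p in probs),
            "digits": sum(c.isdigit() for c in label) / len(label),
            "vowels": sum(c in "aeiou" for c in label) / len(label)}

def stage_ml(f):
    """Stage 4: a hand-set linear rule stands in (assumption) for the paper's RandomForest."""
    return 0.25 * f["entropy"] + 2 * f["digits"] - 2 * f["vowels"] + 0.05 * f["len"] > 1.0

def classify_stream(queries):
    """Pass each query through the stages in order; the first decisive stage wins.
    Returns {source_ip: {name: (verdict, deciding_stage)}}."""
    verdicts, recent = {}, defaultdict(list)
    for t, src, name in queries:
        decision, stage = stage_lists(name), "lists"
        if decision is None and stage_rate(recent[src], t):
            decision, stage = "malicious", "rate"
        if decision is None:
            decision, stage = ("malicious" if stage_ml(dga_features(name)) else "benign"), "ml"
        verdicts.setdefault(src, {})[name] = (decision, stage)
    return verdicts
```

Queries already settled by the lists do not count toward a source's rate, so a chatty but allowlisted client is not flagged; the 21st unlisted query inside one second from 10.0.0.7 is decided by the rate stage before any lexical analysis runs.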