Malware Authors Turn to DNS Protocol as a Covert Channel

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Malware authors are using a new technique to keep their communications covert and evade detection: abusing the DNS protocol.

According to Fidelis Security, DNS command and control (C&C) and DNS exfiltration can be successful because DNS is an integral part of the internet's infrastructure. Most traffic analyzers don’t look at how the DNS protocol itself is being used, which provides an opportunity for a victim machine to communicate with the bad actor’s C&C server, often without even creating a continuous connection between the two. It’s not just theoretical either: Some malware is already using DNS in such ways, including the WTimeRAT and the Ismdoor Trojan, which was linked to the Shamoon campaign.

There are several ways criminals can use DNS as a covert channel for data transfer. For instance, an attacker could write code that can “sniff” specific DNS data coming from an infected host, so that there's no need to send the data to a specific domain. The attacker needs only to choose an encoding method and a way to pick out the data from the rest of DNS traffic.


In another example, an attacker could register a domain and configure a DNS server so that it will hold the registered domain records it receives.
Click to expand...
 
  • Like
Reactions: Faybert, Sunshine-boy and harlan4096
F

ForgottenSeer 58943


Correction to this. MOST appliances do examine and qualify DNS traffic now. This hole was plugged quite a few years back by many vendors, including Fortinet. DNS inspection (Port 53 DPI) is now enabled for most devices by default. These appliances are designed to examine DNS traffic for malformed/mangled/ surreptitious DNS traffic.

It's easy to test. Install a VPN that can use Port 53(DNS) for VPN activity then fire up the VPN. Does the traffic get detected? If yes, then your appliance is detecting Port 53 abuse. If not, then you should check your appliance for DNS bypass exclusions and/or DNS inspection policies. Then add to this, MOST IPS has DNS malformation rules. Including SNORT for PfSense, Untangle, etc. Which usually spots DNS malformation/manipulation (Port 53).

So this is really only a problem for consumers or businesses that cheap out on their security/IT. The first DNS malformation malware we've spotted goes back over a decade, so what's the excuse, right?
 
  • Like
Reactions: upnorth, Sunshine-boy and LASER_oneXM
1

128BPM

Level 2
Verified
Feb 21, 2018
90
I hope that Fortinet to develop devices for home networks.
That is, in the price range for domestic users.
 
You must log in or register to reply here.

Similar threads

X195
    • Like
Advice Request Help needed with DNS configuration
Replies
15
Views
984
AdGuard
Chuck57
Chuck57
Gandalf_The_Grey
    • Like
    • +Reputation
    • Wow
Security News KeyTrap attack: Internet access disrupted with one DNS packet
Replies
0
Views
1,102
Security News
Gandalf_The_Grey
Gandalf_The_Grey
silversurfer
    • Like
ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC
Replies
0
Views
1,225
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top