Malware Authors Turn to DNS Protocol as a Covert Channel

[LASER_oneXM]

Malware authors are using a new technique to keep their communications covert and evade detection: abusing the DNS protocol.

According to Fidelis Security, DNS command and control (C&C) and DNS exfiltration can be successful because DNS is an integral part of the internet's infrastructure. Most traffic analyzers don’t look at how the DNS protocol itself is being used, which provides an opportunity for a victim machine to communicate with the bad actor’s C&C server, often without even creating a continuous connection between the two. It’s not just theoretical either: Some malware is already using DNS in such ways, including the WTimeRAT and the Ismdoor Trojan, which was linked to the Shamoon campaign.

There are several ways criminals can use DNS as a covert channel for data transfer. For instance, an attacker could write code that can “sniff” specific DNS data coming from an infected host, so that there's no need to send the data to a specific domain. The attacker needs only to choose an encoding method and a way to pick out the data from the rest of DNS traffic.


In another example, an attacker could register a domain and configure a DNS server so that it will hold the registered domain records it receives.

 

[ForgottenSeer 58943]

Correction to this. MOST appliances do examine and qualify DNS traffic now. This hole was plugged quite a few years back by many vendors, including Fortinet. DNS inspection (Port 53 DPI) is now enabled for most devices by default. These appliances are designed to examine DNS traffic for malformed/mangled/ surreptitious DNS traffic.

It's easy to test. Install a VPN that can use Port 53(DNS) for VPN activity then fire up the VPN. Does the traffic get detected? If yes, then your appliance is detecting Port 53 abuse. If not, then you should check your appliance for DNS bypass exclusions and/or DNS inspection policies. Then add to this, MOST IPS has DNS malformation rules. Including SNORT for PfSense, Untangle, etc. Which usually spots DNS malformation/manipulation (Port 53).

So this is really only a problem for consumers or businesses that cheap out on their security/IT. The first DNS malformation malware we've spotted goes back over a decade, so what's the excuse, right?

 

[128BPM]

I hope that Fortinet to develop devices for home networks.
That is, in the price range for domestic users.