MIAMI BEACH–The security teams that have to defend enterprise networks are faced with a broad and deep threat landscape populated with all manner of malware and targeted attacks. Those teams often have to react quickly to new threats, well before vendors respond with new technologies. By the look of things on the offensive side of the ball, much of which is on display at the Infiltrate conference here, things are not likely to get any easier for network defenders anytime soon.

The ability to adapt quickly to new kinds of threats is an essential part of the defender’s job these days, but the difficulty is that it’s a constantly moving target. Once a new threat or kind of malware emerges and security teams begin to react, it doesn’t take much for the attackers to modify their techniques and bypass whatever new defenses have been put in place. Some of these changes don’t take much doing, but in other cases there are entirely new techniques on the horizon that look like they could change things for some time to come.

One example is an attack described at Infiltrate by Alberto Garcia Illera, a secuity researcher and penetration tester from Spain, who detailed a method for using the DNS protocol as a method for not just communicating with malware on an infected machine, but also for getting the malware onto the machine in the first place and then to exfiltrate the stolen data later in the operation. This technique offers a number of advantages for the attacker, most notably the luxury of a huge target base. Unlike some other services or protocols, DNS is enabled everywhere.

“DNS is almost always allowed. Every machine has a tool to do make DNS requests,” Illera said.

Once an attacker has gotten an initial foothold onto a target machine, whether through a trigger in a spear-phishing email or some other technique, he can use Illera’s tactic to reach out to a third-party DNS server the attacker controls. The request can be split into many individual pieces, each of which requests a portion of the malware, which is then assembled on the target machine. This can be done through the use of a script, Illera said.

Once on the machine, the malware, which Illera refers to generically as a DNS RAT, continues to use DNS as the communication channel to stay in touch with the remote server and receive commands. Illera said that the tool he built is completely customizable and new modules can be built as needed.

In addition to Illera’s talk, a pair of researchers also showed off a new technique they developed that allows them to embed a specially crafted TrueType font into an Office document and exploit a vulnerability to gain control of a vulnerable machine. Lee Yee Chan and Ling Chuan Lee discussed their work on fuzzing TrueType fonts and then showed how a vulnerability they discovered during this process could be used for local privilege escalation on Windows 8 machines.

These are not the kind of attack vectors that most enterprise security teams are used to dealing with, and they may just be the surface of what’s happening in both the legitimate and underground research communities. Defenders will adapt, as they always do, and the researchers and attackers will then counter, as they always do.

Categories: Malware

Comments (2)

  1. Anonymous

    Gee, defenders have adapted a long time ago with split-DNS. The need of transfering the 2nd stage of the attack via DNS is also very seldom, e.g. if there’s a size limit in initial exploit. Finally there’s a metasploit payload which does exactly that: reverse_tcp_dns, so nothing new here, move on.

  2. Anonymous

    The Alberto speek was not impressive becuse of the use of DNS. It was impressive because he developed a modular RAT that anyone can use to create your own malware in a couple of hours using his framework. In addition he explains the use of DNSSEC to comunicate with the infected system and do everything anonymously.

    His talk was one of the best that I saw in Infiltrate.

Comments are closed.