CANCUN–Attackers have long used distributed denial of service attacks to knock domain-name servers offline but over the last several months malware creators have taken to using DNS requests to tunnel stolen data.
Jaime Blasco, vice president and chief scientist at AlienVault, showed a handful of real malware samples that are using this technique at the Kaspersky Lab Security Analyst Summit Tuesday.
Blasco, who’s identified suspicious domains before, took the crowd through the motions by discussing some tools to use: NSTX, OzymanDNS, Iodine and perhaps the best known, DNScat. The apps allow users to upload files, run shells, and powershell scripts to download other payloads to use within attacks.
For the attack, Blasco described how there has to be an upstream channel which has a fully qualified domain name (FQDN) that has a minimum label length of 63 octets and a maximum domain length of 255 octets. The downstream channel can store a handful of different files in the: TXT records, CNAME records, NULL records and on occasion AAAA records.
As part of an experiment Blasco and company found 50 million files that contained traffic, threw it into a parser and found that many malware samples store a URL in a TXT file and tell it which piece of spyware or malware to deploy.
“There’s a bunch of software that are using DNS in a weird way,” Blasco said.
One of the types of malware they found, FeederBot, was using base64 to encode and had an RC4 encrypted payload. Others used base64 and XOR.
Blasco also stumbled upon FrameworkPOS, a fairly recent POS malware variant that was curiously spotted using DNS, although he believes the creators were either testing it out to allow DNS or had access to a company that used it. Morto, a worm that’s been around for a while and PlugX, a remote administration tool that’s existed in some incarnation since 2008, but has been making a return as of late, also turned up.
Blasco said that since outbound DNS is usually allowed on corporate networks, many attackers have used it and avoided detection with a simple network protector like MyDLP. Anomalies in DNS traffic, like large content in TXT or NULL records, or a spike in DNS queries, or queries with long domains and subdomains are signs that something fishy might be afoot with a system’s DNS requests, he said.