Malware Authors Turn to DNS Protocol as a Covert Channel

Written by

Malware authors are using a new technique to keep their communications covert and evade detection: abusing the DNS protocol.

According to Fidelis Security, DNS command and control (C&C) and DNS exfiltration can be successful because DNS is an integral part of the internet's infrastructure. Most traffic analyzers don’t look at how the DNS protocol itself is being used, which provides an opportunity for a victim machine to communicate with the bad actor’s C&C server, often without even creating a continuous connection between the two. It’s not just theoretical either: Some malware is already using DNS in such ways, including the WTimeRAT and the Ismdoor Trojan, which was linked to the Shamoon campaign.

There are several ways criminals can use DNS as a covert channel for data transfer. For instance, an attacker could write code that can “sniff” specific DNS data coming from an infected host, so that there's no need to send the data to a specific domain. The attacker needs only to choose an encoding method and a way to pick out the data from the rest of DNS traffic.

In another example, an attacker could register a domain and configure a DNS server so that it will hold the registered domain records it receives.

“Every time the victim (or anyone on the internet) sends a sub-domain query for a host that belongs to the registered domain, the query eventually will be delivered to the attacker’s DNS server,” explained researchers in a blog. “The data sent from the client (infected machine) goes through the DNS hierarchy, and no direct connection is made between it and the [C&C server]. In short, DNS is used as a proxy between the bot and its operator.”

DNS data transfer could be picked up if the operator were monitoring for an anomalous number of requests being made in a short time; however, Fidelis researchers pointed out that a careful attacker can quite easily work around it by pacing the request rate.

“Of course, for large data exfiltration this will take a lot longer and hardly practical, but for C&C operations its quite feasible,” they said.

What’s hot on Infosecurity Magazine?