[MART] - Daily Diary #391 - DNS Tunneling

CTAS-MAT ctas-mat at appgate.com
Tue Nov 16 21:02:10 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

11/16/2021 - Diary entry #391

Today we are going to talk about a technique heavily used by rootkit malware to disguise its network connections: DNS tunneling.

DNS queries are made by almost every computer connected to the internet. Simplifying, DNS works as a hierarchical, decentralized name database. When you try to access a domain, let's say google.com, your system sends a DNS query to its DNS server to retrieve the IP address for that domain. If that DNS server doesn't know the domain, it asks another DNS server higher in the hierarchy, and so on, until the domain's IP address is found or everyone in the hierarchy answers that the domain is unknown. That process is what we call DNS resolution. One important factor in DNS resolution is the hierarchy: if you try to resolve a sub-domain, the DNS query is delegated to the name servers of the parent domain. For instance, when you resolve mail.google.com, the resolver asks the DNS servers for google.com where mail.google.com is.

This explanation is very condensed, but it gives an idea of how DNS resolution works. Malware has abused DNS resolution to communicate stealthily since the early 2000s, and it remains in use today, especially by rootkits. By crafting special DNS requests for domains it controls, the malware never opens a connection to the malicious server directly; it makes an ordinary request to the machine's already trusted DNS server, and the packets reach the malicious server once that DNS server tries to resolve the domain.

As an example, one sample analyzed by our team used DNS tunneling to exfiltrate data by placing chunks of data in the sub-domain and making several requests, like 0.<chunk0>.domain.com, 1.<chunk1>.domain.com, and so on. On the C&C side, it only needs to order the DNS requests by index to reconstruct the original file, all without opening a connection to the attacker's server directly, which makes it much harder to block with simple firewall solutions.

Kind Regards,




Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
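The indexed-chunk exfiltration pattern described in the diary entry leaves a recognizable footprint in resolver logs: many distinct query names under one domain, a numeric index as the leftmost label, and high-entropy encoded labels. The following detector is an added example, not code from the original post or from Appgate; the log lines, the domain badexample.test, and the thresholds are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (not from the original post): "<time> <client> <qname>".
# The last four lines imitate the indexed-chunk pattern the diary entry describes.
SAMPLE_LOG = """\
2021-11-16T20:58:01Z 10.0.0.12 mail.google.com
2021-11-16T20:58:02Z 10.0.0.12 www.appgate.com
2021-11-16T20:58:03Z 10.0.0.15 0.aGVsbG8gd29y.badexample.test
2021-11-16T20:58:03Z 10.0.0.15 1.bGQgdGhpcyBp.badexample.test
2021-11-16T20:58:04Z 10.0.0.15 2.cyBzZWNyZXQh.badexample.test
2021-11-16T20:58:04Z 10.0.0.15 3.ZGF0YSBsZWFr.badexample.test
"""

# "<index>.<encoded chunk>." at the left edge of the query name.
INDEXED_CHUNK = re.compile(r"^\d+\.[A-Za-z0-9_-]{8,}\.")

def shannon_entropy(s):
    """Bits per character; encoded chunks score well above dictionary words."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def analyze(log_text, min_unique=3, min_entropy=3.0):
    """Return {domain: [reasons]} for domains whose queries look like tunneling.
    Domain is simplified to the last two labels; use the Public Suffix List in production."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].rstrip(".")
        domain = ".".join(qname.lower().split(".")[-2:])
        per_domain[domain].add(qname)
    findings = {}
    for domain, qnames in per_domain.items():
        reasons = []
        if len(qnames) >= min_unique:
            reasons.append(f"{len(qnames)} distinct query names")
        indexed = sum(1 for q in qnames if INDEXED_CHUNK.match(q))
        if indexed >= min_unique:
            reasons.append(f"{indexed} indexed-chunk labels")
        prefixes = [q[: -len(domain) - 1] for q in qnames]  # strip ".<domain>"
        mean_entropy = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if mean_entropy >= min_entropy:
            reasons.append(f"mean prefix entropy {mean_entropy:.2f} bits/char")
        if len(reasons) >= 2:  # require two independent signals to cut noise
            findings[domain] = reasons
    return findings
```

Running analyze(SAMPLE_LOG) flags only badexample.test, with all three signals; the ordinary google.com and appgate.com lookups produce no finding.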
