Palo Alto IDs another C&C-over-DNS attack

Palo Alto Networks researchers say the Webky group is using DNS (domain name system) requests as their command and control channel. The reason that's important is that DNS is one of those ports that's less heavily policed than (for example) Port 80. The Palo Alto post (by Josh Grunzweig, Mike Scott and Bryan Lee) says the …

  1. AustinTX
    Boffin

    Probably trivial to protect against

    This 'attack' seems to rely on the malware using a DNS server of its choice. Lots of SOHO routers have a feature to transparently grab outgoing SMTP and redirect it to a preferred one. Especially if those routers have "captive portal" (à la free hotspot) or "guest" features. It should be pretty simple to redirect all of the outgoing DNS traffic, too. In fact, the "for pay hotspots" have this feature by default. A legitimate DNS server will either reject or ignore the C&C strings.

  2. Gimme Badge

    Probably not

    I think the point is that the DNS requests are just for normal TXT type records, and so unless you are actively scanning for naughtiness in the responses or blocking the DNS servers in question you are vulnerable.

    Probably the best solution would be to stop user side machines from being able to look up TXT records altogether; I can't, off the top of my head, think of any reason that they would need to, but I'm sure someone will be along shortly to educate me :-)

    1. Preston Munchensonton
      Boffin

      Re: Probably not

      The most prominent example in my mind would be DKIM, but that's not so commonplace that it's worth preserving to me.

      It shouldn't come as a shock that intrepid hackers are using DNS this way. This was the intention of RFC 1464 originally, though the malicious intent is new.

  3. Aodhhan

    DNS

    I hinted at this yesterday. DNS is a fantastic method of moving information into and out of a compromised server because it bypasses ALL SECURITY on a network. I've used it many times when penetration testing. It compounds the problem when all the DNS servers in an enterprise pass information back and forth to each other. It lets a hacker pivot to so many other different devices and servers in a network.

    Even if you set DNS up correctly and securely (including encryption)... you can always get someone to open up a phishing email to start running things with their privileges/credentials (so encryption is now moot) and then pass the info back/forth via DNS. Info, including... DoS or C&C info. Again... bypassing all security devices. A savvy hacker will encrypt the communications to make it even more difficult to notice.

    I loved how I got thumbs down yesterday for telling people (individual users) they're nuts if they run their own DNS servers at home. To protect DNS takes more than a typical SOHO firewall/security device. If you run a DNS server out of your home, you have a pretty sizeable security hole you cannot fix cheaply.

    1. Tom Paine

      Re: DNS

      DNS is a fantastic method of moving information into and out of a compromised server because it bypasses ALL SECURITY on a network

      ...unless you're piping your DNS logs into a halfway decent SIEM backend datastore, of course. I've only seen that in really large enterprises though. Or doing https://uk.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152. Or if the DNS traffic generation activity is picked up by whatever endpoint protection you have in place. Or if the malware that does it is spotted and blocked by traditional AV, or by next-gen pop-the-attachment-in-a-sandbox malware defence systems. And so on and so forth.
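As an added illustration of the log-based detection this reply points at (example code written for this page, not from any commenter or from Palo Alto Networks), the script below scores constructed DNS query log lines per client and registered domain, flagging the combination the thread describes: a burst of TXT queries to one domain, each with a distinct, high-entropy leftmost label. The log format, the `c2-placeholder.test` domain and the thresholds are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines (time, client, query type, queried name); not real traffic.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A mail.example.com
10:00:03 10.0.0.7 TXT 4a6f686e20446f65.c2-placeholder.test
10:00:04 10.0.0.7 TXT 9f8e7d6c5b4a3928.c2-placeholder.test
10:00:05 10.0.0.7 TXT 0011aabbccddeeff.c2-placeholder.test
10:00:06 10.0.0.7 TXT 1234abcd5678ef90.c2-placeholder.test
10:00:07 10.0.0.5 TXT _dmarc.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character; hex/base32-encoded payload labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Naive: last two labels. A real deployment should use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_dns_log(log_text, min_queries=3, entropy_threshold=3.0):
    """Flag (client, domain) pairs that look like TXT-based tunnelling: enough queries, every subdomain unique, high average entropy, mostly TXT."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "subdomains": set(), "entropies": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip malformed lines rather than crash the detector
            continue
        _ts, client, qtype, qname = m.groups()
        key = (client, registered_domain(qname))
        st = stats[key]
        st["total"] += 1
        st["txt"] += qtype.upper() == "TXT"
        leftmost = qname.split(".")[0]  # the label a tunnel would stuff data into
        st["subdomains"].add(leftmost)
        st["entropies"].append(shannon_entropy(leftmost))
    flagged = []
    for (client, domain), st in stats.items():
        avg_entropy = sum(st["entropies"]) / len(st["entropies"])
        txt_ratio = st["txt"] / st["total"]
        if st["total"] >= min_queries and avg_entropy >= entropy_threshold and txt_ratio > 0.5 and len(st["subdomains"]) == st["total"]:
            flagged.append({"client": client, "domain": domain, "queries": st["total"], "avg_entropy": round(avg_entropy, 2)})
    return flagged
```

Legitimate TXT lookups such as `_dmarc.example.com` stay below the thresholds because they are few, low-entropy and mixed in with ordinary A queries from the same client.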

  4. Bob Hoskins

    Nothing new

    You don't need TXT records to graft C2 to DNS. Just use a fake DNS server as authoritative for the domain and use A records.
