As part of my Ph.D. I’ve been looking at existing DNS-based covert channels in order to profile their behaviours with a view to developing a detector or filter. I have examined a few variations including DNScat and IODINE. Both of these implementations are fairly robust but IODINE is the more complete and reliable of the tools that are out in the public domain at the moment. The real-time detector shown in the video clip was developed by analysing IODINE traffic and writing a relatively lightweight detector in Python using Scapy and Matplotlib.
Malware that relies on command & control (C2) communications belongs to a family of attacks known as Advanced Persistent Threats (APTs). Cyber criminals use techniques such as spear phishing campaigns in order to infect targeted systems with APTs. Once installed, APTs attempt to move laterally within the targeted system to find valuable information that can be exfiltrated for profit or disruption. The C2 and data exfiltration stages of an APT attack generate the most noise in terms of network traffic. Therefore, APTs usually employ sophisticated techniques to hide these forms of communication. C2 communications are essential to the success of an APT as they allow for
- confirmation of system breach and frequent beacon messages,
- information gathering about the breached network and host machines,
- communication with malware within the compromised network,
- forwarding instructions to download second stage malware,
- data exfiltration.
C2 communications can employ many different techniques in order to hide their existence. Malware research has shown that network protocols such as HTTP, IRC and even social media channels such as Twitter have been used to carry C2 traffic in a covert manner. DNS is an interesting covert channel choice because almost all other network traffic depends on it and DNS is very rarely blocked by firewalls. As DNS is a connectionless protocol that works over UDP port 53, most DNS-based covert channels employ a polling technique to keep a channel open and to ensure that the C2 server is alive. The polling usually takes the form of a DNS request that eventually resolves to an authoritative server, which in turn replies to the DNS request to signify that it is alive. IODINE and DNScat are set up to ping their servers at default intervals. IODINE defaults to a 4-second interval and DNScat defaults to a 1-second interval, but both pieces of software allow the default interval to be set by the user. This part of my project has focused on the fact that DNS-based covert channels depend on this polling technique. I like to think of the polling between the infected host and server as a “heartbeat”. If the heartbeat can be detected then it may be possible to block the covert channel before a malicious actor gets the chance to exfiltrate valuable data.
The video clip above is a recording of my heartbeat detector picking up pings from an IODINE client communicating back to its server. My software records the deltas between DNS requests and stores each delta along with the requested domain name and its frequency in a hash table. It works on a sliding sample window that can be set by the user. The sliding sample window allows the user to control the granularity of the detection. This technique is relatively lightweight in that it doesn’t carry out any deep packet analysis or character frequency/entropy analysis of the queried domain name. The principle behind the technique is simple: human-generated DNS traffic should not exhibit a periodic nature. So DNS requests that are found to have a periodic nature over time should be cause for concern. The code was written in Python with Scapy, and I used Matplotlib for the graph.
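As an added illustration (not the detector code from this post), the core of the technique in plain Python: per-domain inter-query deltas kept in a sliding window and bucketed in a frequency table, with a domain flagged when one delta dominates. It runs over a constructed list of (timestamp, query name) pairs instead of a live Scapy capture; grouping on the last two labels and the threshold values are assumptions for the example.

```python
from collections import Counter, defaultdict, deque

def base_domain(qname):
    # Assumption: the last two labels approximate the zone the tunnel server is
    # authoritative for; IODINE-style tunnels encode data in the labels left of it.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def detect_heartbeats(events, window_s=60.0, bucket_s=0.5, min_queries=5, dominance=0.8):
    """events: (timestamp_seconds, qname) pairs in time order.
    Per base domain, keep the inter-query deltas seen inside the sliding window
    and count them per delta bucket. Return {base: (dominant_delta, fraction)}
    for bases whose deltas are dominated by one value, i.e. a periodic heartbeat."""
    last_seen = {}
    window = defaultdict(deque)   # base -> deque of (timestamp, delta_bucket)
    flagged = {}
    for ts, qname in events:
        base = base_domain(qname)
        if base in last_seen:
            delta = ts - last_seen[base]
            window[base].append((ts, round(delta / bucket_s) * bucket_s))
        last_seen[base] = ts
        q = window[base]
        while q and ts - q[0][0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= min_queries:
            bucket, count = Counter(b for _, b in q).most_common(1)[0]
            frac = count / len(q)
            if frac >= dominance:
                flagged[base] = (bucket, round(frac, 2))
    return flagged

def sample_events():
    # Constructed sample traffic, not a real capture: a client polling every ~4 s
    # under tunnel.example.com (with jitter), interleaved with irregular lookups.
    tunnel = [(4.0 * i + 0.03 * (i % 3), f"p{i:02d}abc.t.tunnel.example.com") for i in range(12)]
    human = [(1.3, "www.example.net"), (2.9, "cdn.example.net"), (7.2, "www.example.org"),
             (15.4, "api.example.net"), (16.1, "img.example.net"), (31.0, "www.example.org"),
             (40.5, "mail.example.net")]
    return sorted(tunnel + human)

if __name__ == "__main__":
    for base, (delta, frac) in detect_heartbeats(sample_events()).items():
        print(f"{base}: {frac:.0%} of queries {delta}s apart (heartbeat suspected)")
```

In a live setup the events would come from a Scapy sniff callback handing over the packet timestamp and the qname of each DNS query; the window and bucket sizes trade detection latency against tolerance for jitter.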
The video is really just a proof of concept so there is lots of work still to do…more later.