Sadly, cybercriminals use increasingly sophisticated methods of communication such as Domain Generation Algorithms (DGA) designed to evade detection in the growing noise of web traffic and to prevent the takedown of a botnet. DGAs are algorithms used by malware that generate domain names, which then serve as rendezvous points with their controllers. They are used as a method to restore communication when a controller is offline.
As cybercriminals change and improve their evasion techniques, monitoring capabilities also have to change and become more sophisticated. The focus in monitoring has always been on analyzing successful connections, whether it is an HTTP connection or an email. Now, we need to mine DNS traffic data to detect threats and pinpoint their sources. DNS monitoring takes us much further, providing information on failing attempts – the red flags of suspicious activity.
The good news is that since DNS is an essential component of the Internet, there is no way cybercriminals can get around it. Most activities that they engage in online will create DNS traffic. Most importantly, since their uses of DNS are atypical, this becomes a weakness that can be used against them.
Capturing and creating usable blocks of data
DNS traffic is rich in information. When captured correctly, it tells us what domain a computer attempts to connect with. In a typical situation, someone requests a specific domain name and it translates to an IP address. A successful request will create HTTP traffic towards that domain. But if a domain is entered incorrectly, the request will fail, generating an NXDOMAIN response.
Malicious DNS traffic does not follow this typical sequence. A malware infection will generate hundreds of domain requests at once, attempting to reach its command and control (C&C) server by guessing which domain the cybercriminals control. This method essentially works through a predetermined list of controllers until it reaches the active one. The result is loads of noise, which is detectable: high volumes of NXDOMAIN responses are red flags for malware threats.
To avoid sending up these red flags, malicious software communicates with new domains intermittently to frustrate detection efforts. The randomness of the timing circumvents static timing analysis of traffic. This “agile” DNS method also evades blacklists, the historical records of domains known to have been used maliciously.
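The NXDOMAIN volume check described above, as an added example that is not part of the original article: it counts NXDOMAIN responses per client in a sliding time window so that one burst of failed lookups for many distinct names is flagged while a single typo is not. The log format, field order, window and threshold are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS log: "<ISO timestamp> <client IP> <queried name> <rcode>".
# 10.0.0.5 is a normal host with one typo; 10.0.0.7 behaves like a DGA-infected host.
SAMPLE_LOG = """\
2024-01-10T08:00:01 10.0.0.5 www.example.com NOERROR
2024-01-10T08:00:04 10.0.0.5 wwww.example.com NXDOMAIN
2024-01-10T08:00:05 10.0.0.5 www.example.com NOERROR
2024-01-10T08:00:10 10.0.0.7 kq3xv8dplm.net NXDOMAIN
2024-01-10T08:00:11 10.0.0.7 zpa19cmrwh.com NXDOMAIN
2024-01-10T08:00:11 10.0.0.7 yt7qgb0ekd.org NXDOMAIN
2024-01-10T08:00:12 10.0.0.7 mw4hlxs2vc.net NXDOMAIN
2024-01-10T08:00:13 10.0.0.7 ug2prqj9nf.biz NXDOMAIN
2024-01-10T08:00:14 10.0.0.7 dvh6te3wbk.com NOERROR
"""


def parse_dns_log(text):
    """Yield (timestamp, client, name, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, name, rcode = parts
        yield datetime.fromisoformat(ts), client, name, rcode


def nxdomain_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Return {client: (peak NXDOMAIN count in any window, distinct failed names)}
    for clients whose NXDOMAIN responses reach `threshold` inside `window`.
    Assumed thresholds; tune them to the baseline of your own resolver logs."""
    failures = defaultdict(list)
    for ts, client, name, rcode in records:
        if rcode == "NXDOMAIN":
            failures[client].append((ts, name))
    flagged = {}
    for client, entries in failures.items():
        entries.sort()
        times = [ts for ts, _ in entries]
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = (peak, len({name for _, name in entries}))
    return flagged


if __name__ == "__main__":
    print(nxdomain_bursts(list(parse_dns_log(SAMPLE_LOG))))
```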