DNS logging and analysis is a valuable tool for identifying malware activity. Unauthorized code that communicates with a Command and Control server leaves an identifiable footprint, even when it tries to disguise it. Some malware communicates with hard-coded IP addresses, but those addresses tend to get blocked as they’re discovered. For this reason, the use of C&C domains is common, letting them change IP addresses often enough to avoid blocking.
DNS Traffic Analysis
The trouble is that DNS logs are gigantic. Think of how many domain resolutions happen per minute on even a low-volume server. Looking for problematic requests just by reading the logs is a hopeless task. It’s necessary to use an analysis tool that will spot questionable requests and unusual patterns.
Analyzing DNS traffic isn’t a simple task. Normal activity generates lookups for many domains, including unfamiliar ones. An ordinary web page may pull in data from a dozen domains. However, certain patterns characterize malware talking to C&C servers.
Considering the sheer volume of DNS data, making sense of it is a daunting task. Adding to the complexity, different operating systems and machines will have different log formats. Bringing it all together requires a powerful and flexible log analysis tool. Several such tools are available on the market.
What DNS Analysis Can Reveal
A widespread zero-day attack hit several major sites in January 2013. Facebook was able to locate the infiltration method through DNS analysis. A suspicious domain turned up in the DNS logs, identifying the employee computer that sent the request. This let investigators focus on that machine, where they found a malware file. Without that lead, they would have had to go through every workstation, a time-consuming and inconvenient process.
Just aggregating the log entries by domain or TLD and sorting them by the number of requests is easy, and it can reveal unusual patterns. If an unfamiliar domain appears in the top 20, it deserves a closer look. However, malicious servers often scramble their domains to avoid easy detection. Requests from infected machines rotate through changing URLs so that no one is hit too often. Unusually long qualified domain names are another possible red flag. Analysis software can find suspicious patterns even in changing domains.
Malware can use DNS not just to locate C&C servers, but to encode communications. The requests usually don’t get much scrutiny from network security software, aside from blocking blacklisted domains. The requests get past most firewalls and don’t even require direct access to an outside DNS server. A rogue request can encode information in a subdomain, and a response can encode it in the resource record fields. Analysis can catch anomalous information, such as nonstandard record types or dubious TTL values.
Defense in Depth
Why is it necessary to go to this effort? Wouldn’t it be better to keep the malware out in the first place? Certainly, it would be, but it’s not something IT management can count on. There are too many ways attackers can get a foothold, and users will make mistakes. Security software can detect many intrusions but not all of them. Sometimes it’s necessary to get down into the logs and look for suspicious traffic. It’s part of a defense in depth, based on recognizing that no single measure can stop all threats to a network.
Security software can block access to known malicious domains. Unfortunately, new ones keep emerging. Malware can include domains that haven’t even been registered yet so that it can move its C&C to new domains as its old ones get blacklisted. For this reason, failed DNS requests can be grounds for suspicion, especially if a lot of requests for the same nonexistent domain occur.
Tricks to Watch for
Malware authors are devious, and identifying their activity isn’t always as simple as spotting rogue domains. Some C&C servers reside on subdomains of legitimate but carelessly managed domains, and administrators may assume they’re legitimate. Others keep generating new domain names, and the malware uses an algorithm to generate the same series of domains before they’re actually deployed.
When performing DNS analysis, it is prudent to include a dynamic IP address. It spreads the traffic for a domain across multiple addresses so that catching and blocking any address doesn’t stop access. Major websites use multiple IP addresses because they have a huge amount of traffic to handle, but if an obscure domain shows many different addresses in the log, that should add to the suspicion it comes under.
Summary
DNS analysis is an often overlooked part of network security. It can appear to be a serious challenge, but it’s a major help when administrators suspect malware activity. It can locate the source of dangerous requests, whether they’re users opening phishing links or malware communicating with a rogue server. It can spot excessive amounts of traffic to dubious sites. Domain request analysis software is an important part of any IT security toolkit.
