nerocall.blogg.se

Money manager ex unexpected error





Initially, ransomware locked users out of their devices or blocked the access to files until a sum of money was paid. Now the paradigm has changed and criminals are also exfiltrating sensitive data from the victims and putting that information on dark web forums when the ransom is not paid. Ragnar_Locker, for instance, is a piece of ransomware operating in this manner.

Due to several conditions such as well-segmented networks, security products or even the blocking of outgoing TCP traffic, data exfiltration and malware communications from internal networks or devices are seen as an absolute challenge. DNS protocol abuse can be performed in specific scenarios where no outgoing TCP communication is possible. For example, when an internal device is compromised by malware in the presence of network security products, the communication with the C2 server can be easily detected during its operation. Among other channels, the DNS protocol is often used by criminals to bypass firewall rules.

The DNS protocol is a stateless protocol, as described in RFC 1035. This protocol works through TCP/UDP port 53 by default and is used only to exchange specific data. In particular, DNS allows communication between internal networks and the Internet and translates IP addresses to hostnames for user convenience. The dig tool, for instance, can be used in a user-friendly way to improve the interaction with this powerful protocol. An example of its application is shown below.

A simple query is performed to the DNS server configured by default on /etc/nf in Linux distributions.

Figure 1: DNS query using Google DNS and asking for the “A” record.

How DNS data exfiltration works

During the last decade, several types of software and malware used the DNS protocol for data exchange.

As mentioned above, DNS is a stateless protocol and was not designed to send and receive data in a client-to-server scheme. Nonetheless, abusing this protocol to build a client-to-server scheme is still possible, as the DNS analyzes both the sent and received queries as legitimate. In this case, crooks can use this technique to take advantage of this protocol in any particular scenario, e.g., malware or data exfiltration after an initial compromise. The following payload, for example, sends some arbitrary text to the DNS server: dig `echo "malware_traffic_here"`

Figure 2: Malicious traffic sent to the Google DNS server.

The responses to this query are the SOA addresses, containing administrative information about the DNS zone. Using this approach and setting up their own DNS server running on this protocol, it is possible to collect all the DNS answers and store them on the remote server.
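On the defensive side, data carried in DNS query names tends to stand out in resolver logs: one client sends many unique, long, high-entropy subdomains under a single zone. The following detection sketch is an added example, not code from the original page; the sample log, the exfil.test zone, the function names and the thresholds are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; hex or base32 encoded payloads score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def find_exfil_candidates(queries, min_unique=5, min_avg_len=24, min_entropy=3.0):
    """Group queries by (client, parent zone) and flag groups whose subdomain
    part looks like encoded data: many unique names, long labels, high entropy.
    The parent zone is naively the last two labels (assumption; a production
    detector should use the Public Suffix List)."""
    groups = defaultdict(set)
    for client, name in queries:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) > 2:
            groups[(client, ".".join(labels[-2:]))].add("".join(labels[:-2]))
    findings = []
    for (client, zone), subs in sorted(groups.items()):
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(sorted(subs)))
        if len(subs) >= min_unique and avg_len >= min_avg_len and entropy >= min_entropy:
            findings.append({"client": client, "zone": zone, "unique": len(subs),
                             "avg_len": round(avg_len, 1), "entropy": round(entropy, 2)})
    return findings

# Constructed sample log (not real traffic): ordinary lookups plus one host
# sending hex chunks as subdomains of a placeholder zone, exfil.test.
SAMPLE_QUERIES = [("10.0.0.5", host + ".example.com")
                  for host in ("www", "mail", "api", "cdn", "img", "docs")]
SAMPLE_QUERIES.append(("10.0.0.9", "www.example.org"))
for seq in range(8):
    chunk = hashlib.sha256(str(seq).encode()).hexdigest()[:32]  # stand-in for encoded data
    SAMPLE_QUERIES.append(("10.0.0.9", chunk + "." + str(seq) + ".exfil.test"))

if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_QUERIES):
        print(finding)
```

The thresholds need tuning against a baseline of the local resolver's traffic, since CDNs and some security products also generate long machine-made names.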






