Monday, July 02, 2007 9:52 AM cmosby

Symantec Security Response Weblog: DNS Botnet Phun


DNS Botnet Phun

Over the years, IRC channels have been a favourite communications method between back doors and their command centers because they are so simple to set up and use. The IRC protocol is easy to use and can also be easily configured to travel over an arbitrary TCP port, so it is not easy to block IRC traffic based on well-known port numbers. That said, IRC traffic generally has no place within corporate environments, so that makes it a little easier to spot and control.

A recent proof-of-concept back door Trojan (Backdoor.Fonamebot) that we have examined here at Symantec has perhaps pointed the way forward for the transmission of data between zombies and the bot herder. What we have seen is a new kind of back door that sends and receives its data through the DNS protocol.

You might ask yourself, "What is the big deal with this development?" Well, as it turns out, DNS is one of the most widely used protocols on the Internet today. Just about every time somebody accesses a Web page or sends an email, a DNS server is used somewhere in the process. For example, when you enter the address www.symantec.com into your Web browser, a number of actions take place before you see the Web page you requested. One of the first is the sending of a DNS query to the local DNS server to turn that human-friendly name into an IP address that is more suitable for computers to understand and process.

DNS queries can run recursively. If the local DNS server does not know the name you are looking for, it can forward the request to another DNS server, and so on until the appropriate answer is found. If all goes well, the DNS server will return an IP address to your computer, which will then use it to send the actual HTTP request on to the destination Web server. So at this point we’ve established that the DNS service is really important to the smooth running of the Internet, so important that if it were taken offline, it would virtually bring the Internet to a halt. But what happens if the DNS infrastructure that the Internet knows and trusts is tainted?

Let’s say we had a piece of malware that could hide all its communications amongst the legitimate DNS traffic that is so pervasive on the Internet. Now we potentially have a pretty nasty situation, because we cannot simply block DNS traffic on UDP/TCP port 53.

This could have security ramifications. For instance, one possible attack scenario could involve an attacker setting up a malicious DNS server to send and receive commands and data. The attacker would then wait for a computer to become infected with one of the back door Trojans, which would then attempt to establish a connection with a controller. It does this by sending out DNS queries to its local DNS server looking for a certain address (the address encodes a command in the form of a server name that is only known to the DNS server owned by the attacker). The local DNS server will not know the address and will forward the query to other DNS servers in the chain, ending up at the malicious domain. The malicious DNS server would respond with a message formatted within the confines of the DNS protocol. This message will contain either commands or data for the Trojan to process. The commands themselves are encoded within bogus IP addresses, so it is not easy to tell whether the transmission is legitimate or malicious.

By using this method, the Trojan can communicate freely with the controller through the DNS protocol. Preventing this type of back channel communication is difficult, as you cannot simply block the use of DNS. This proof of concept was based on work presented by Dan Kaminsky back in 2004. We will likely see this type of back channel communication used in the future by botnet builders; perhaps it is time we began to take a closer look at the DNS traffic.
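One way to take that closer look, as an added example that is not part of the original post or of Symantec's tooling: a small Python heuristic run over DNS query logs that scores each zone on the two traits described above, many unique random-looking names under one zone and answers that are not routable addresses. The log format, the tunnel-example.test zone, the client addresses and the thresholds are constructed assumptions for illustration.

```python
"""Heuristic detector for DNS-tunnelled back channels, run over a DNS query log."""
import math
from collections import defaultdict

# Constructed sample log, one "<client> <queried name> <answer IP>" per line.
# The tunnel-example.test zone is a made-up stand-in for an attacker-run server.
SAMPLE_LOG = """\
10.0.0.5 www.symantec.com 1.2.3.4
10.0.0.5 mail.symantec.com 1.2.3.5
10.0.0.7 q7x2k9p0.cmd.tunnel-example.test 0.0.0.17
10.0.0.7 m3v8z1r4.cmd.tunnel-example.test 0.0.0.42
10.0.0.7 t5y0w6n2.cmd.tunnel-example.test 0.0.0.3
10.0.0.7 b9h4j7l1.cmd.tunnel-example.test 0.0.0.88
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of the leftmost label; encoded data scores high, words low."""
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def is_bogus_answer(ip: str) -> bool:
    """An A record in 0.0.0.0/8 is not a reachable host: the address is carrying data."""
    return ip.split(".")[0] == "0"

def profile_zones(log: str) -> dict:
    """Per zone (last two labels): distinct names, label entropies, bogus/total answers."""
    zones = defaultdict(lambda: {"names": set(), "entropy": [], "bogus": 0, "total": 0})
    for line in log.splitlines():
        _client, name, answer = line.split()
        labels = name.lower().split(".")
        z = zones[".".join(labels[-2:])]
        z["names"].add(name)
        z["entropy"].append(shannon_entropy(labels[0]))
        z["bogus"] += is_bogus_answer(answer)
        z["total"] += 1
    return zones

def suspicious_zones(log, min_names=3, min_entropy=2.5, min_bogus_ratio=0.5) -> list:
    """Zones with many unique random-looking names answered by bogus IPs, worst first."""
    hits = []
    for zone, z in profile_zones(log).items():
        mean_entropy = sum(z["entropy"]) / len(z["entropy"])
        bogus_ratio = z["bogus"] / z["total"]
        if len(z["names"]) >= min_names and mean_entropy >= min_entropy \
                and bogus_ratio >= min_bogus_ratio:
            hits.append((zone, len(z["names"]), round(mean_entropy, 2), round(bogus_ratio, 2)))
    return sorted(hits, key=lambda h: (-h[1], -h[2]))
```

On the sample log only tunnel-example.test is flagged; the legitimate zone has few names, low entropy and routable answers, so tuning the thresholds against a site's own baseline is what keeps false positives down.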

Posted by Hon Lau on June 29, 2007 11:13 AM

Source: Symantec Security Response Weblog: DNS Botnet Phun

