Is this the best alternative to WLAN Port-Mirroring? Using custom router firmware to log malware requests
Foreword: I am not an IT type of person, so all of this was done using homelab techniques.
One of my friends told me that the base firmware for these Asus Routers eliminated the ability to perform WLAN Port-Mirroring using iptables rules.
There is a difference between LAN port-mirroring and WLAN port-mirroring. You can port-mirror an ethernet-connected LAN using a managed switch, which, for the cheap ones, can start at about $50. Quality devices like Cisco Catalysts can use SPAN port configurations to do the same. However, if you port-mirror using a switch, you will not see most of the traffic from wireless devices like laptops, cellphones, tablets, etc. The only traffic I saw from wireless devices was traffic that hit the multicast or broadcast range, which was not very helpful outside of installing an OSSEC agent on the physical device (all of my laptops have agents reporting back to my SecurityOnion VM at home over a VPN), and even then, there are few agents that work with mobile devices like cell phones and tablets.
Another requirement for this to work is to set your router as your DNS resolver, which means that if you use a VPN on your device, you need to manually set your upstream DNS to your router.
The incident
Yesterday, January 9th, was a very busy week for me. I was actually closely watching this matter for about 4 or so days, ever since I noticed blocked malware traffic beaconing to this URL, as reported by NextDNS and confirmed by this blocklist. The malicious domains are:
event[.]trk-instructior[.]com
extension[.]trk-instructior[.]com
notification[.]trk-instructior[.]com
Here is a different CloudFlare IP associated with the domain: https://otx.alienvault.com/indicator/ip/172.64.104.38
As well as a 2019 spearphishing campaign attributed to it: https://otx.alienvault.com/indicator/file/65b1572ee7d625245773ace0ef9636932df9ed464ddb0495bd39ce5569273f5f
Starting early morning, I decided to reconfigure the dnsmasq daemon to verbosely log all DNS requests to narrow down the device. I quickly learned that this specific domain was used to spread highly obfuscated malware targeting Windows machines as early as 2019. Now it’s 2023, and to my surprise, the beaconing was coming from my father’s Android phone.
In the middle of the day, after running some unit testing, I noticed that the beacon was coming from within my father's Android Chrome browser sandbox. I found this by closely observing the logs as I started and closed each app while running tail -n20 -f /tmp/syslog.log logged into the router.
From the lessons I learned from this experience, I thought it would be great to share with all of you how to permanently log malicious DNS requests by sending them to a listener such as SecurityOnion's Elastic Stack or Splunk.
I am using Asus Merlin custom firmware for this, with admin access over SSH using my private key.
Your mileage may vary, as you need custom firmware for your router and you should read the documentation on how to customize your dnsmasq configuration.
You need command-line access to fully utilize dnsmasq.
Log in to your router GUI.
Log in to SecurityOnion.
Because DNS queries and other events are so verbose, they will quickly overwrite themselves due to the limited non-volatile storage on the router. It's important to use syslog together with a server or virtual machine that can ingest it, like Splunk, Elastic Stack, or in my case, SecurityOnion with the ELK Stack, giving you a persistent log of all DNS queries for any investigations you will be running. By default, logs transmitted via the default Asus Merlin syslog service are not encrypted.
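The investigation above came down to reading dnsmasq query lines out of syslog and matching the client address against the three domains listed. The following is an added example (not code from the original article or from Asus Merlin) that does the same triage over a batch of syslog lines, as the listener described in this section would receive them: it parses the "query[TYPE] name from IP" records dnsmasq writes when log-queries is on, ignores the forwarded/reply/cached lines that carry no client address, checks each looked-up name (and its parent domains) against the blocklist, and groups the hits by client IP so the offending device stands out. The router hostname, PID, client addresses and timestamps in the sample log are constructed; the blocklisted names and the 172.64.104.38 answer are the ones named in the article.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up above (defanged brackets removed).
BLOCKLIST = {
    "event.trk-instructior.com",
    "extension.trk-instructior.com",
    "notification.trk-instructior.com",
}

# With "log-queries" enabled, dnsmasq logs each lookup as
#   dnsmasq[<pid>]: query[<type>] <name> from <client ip>
# The syslog daemon prepends a timestamp and hostname, and
# "log-queries=extra" inserts a query id and client/port field before
# "query[...]"; searching (not anchoring) the pattern handles both forms.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:\d+ \S+ )?query\[(?P<qtype>[A-Z0-9]+)\] "
    r"(?P<name>\S+) from (?P<src>\S+)"
)


def is_blocked(name, blocklist=BLOCKLIST):
    """True if name, or any parent domain of it, is on the blocklist."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_query(line):
    """Return (qtype, name, client_ip) for a dnsmasq query line, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("qtype"), m.group("name").rstrip(".").lower(), m.group("src")


def hits_by_source(lines, blocklist=BLOCKLIST):
    """Map each client IP to the blocklisted names it looked up, in log order."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # forwarded/reply/cached lines carry no client address
        _qtype, name, src = parsed
        if is_blocked(name, blocklist):
            hits[src].append(name)
    return dict(hits)


# Constructed sample: hostname "router", PID, 192.168.50.x clients, the
# 203.0.113.53 upstream and the timestamps are made up; the blocklisted
# names and the 172.64.104.38 answer come from the write-up.
SAMPLE_LOG = """\
Jan  9 07:12:01 router dnsmasq[2311]: query[A] event.trk-instructior.com from 192.168.50.42
Jan  9 07:12:01 router dnsmasq[2311]: forwarded event.trk-instructior.com to 203.0.113.53
Jan  9 07:12:02 router dnsmasq[2311]: reply event.trk-instructior.com is 172.64.104.38
Jan  9 07:12:05 router dnsmasq[2311]: query[A] www.example.com from 192.168.50.10
Jan  9 07:12:30 router dnsmasq[2311]: query[AAAA] notification.trk-instructior.com from 192.168.50.42
Jan  9 07:13:00 router dnsmasq[2311]: 7 192.168.50.42/51234 query[A] cdn.example.net from 192.168.50.42
"""


def main():
    # Prints one block per client, so the beaconing device is obvious.
    for src, names in sorted(hits_by_source(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {len(names)} blocklisted lookup(s)")
        for name in names:
            print(f"  {name}")


if __name__ == "__main__":
    main()
```

Run against the sample, only 192.168.50.42 is reported, with the two trk-instructior.com lookups it made. Pointing hits_by_source at the lines a syslog collector has stored for the router (rather than the constructed SAMPLE_LOG) gives the same per-device view without having to sit on tail -f while toggling apps, and the parent-domain match in is_blocked means a new subdomain under a listed name is still caught.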
Vulnerability Management | Incident Response | Cloud Security
2y: Awesome write-up Chang! Going to try this in my home lab, thanks for the content!