DNS Security & Vulnerabilities: Part 2— Malware, DNS Protocol Abuse, and the Kill Chain


As with all threats, we need to be able to prevent and terminate them. One of the ways we do that is via a Kill Chain. However, we need to understand where DNS fits in this picture by looking at how it is used in each of the different categories.

The Kill Chain is made up of the following categories:

Reconnaissance

This is generally the first step of an attacker's playbook. They want to learn what is available to be attacked, and DNS servers contain a lot of information about devices that are publicly available.

Some of the items that are commonly looked at are:

  1. Address spaces: which ranges are being used to host services.
  2. Mail servers, as they are generally used in every organization.
  3. Hostnames, which are normally assigned to every device and are commonly named in a fashion that describes what the device does. If a device is named "test", for example, it could make for an easier target due to weaker configuration settings.
  4. Recursive queries for popular destinations.
  5. Finally, Active Directory. If you run a Windows realm this is almost a given no matter how you play it, especially if queries for AD resources are being sent in from the internet, which results in the public cache being accessible. This makes it tempting to see if the _tcp records used are resolvable and possibly exploitable.

Weaponization

While DNS can play a part in many types of attacks, the attacks we are focusing on here are ways to abuse the DNS protocol and how it can be used to launch attacks. Some of the common attack vectors with the protocol itself are:

  • Tunneling: DNS tunneling involves encoding the data of other programs or protocols within DNS queries and responses. It usually carries data payloads that can take over a DNS server and allow attackers to manage the remote server and applications.
  • Amplification: DNS amplification attacks perform Distributed Denial of Service (DDoS) against a targeted server. This involves exploiting open DNS servers that are publicly available in order to overwhelm a target with DNS response traffic.
  • Flood Attacks: DNS flood attacks use the DNS protocol to carry out a User Datagram Protocol (UDP) flood. Threat actors send valid (but spoofed) DNS request packets at an extremely high packet rate and spread them across a massive group of source IP addresses.
  • DNS Spoofing: DNS spoofing, or DNS cache poisoning, involves using altered DNS records to redirect online traffic to a fraudulent site that impersonates the intended destination. Once users reach the fraudulent destination, they are prompted to log in to their account.
  • NXDOMAIN Attacks: A DNS NXDOMAIN flood DDoS attack attempts to overwhelm the DNS server with a large volume of requests for invalid or non-existent records. These requests are often handled by a DNS proxy server, which uses up most (or all) of its resources querying the DNS authoritative server. This causes both the authoritative server and the proxy server to spend all their time handling bad requests. As a result, the response time for legitimate requests slows down until it eventually stops altogether.
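Two of the vectors above, tunneling and NXDOMAIN floods, leave recognisable traces in resolver query logs. The following is an added example (not part of the original article) that runs two simple defender-side heuristics over a constructed log sample: a high NXDOMAIN ratio per client, and long, high-entropy first labels typical of encoded tunnel data. The log format, client addresses and thresholds are all assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<time> <client> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
10:00:01 10.1.1.5 www.example.com A NOERROR
10:00:02 10.1.1.5 mail.example.com MX NOERROR
10:00:03 10.1.1.9 a8f3k2j9d0s1x7c4v6b2n5m1q8w3e7r.tunnel.example.net TXT NOERROR
10:00:03 10.1.1.9 zq9x1c3v5b7n9m2k4j6h8g0f2d4s6a8.tunnel.example.net TXT NOERROR
10:00:04 10.1.1.9 p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h.tunnel.example.net TXT NOERROR
10:00:05 10.1.1.22 kjhg3f.example.com A NXDOMAIN
10:00:05 10.1.1.22 zxcv9q.example.com A NXDOMAIN
10:00:05 10.1.1.22 qwer7z.example.com A NXDOMAIN
10:00:06 10.1.1.22 www.example.com A NOERROR
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded tunnel data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def parse_log(text):
    """Split each log line into a record dict (assumed 5-field format)."""
    recs = []
    for line in text.splitlines():
        _ts, client, qname, qtype, rcode = line.split()
        recs.append({"client": client, "qname": qname, "qtype": qtype, "rcode": rcode})
    return recs

def triage(recs, nx_ratio=0.5, min_queries=3, label_len=25, entropy=3.5):
    """Return {client: [findings]} for clients that trip either heuristic."""
    per_client = defaultdict(list)
    for r in recs:
        per_client[r["client"]].append(r)
    findings = {}
    for client, rs in per_client.items():
        notes = []
        nx = sum(r["rcode"] == "NXDOMAIN" for r in rs)
        # NXDOMAIN flood / random-name generation: mostly non-existent names
        if len(rs) >= min_queries and nx / len(rs) >= nx_ratio:
            notes.append("high NXDOMAIN ratio (%d/%d)" % (nx, len(rs)))
        # Tunneling: the first label carries the encoded payload
        tunnel_like = [r["qname"] for r in rs
                       if len(r["qname"].split(".")[0]) >= label_len
                       and shannon_entropy(r["qname"].split(".")[0]) >= entropy]
        if tunnel_like:
            notes.append("%d tunnel-like labels" % len(tunnel_like))
        if notes:
            findings[client] = notes
    return findings
```

On real logs the thresholds need tuning per environment, since CDNs and some legitimate services also produce long labels.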

Delivery

Attackers normally deliver their payload through other means, most commonly the HTTP(S) protocols, but in this case we are looking at DNS-based delivery. The primary example is that an attack launched against a domain name rather than a bare IP address has to resolve that name first, which makes DNS the forerunner.

Exploitation

As mentioned in the Delivery section, DNS is the forerunner for attacks, as it is generally used to target systems rather than raw IPs. This can make DNS an ideal kill switch to stop an attack if the attacker is using DNS to resolve, access systems and communicate.

Installation

In most cases the attacker will install backdoors once a foothold has been gained. These may or may not rely on DNS, depending on the install method being used.

Command & Control

Now that the attacker has access and control over the machines, they need to tunnel out. If these callbacks use DNS rather than a direct IP connection, so that the attacker can change the IP address hosting their services, then DNS is indeed being used against you.

Actions on Objectives

As you can see from the quick overviews above, DNS is used in all the areas of the kill chain. Because of this, it is important to understand how DNS is implemented and being used in your environment. This allows you to better control, monitor, prevent and stop attacks.

Now that you have an understanding of the steps, let's go over some use cases where malware made heavy use of DNS.

WannaCry

If you remember, this was the big one. It exploited a major flaw in Windows, and to this day it is a commonly used attack vector because organizations have not changed default configurations or made changes to prevent this type of attack.

What WannaCry did that was cool is how it used DNS to check whether the network conditions were right for an attack.

The process went as follows: if the random domain of choice resolved, it knew it was in a sandbox and stopped. If the domain did not resolve, it knew it was not likely in a sandbox.

How is this done? It is done by using the NXDomain status code that is received. This is also the same status code you can use when doing ad blocking on servers. NXDomain stands for Non-Existent Domain.

This is a great example of how malware can behave differently in different environments based on the status codes it gets back from DNS.
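To make the status code concrete, here is an added example (not from the original article) that builds a minimal DNS query and two constructed resolver replies in RFC 1035 wire format, one with RCODE 3 (NXDOMAIN) and one with RCODE 0 plus an A record, then decodes the RCODE the way a client's "does this name exist?" check would. The domain name, query ID and answer address are assumptions for the example; the NOERROR reply is what a sinkholing resolver or "fake internet" sandbox returns for any name, which is why such an environment flips the check described above.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qid=0x1234):
    """Standard A query: 12-byte header (RD set, 1 question) + question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def build_response(query, rcode, answer_ip=None):
    """Constructed reply: echo the question, set QR/RD/RA and RCODE, and
    optionally append one A record (as a sinkhole answering every name would)."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, low 4 bits = RCODE
    msg = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + question
    if answer_ip:
        # Compression pointer to the name at offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(o) for o in answer_ip.split("."))
    return msg

def parse_header(msg):
    """Decode the fields a client needs: ID, QR bit, RCODE name, answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": flags >> 15,
            "rcode": RCODES.get(flags & 0xF, "OTHER"), "ancount": an}

def domain_resolves(response):
    """The check the text describes: NXDOMAIN means the name does not exist."""
    return parse_header(response)["rcode"] != "NXDOMAIN"
```

An analyst reproducing this behaviour should therefore note which RCODE the sandbox's resolver hands back, because a resolver that never returns NXDOMAIN will make the sample take the "sandbox" branch every time.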

Hopefully this gives you a better understanding of how DNS can be used in attacks and gives you some ideas on how to protect your environment from such attacks.
