Recently security researchers have discovered a new malware threat called DNSMessenger, a Remote Access Trojan (RAT) that opens a backdoor so that hackers can control the compromised machine remotely. These controlled machines then form a botnet which can be used to perform DDoS attacks or to steal data, among other malicious activities.
DNSMessenger is an extremely sophisticated malware that is 1) fileless, 2) uses Windows PowerShell and 3) uses DNS to communicate with Command-and-Control (C&C) servers. Being fileless, DNSMessenger can remain undetected – even if the host machine has traditional antivirus products installed.
The attack employs PowerShell because it offers greater power than what traditional Windows shell commands provide (sounds obvious, right?). But more importantly, the malware uses DNS as its communication channel with its control center, so to speak—or C&C server—to deliver PowerShell binaries into the host machine and to send data out from the compromised host.
Anti-virus Systems on Endpoints may not catch RATs
Traditional security systems, including those running at endpoints (for example, antivirus systems) and those deployed at the network perimeter (for example, firewalls) may have a hard time detecting DNSMessenger. As mentioned, being fileless, this particular malware attack can evade detection by antivirus systems. Moreover, perimeter security systems typically do not monitor or filter DNS traffic since DNS is a critical network infrastructure, and DNS traffic is usually regarded as safe—meaning DNSMessenger can remain under stealth.
Need to up Threat Dection at the Core
However, next-generation security solutions such as those employing threat intelligence and machine learning analytics may have better results protecting users from sophisticated malware threats like DNSMessenger. Indicators of Compromises can be used to help block a malware attack’s communication with C2 servers so hackers have to change their servers’ IP address or domain name every so often to avoid being cut off from the botnet. Machine learning analytics solutions can compare the suspicious network traffic (DNS traffic in the case of DNSMessenger) against normal traffic to detect those odd behaviors from the malware. Working in tandem with traditional methods, these solutions can provide a layered defense-in-depth approach to organizations who have valuable data inside their network.
Infoblox offers a suite of security solutions including signature-based Advanced DNS Protection, advanced Threat Intelligence as part of ActiveTrust and ActiveTrust Cloud, and a machine learning behavior analytics solution called Threat Insight, also as part of Active Trust Cloud. Together, they monitor DNS traffic at different check points and disrupt malware communications. ActiveTrust Cloud can also now protect against DNSMessenger by using a combination of the techniques mentioned above. For more information, please visit infoblox.com.
Watch the Video
I recently had a chance to host a Facebook Live Session with my colleague, Srikrupa (Krupa) Srivatsan on this topic. You may want to watch to get additional perspectives.