Characterization of Covert Channels in DNS

Malware families use a variety of protocols to establish their covert communication channels. Sometimes they use protocols that are least expected to carry data, such as the Domain Name System (DNS). Although DNS is designed as a translation service between domain names and IP addresses, it leaves open doors for establishing covert channels, widely known as DNS tunneling. In this paper, we characterize the malicious payload distribution channels in DNS. Our proposed solution characterizes these channels based on the patterns of DNS query and response messages. We performed an extensive analysis of malware datasets collected over one year. Our experiments indicate that our system can successfully determine the different DNS traffic patterns of malware families.
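The abstract says the channels are characterized by the patterns of DNS query and response messages. The following is an added example, not code from the paper or its authors, of the kind of per-domain pattern features a defender derives from a DNS query log: subdomain length, character entropy of the encoded labels, how rarely a name repeats, the share of payload-capable record types, and answer size. The log record layout `(qname, qtype, response_bytes)`, the sample records, the two-label apex split and every threshold are assumptions chosen for illustration; the tunnel-like names are rotations of the base32 alphabet and are constructed, not captured traffic.

```python
"""Per-apex DNS query/response pattern features for spotting tunnel-like traffic.

Added example (not the paper's code). Thresholds, the log record layout
(qname, qtype, response_bytes) and the sample data are all assumptions.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict

# Record types whose answers can carry large or free-form payloads.
BULK_QTYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}

# Constructed sample of query-log records: (qname, qtype, response_bytes).
# The tunnel-like names are rotations of the base32 alphabet, not real traffic.
_B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_QUERIES = [
    ("www.example.com", "A", 60),
    ("mail.example.com", "A", 60),
    ("www.example.com", "A", 60),
    ("cdn.example.com", "A", 70),
    ("static-assets-prod-eu-west-1.cdn-example.net", "A", 60),
] + [(f"{_B32[i:] + _B32[:i]}.tunnel-test.invalid", "TXT", 400) for i in range(4)]


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str, apex_labels: int = 2) -> tuple[str, str]:
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    Assumes a two-label apex; production code would consult a public-suffix list.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-apex_labels]), ".".join(labels[-apex_labels:])


def query_features(qname: str, qtype: str, resp_bytes: int) -> dict:
    """Per-query features from the name, the record type and the answer size."""
    sub, apex = split_name(qname)
    return {
        "apex": apex,
        "sub": sub,
        "sub_len": len(sub),
        # Dots are stripped: tunnels split a payload across several labels
        # because a single label is limited to 63 bytes.
        "entropy": shannon_entropy(sub.replace(".", "")),
        "bulk": qtype.upper() in BULK_QTYPES,
        "resp_bytes": resp_bytes,
    }


def aggregate_by_apex(records) -> dict:
    """Roll per-query features up into per-apex statistics."""
    groups = defaultdict(list)
    for qname, qtype, resp in records:
        f = query_features(qname, qtype, resp)
        groups[f["apex"]].append(f)
    stats = {}
    for apex, feats in groups.items():
        n = len(feats)
        stats[apex] = {
            "queries": n,
            "unique_ratio": len({f["sub"] for f in feats}) / n,
            "mean_sub_len": sum(f["sub_len"] for f in feats) / n,
            "mean_entropy": sum(f["entropy"] for f in feats) / n,
            "bulk_fraction": sum(f["bulk"] for f in feats) / n,
            "mean_resp_bytes": sum(f["resp_bytes"] for f in feats) / n,
        }
    return stats


def tunnel_score(s: dict) -> int:
    """Number of tunnelling indicators an apex trips (assumed thresholds)."""
    return sum([
        s["queries"] >= 3 and s["unique_ratio"] > 0.8,  # names almost never repeat
        s["mean_sub_len"] > 30,                         # long subdomain part
        s["mean_entropy"] > 3.5,                        # encoded-looking labels
        s["bulk_fraction"] > 0.5,                       # mostly payload-capable types
        s["mean_resp_bytes"] > 200,                     # oversized answers
    ])


def suspicious_apexes(records, min_score: int = 3) -> list[str]:
    """Apexes whose aggregate pattern trips at least min_score indicators."""
    stats = aggregate_by_apex(records)
    return sorted(a for a, s in stats.items() if tunnel_score(s) >= min_score)


if __name__ == "__main__":
    for apex, s in aggregate_by_apex(SAMPLE_QUERIES).items():
        print(f"{apex:25} score={tunnel_score(s)} {s}")
    print("flagged:", suspicious_apexes(SAMPLE_QUERIES))
```

Scoring per apex rather than per query is the point: a single long, high-entropy name (the constructed CDN-style record above) trips at most one indicator and is ignored, while the constructed `tunnel-test.invalid` records trip all five because every query is a fresh encoded label answered with an oversized TXT record. Real deployments tune the thresholds against their own baseline and add a public-suffix list so that `co.uk`-style apexes are grouped correctly.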
