Analysis and Research on Modern Malware and DNS Protocol

11/20/2017

This article is based on the learning and understanding of a large number of online technical articles and has done a sort of analysis from various aspects, including attackers / monitors / defenders and analyze malware based on the Internet threat intelligence API interface.

Based on the current network environment, malware can be considered as Trojan virus in a narrow sense. The increasingly widespread ransomware and IoT-related viruses also use DNS Tunnel with various fancy skills. That is Out-of-Band (OOB) technology.

In addition to Wannacry's kill switch in the previous days, there are more fancy usages of this kind of technology such as using qzone/weibo/twitter as transmission tunnel which can provide public access within traffic like HTTP/API/JSON, etc., for parsing or as a code accessing area. For malicious intrusion, there are also popular social tools (such as Telegram/WeChat/IRC) as remote Botnet. What is cooler is to use Gmail as receiving API to accept code data from attackers or use trojan to send encrypted E-Mail through the tunnel to hacker's own mailbox. Those in the underground world have truly bypassed the traditional data channel restriction and they have therefore embraced the era of modern malware using OOB technology.

Perhaps you still remember the supply chain intrusion incidents caused by Xshell and CCleaner a few months ago and the backdoor of the Chrome User-Agent Switcher, as well as the ALMA Communicator Trojan in the Clayslide documentation of the OilRig organization recently tracked by Unit 42. All of these incidents are related to the DNS protocol technology (the DNS tunnel technology may be used here, or the remote control domain name is used, but all are related to the DNS protocol).

Why DNS?

At present, the public's understanding of the application of the DNS protocol in the attack and defensive field is still very shallow. The protocols for detecting network borders are mainly famous protocols like http/https/ftp/telnet/ssh, especially in web attacks. In the case of the web security protection products such as WAF, the attack payload of the http/https class has been strengthened. For some unpopular protocols, the attention of the DNS protocol has been increasingly reduced. This phenomenon provides a convenient way for an attacker with a full brain.

Reference: RFC 1035

First briefly mention the record type of the DNS protocol, and make preparation for the following article. What can be found on the Internet are basically seven types of records, but in fact, the following ones are commonly used in the DNS Tunnel technology. The usage of record type data for out-of-band transmission is called invalid Rdata transmission of DNS.

  • A Record

Address mapping record. Specify the IP address of this host.

  • TXT Record

Text record. Specify multiple text strings to be associated with a domain name, which is generally used when email forgery spf record verification.

  • AAAA Record

IPv6 address record. Record the 128-bit IPv6 address of the specified host. AAAA records are similar to A records and are used to resolve queries for IPv6 addresses for specific domain names.

  • PTR Record

Reverse lookup pointer records. Specifies the domain name of the host. In the case of a given IP address, the PTR record allows the lookup of the hostname.

In addition to the attack modes mentioned in this document, the DNS protocol has well-known DNS Flood and DNS Amplification attacks in the field of traffic attacks.

Transfer Payload Through DNS Tunnel

Following article decribes the data communication mode between the host and the C&C server based on several record types.

  • A record

Send sensitive data in one direction, encrypt the data into [DATA], and then recursively resolving through the public DNS or directly through the system DNS (recursive resolution is used to prevent direct exposure of the DNS server) [DATA].evil.com, DNS packets are also typically constructed to prevent the intercepted process from locating to the Trojan source. The parsed data will be passed to a DNS server controlled under the attacker.

The interaction between the controlled terminal and the C&C server is completed in cooperation with the TXT record;

  • TXT record

The configuration of the malicious TXT record is generally a control command. The controlled terminal receives the TXT record information and decrypts it correctly, It is possible to execute a local command to achieve the effect of RCE, and then pass back through the A record.

It is also possible to pass the payload in a new C&C Server IP using the DGA algorithm mentioned below, and then achieve the effect of transforming the malicious address of [GAME OVER].

The AAAA record will not be described in details. In fact, the main use point is similar to IPv4, splitting the several AAAA records of multiple IPv6 addressess and then output them in a loop as payload. The malware will then read the payload and decrypt it, execute it.

  • PTR Record

The PTR record is also used in conjunction with the A record. The subdomain name in the 1st raw and 2nd row of the figure below is the meterpreter payload. TimeforReconnect means that the backdoor core code reconnects the attacker every 10 minutes and establishes a connection every 5 minutes (1.1.{10}.{5}). Then the next PTR record value is used to bypass the detection of IPS / IDS. 10min5delay and 0min0delay are for the time setting, attacker split a payload into 0-4 Strip, according to the time setting to delay the payload take, thus bypassing the detection. So reviewing the PTR record is actually a sort for a payload.

DGA Algorithm

The above method is either to take the subdomain name resolution or to take the TXT record or another record type to obtain the control command from the attacker. But, what about the root domain name? Where does the root domain name come from? What kind of root domain name can I use for persistence control? The DGA algorithm is used here.

DGA (Domain generation algorithms) domain name generation algorithms are often used as the public network remote C&C service control terminal for malware. Malware will periodically use the DGA algorithm to automatically produce a random domain name, which can effectively bypass the blacklist detection before making connection attempts and searching for the C&C service console. If a generated domain name cannot be connected, it will continue to use the DGA algorithm to generate the next random domain name for the connection attempt. In this way, even if the IP address of the C&C changes, or a malicious domain name is killed, the hosted malware can still find the C&C service control terminal to continue working after a certain period of time. The first-line engineers often add these IOC by hands in an inefficient way which is slower than the speed of changing.

For example, all of the security incident this year commonly use the kind of technology of DGA algorithm:

  • Wannacry(iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com)
  • Xshell(xmponmzmxkxkh.com)
  • CCleaner(ab3d685a0c37.com) //figure shows that the implementation of DGA algorithm in CCleaner backdoor

In a previous internal malicious code incident response training course to interns, I have also mentioned the relevant analysis and used Xshell as an example to analyze how DNS channel is used to transmit data. Xshell's Module_DNS communication module mainly uses the data interaction resort of A record actively transferring and TXT record returning and defines a total of 3 DNS data types which are online, data and offline. The figure is the code for class 0 online communication.

In "xshellghost", the backdoor first use DGA algorithm to generate a string of length of 10-16 according to the year and month in the system time, and then splices it into a DGA domain name with ".com". So it can be seen that the root domain name is changed every month.

Then, the key system private data is encoded into a string by a specific algorithm, and a subdomain name is constructed with the root domain name formed above. At last, the C/S interaction is formed by querying the TXT record of the domain name.

Resorts of Launching DNS Queries

According to the information collected, I divided the DNS queries into three categories.

1. Whether to modify the local DNS configuration; (cannot locate the modifier)

2, Public DNS server recursive query and non-recursive query; (recursive query to avoid exposing the attacker's DNS server)

3. Local DNS configuration and DNS packet forging; (the faker can be located with the source)

DNS Monitor

As a third-party security company, it is very important to be able to monitor these illegal DNS queries in time. At present, the better DNS monitoring in China is the real-time network monitoring (NetworkScan Mon) belonging to 360Netlab. The platform can only record the history of 30 days of history. At the time of writing this article, Xshell's data was not available. You can only access the data of DNS resolution by taking the time period of “Ten/March/Event/Item” on the Dashboard. It is still very intuitive.

The monitoring frequency of third-party DNS resolution is naturally aimed at threat intelligence warning in the Internet environment, but when we think back to the enterprise or the individual itself, local DNS monitoring is naturally to monitor the DNS log through the terminal.

The analysis of the action of ransomware directly relies on sandbox techononly to read the internal domain names. But for the three hidden backdoors referred above like Xshell, CCleaner and Chrome User-Agent Switcher, if you do the local DNS resolution monitoring in advance, then this advanced backdoor incident will be foreseen and prevented.

DGA Domain Name Detection

Detect domain names which are generated by DGA algorithm by the method of machine learning in the classification of LSTM.

Reference: Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Jonathan Woodbridge, Hyrum S. Anderson, Anjum Ahuja, Daniel Grant. 2 Nov 2016

Reference: https://xbear.me/2017/11/04/%u4F7F%u7528LSTM%u68C0%u6D4BDGA%u57DF%u540D/

Xbear used 360Netlab's public DGA data to run in TensorFlow and exposed the API interface: http://xbear.me/api/dga?d=test.com. The sample family contains 42 families including madmax, blackhole, and tofsee. The trained model AUC reached 0.995579, and the accuracy rate was between 97% and 98%. Introducing deep learning into basic security testing has a very significant effect.

Local DNS Resolution Monitor

DNS is the 53-port transmission data that occupies both UDP and TCP. This single application protocol uses two transmission protocols at the same time, which is almost an alternative. In general, DNS data queries are all transmitted using UDP. However, the UDP packet is up to 512 bytes, so when the record is longer than 512 bytes, it will be transferred to the TCP transport protocol. The general domain name is not so lengthy. If it, the big probability of its cause may be used to transmit OOB data to the C&C server.

Reference: RFC 1035

The DNS resolution query uses UDP first. When UDP cannot be completed all the data transmission, the query will be converted to TCP. Therefore, monitoring the DNS data transmission on the TCP protocol will increase the accuracy, but the amount of capture will be reduced. The red box in the figure indicates that the RFC 1035 document converts data larger than 512 bytes into TCP transmission, while the blue box indicates another usage of DNS TCP. It is another well-known vulnerability, DNS zone transfers :)

Local DNS Client Service

Reference: http://scz.617.cn/windows/201705111519.txt

All of following are trying to reproduce the phenomenon of the description in the articles written by scz.

First, find the value of dnsrslvr.dll in the Registry Editor which shows the file path of dnsrslvr.dll.

Attach Procmon Filter,PID is 2552.

Firstly search keyword "dnsrs" in the subview window in Strings. It is apparently to see the two keywords: dnsrslvr.log, dnsvlr.log. Choose the first one and go into the IDA view window. Go into the function via clicking DATA XREF.

However, I found myself in a wrong position because there is only one word dnsrslvr.log and dnsrvlr.log cannot be seen anywhere. And function DnsLogIt() appears but function DnsLogInit(). Return back and choose the second one.

Here we are!. Missing function DnsLogIt() appeared but it was not called. To make it simple, scz post the following code block.

And we can only see one output of the string in the position. Trace the XREF to the C code we can see the function DnsLogIt() and function DnsLogInit(), the wrong word dnsrsvlr.log as well. After all, this written wrong word cannot be found in Windows 10.

I try to find something in dnsapi.dll and discover function Areg_RegisterTerm(). This function might be a process for registering thread and the log will be recorded during the time period. At last the part of registering, dnsapi.dll will be used to judge something about thread.

In the string subview window of dnsapi.dll, I found functions DnsLogIt() and function DnsLogInit().

It can be seen that DnsLogIt() is indeed a process of fopen/fputs/fclose, and the test result causes the eventvwr program to be stuck, and this problem is not solved on Windows 10. The subsequent function reanalysis will not continue because in the article written by scz has already made it very clear. Here I mainly take a look at the recording process of the entire DNS log, which is convenient for later code review.

In dnsrslvr.dll, a basic process can be found. And function DnsLogInit() is mainly responsible for processing when the DNS resolver service started, that is, when DNS resolution starts, logging starts, too. The action and the operation of writing the initialization log are also clearly shown in the code, DNS logging follows. DnsLogIt() is called here, but this time a conditional judgment is made when entering the main body of the record function. The judgment is based on a global variable LoggingMode. This global variable is defined once in function DnsLogInit(), the initialization value is 0, and it will return to the initialization value 0 after exiting the function DnsLogInit (). The value changing make it be restricted by the conditional judgment in the main body of the function DnsLogIt (). Because of the restriction, the function will be directly ended, so the DNS log can not be recorded normally.

However, there is still a problem with insufficient permissions. Because after analyzing the modern OS, the system default ACL for system32 does not allow to run as NT AUTHORITY\NetworkService but NAUTHORITY\NetworkService. The article written by scz said that you can use Procmon to find the problem out. I directly entered the registry editor after failure in Filter, parameter ObjectName in the path of COMPUTER\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache shows that it really runs as NT AUTHORITY \NetworkService. This machine then calcs looked at the operating identity of system32 does not contain NT AUTHORITY\NetworkService this user, so only one can be added. I test on my computer and see no such account. I used the following command to create one.

cacls %systemroot%\system32\dnsrsvlr.log /E /G "NETWORK SERVICE":W.

This command added NETWORK SERVICE to the dnsrsvlr.log file to authorize writing permission, this modification does not replace the original ACL but directly to modify the permissions.

The method of opening is to complete the initialization by creating a new dnsrsvlr.log file, and the additional operation of calling fopen by type IO input can manually set LoggingMode=1 to enter the main body of DnsLogIt() function. Finally, after giving NETWORK SERVICE write permission, you can enter the DNS log normally.

Then the method of opening the DNS log directly refers to the article of scz.

1. How to open the DNS Client Service log

/

Run as Administrator

nul > %systemroot%\system32\dnsrsvlr.log type
nul > %systemroot%\system32\dnsrslvr.log type
nul > %systemroot%\system32\asyncreg.log
cacls %systemroot%\system32\dnsrsvlr.log /E /G "NETWORK SERVICE":W
cacls %systemroot%\system32\dnsrslvr.log /E /G "NETWORK SERVICE":W
cacls %systemroot%\system32\asyncreg.log /E /G "NETWORK SERVICE":W
net start dnscache

--------------------------------------------------------------------------

2、How to cancel the log?

/

Run as Administrator

net stop dnscache
del %systemroot%\system32\dnsrsvlr.log
del %systemroot%\system32\dnsrslvr.log
del %systemroot%\system32\asyncreg.log
net start dnscache

Simplify DNS Log Switch

The above test and DNS log opening method are described in the environment of Windows 7 64bit environment, but the specific build number of Windows 7 is not indicated. After researching Microsoft's official documentation, it was found that Windows 2012 R2 and Window 2016 in the server version will open DNS Client Event log messages in eventvwr\Applications and Services Logs\Microsoft\Windows\DNS-Server after installing KB2956577 patch. I found in the local test that Windows 10 can also be turned on. In addition, I tested my own virtual machine. Windows 7 SP1 Build 7601 also comes with this DNS client event function. The function button name is just changed from DNS-Server to DNS Client Events. same. So you can open the DNS log here.

Windows 7 can't record the log even if the function is opened. It is still necessary to open the dnsrslvr.log log from the command line according to the method described in the fourth point.

Malicious Domain Name Processing

Reference: Microsoft Hands Off Nitol Botnet Sinkhole Operation To Chinese CERT

For these malicious domain names, there are some more widely handled resolutions in the world. Compared with the famous Fake IP processing method of DNS Sinkhole and its NXDomain, there is another kind of reservation which is devoted to testing and experimentation for these special IP address list. The experimental usage of Class D and Class E IP address is here.

Reference

DNS Protocol: 7

Malware Analysis: 24

DNS Client & Server Logging: 5