Monday, April 20, 2009

How DNS Servers & Network Routers Can Help In Malware Tracking?

“Malware calling home” is the activity in which an infected system tries to connect to a remote host, often the command and control or malware update server, either to download an updated binary for the infection or to receive commands passed on by the malware herder. This scenario is typical of malware that builds botnets. One of the most common symptoms is that many infected systems try to connect to the same remote host at about the same time. During such an event there may be complaints of unexplained high network usage, and the CPU utilization of certain servers, such as the DNS server, or devices, such as the network routers, may spike for no apparent reason.

The figure below is a pictorial representation of the components and activities of a DNS server. Some components are deliberately left out of the figure to keep it simple.


These details can help us track malware activity of a specific kind in the network during its initial stages, provided we know a few things about the malware’s tendency to connect to its parent source and correlate that with the DNS name resolution process. That way we know what to look for and where to look, so that we can be sure of the presence of infected systems in the network.

When an infected system tries to connect to a remote host, say abc.bad-domain.biz, the first thing it does is try to resolve the IP address of that host by querying the DNS server. Once the DNS server finds that the domain is not in its own namespace (in the case of an authoritative server), it uses its root hints so that the respective servers can forward the request to an authoritative server, which in turn responds with the requested IP address.

If we suspect that there is probably some malware-related activity, which may have infected a chunk of systems in the network infrastructure, we can try to locate these rogue systems by monitoring the traffic at the DNS server. Using a network sniffer such as Wireshark or Ethereal, we try to identify a pattern where more than one system is trying to resolve abc.bad-domain.biz. We may not know that abc.bad-domain.biz is in reality a bad host, so we can try to find out more about it and count how many systems are trying to resolve this host name. The source systems from which these resolution requests come must then be checked thoroughly and manually. The DNS server is one of the hot spots from which, by monitoring it from time to time, we can identify and stop a possible outbreak proactively.

Another hot spot for a similar scenario is the network router. We can also occasionally monitor the router cache for null traffic or for traffic targeted at remote destination port 01BD (hex for 445 - RPC). Multiple and frequent instances of this kind of traffic in the router cache can be indicators of possible malware activity. Refer to the figure below.


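As an added example, not part of the original post, the following Python script applies the two checks described above to constructed sample records: it groups DNS queries by the name being resolved and router flow records by destination, and reports any that a threshold number of distinct internal systems hit. The record formats, addresses and domain names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample DNS query records ("time client qname"); the layout is
# an assumption for this example, not a real DNS server log format.
DNS_QUERIES = """\
09:00:01 10.0.0.12 abc.bad-domain.biz
09:00:01 10.0.0.15 www.example.com
09:00:02 10.0.0.27 abc.bad-domain.biz
09:00:02 10.0.0.31 abc.bad-domain.biz
09:00:03 10.0.0.12 abc.bad-domain.biz
09:00:04 10.0.0.44 mail.example.com
09:00:05 10.0.0.50 abc.bad-domain.biz
"""

# Constructed sample router flow records ("time src dst dport"), same caveat.
FLOWS = """\
09:00:10 10.0.0.12 192.0.2.10 445
09:00:10 10.0.0.27 192.0.2.10 445
09:00:11 10.0.0.15 203.0.113.5 443
09:00:12 10.0.0.31 192.0.2.10 445
09:00:12 10.0.0.12 192.0.2.10 445
"""

SMB_PORT = int("01BD", 16)  # the hex port from the post is decimal 445


def fan_in(lines, key_index, src_index, min_sources):
    """Return {key: sorted distinct sources} for every key contacted by at
    least min_sources distinct source addresses. Repeat requests from the
    same client do not add to the count, so one noisy host is not an outbreak."""
    sources = defaultdict(set)
    for line in lines:
        fields = line.split()
        if fields:
            sources[fields[key_index]].add(fields[src_index])
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


def suspicious_domains(min_sources=3):
    """DNS hot spot: names that several distinct clients try to resolve."""
    return fan_in(DNS_QUERIES.splitlines(), key_index=2, src_index=1,
                  min_sources=min_sources)


def port445_destinations(min_sources=2):
    """Router hot spot: remote hosts reached on port 445 by several sources."""
    flows = [ln for ln in FLOWS.splitlines()
             if ln.split() and int(ln.split()[3]) == SMB_PORT]
    return fan_in(flows, key_index=2, src_index=1, min_sources=min_sources)


if __name__ == "__main__":
    for name, clients in suspicious_domains().items():
        print(f"{name}: resolved by {len(clients)} clients {clients}")
    for dst, srcs in port445_destinations().items():
        print(f"{dst}: port 445 traffic from {len(srcs)} sources {srcs}")
```

Each flagged name or destination is only a lead; the listed source systems still have to be examined manually, as the post says.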
I welcome any comments or suggestions about this post. If any of you feel that certain things can be pointed out, corrected or explained further, please feel free to send me a mail and let me know. I will definitely try to make the changes to this article.