Wednesday 22 May 2013

Suspicious Domains

Malware often tries to "phone home" to a command and control server (C&C), or to exploit a client by redirecting web queries to a malicious landing page, and it frequently relies on the Domain Name System (DNS) to do so. By using DNS the botnet herder can move the mothership of listening C&C servers quite easily, both by changing domain names often to avoid detection of the mothership's IP address and by moving the C&C to another node without updating all the bots. These domains are often registered with fake credentials and used only for a short period of time. Therefore one tell-tale sign for detecting not necessarily malicious, but at least suspicious, network activity is to obtain whois information on the domain, in particular the "Created on" date. The results can be divided into a few priority levels (1-3), where #1 is a domain created within the last week, #2 within the last month and #3 within the last six months.

I made a tool to ease the analysis of a packet capture file (pcap) using Ruby and the PacketFu gem. The tool parses the network packets looking for DNS queries; for each query it finds, it does a simple whois lookup on the domain. If the domain was created within one of the three levels shown above, it is reported as a suspicious domain.
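As an added example (not the author's tool, which reads the pcap with PacketFu and performs a live whois lookup), the two steps the post describes, pulling the queried name out of a DNS query and grading the whois "Created on" date into the three priority levels, in plain Ruby with no gems. The day thresholds for the levels (7, 30 and 182 days), the `.example` domain names, their creation dates and the capture date are all constructed here; the whois lookup is replaced by a hash, and the packets read from a pcap are replaced by raw DNS messages built in the script.

```ruby
require 'date'

# Priority levels from the post: 1 = created within a week, 2 = within a month,
# 3 = within six months. The day counts (7, 30, 182) are assumptions.
PRIORITY_LEVELS = [[1, 7], [2, 30], [3, 182]].freeze

# Grade a whois "Created on" date against a reference date (the capture date).
# Returns 1, 2 or 3 for a suspicious age, nil for an older domain or a date in the future.
def priority_level(created_on, today = Date.today)
  age_days = (today - created_on).to_i
  return nil if age_days < 0
  PRIORITY_LEVELS.each { |level, max_days| return level if age_days <= max_days }
  nil
end

# Build a raw DNS message (RFC 1035) with one A-record question. Used here only to
# construct sample payloads in place of packets read from a pcap. flags 0x0100 is a
# plain recursion-desired query; 0x8180 marks a response, which the scanner skips.
def build_dns_message(name, flags: 0x0100, id: 0x1234)
  header = [id, flags, 1, 0, 0, 0].pack('n6')          # ID, flags, QD=1, AN, NS, AR
  qname = name.split('.').map { |label| [label.bytesize].pack('C') + label }.join + "\x00"
  header + qname + [1, 1].pack('n2')                    # QTYPE=A, QCLASS=IN
end

# Extract the queried name (QNAME) from a DNS query payload.
# Returns nil for responses, truncated data, or names using compression pointers,
# which a question section should never contain.
def dns_query_name(payload)
  bytes = payload.bytes
  return nil if bytes.length < 12
  return nil if (bytes[2] & 0x80) != 0                  # QR bit set: a response
  return nil if ((bytes[4] << 8) | bytes[5]).zero?      # QDCOUNT = 0: nothing to read
  pos = 12
  labels = []
  loop do
    len = bytes[pos]
    return nil if len.nil?                              # ran off the end of the payload
    break if len.zero?
    return nil if (len & 0xC0) != 0                     # compression pointer, not expected here
    pos += 1
    labels << bytes[pos, len].pack('C*')
    pos += len
  end
  labels.join('.')
end

# Walk DNS payloads, look each queried name up in a whois table and report the ones
# whose creation date falls in a priority level. whois_db stands in for the live whois
# lookup: a hash of domain => Date parsed from the "Created on" field.
def scan_dns_queries(payloads, whois_db, today = Date.today)
  payloads.each_with_object([]) do |payload, report|
    name = dns_query_name(payload)
    next if name.nil?
    created_on = whois_db[name]
    next if created_on.nil?                             # lookup failed or no creation date
    level = priority_level(created_on, today)
    report << { domain: name, created_on: created_on, level: level } if level
  end
end

# Constructed sample data: reserved .example names and made-up creation dates,
# with the capture dated to the day of the post.
CAPTURE_DATE = Date.new(2013, 5, 22)
WHOIS_CREATED_ON = {
  'fresh-xkq2.example' => Date.new(2013, 5, 20),   # 2 days old   -> level 1
  'older-site.example' => Date.new(2012, 12, 10),  # 163 days old -> level 3
  'wellknown.example'  => Date.new(2005, 3, 14),   # years old    -> not reported
}.freeze
SAMPLE_PAYLOADS = WHOIS_CREATED_ON.keys.map { |n| build_dns_message(n) } +
                  [build_dns_message('fresh-xkq2.example', flags: 0x8180), 'junk']

if __FILE__ == $0
  scan_dns_queries(SAMPLE_PAYLOADS, WHOIS_CREATED_ON, CAPTURE_DATE).each do |hit|
    puts "level #{hit[:level]}: #{hit[:domain]} (created #{hit[:created_on]})"
  end
end
```

The response message and the `'junk'` string in the sample set show the two things a scanner over real capture data has to tolerate: responses echo the question section, so without the QR check every lookup would be counted twice, and a truncated or non-DNS UDP payload must be dropped rather than crash the run. Grading against the capture date rather than `Date.today` keeps the levels stable when an old pcap is re-analysed later.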

A simple test from a lab environment is seen below, where two domains created this very week show up; that is what a suspicious domain looks like.

Of course, when we see the results it is quite easy to distinguish these two domain names from more common words, but the latter are often used as well, and this is at least one easy way to extract DNS queries and look for suspicious domain names. Running Snort a couple of days later on the same pcap file confirmed my findings; both domains alerted as "ET CNC Reported CnC Server IP".

I first saw this while analysing one of the many different malware samples shown in the "A botnets compromise" blog series, where the different samples changed domain name frequently.
