Abstract
In most cases, malware communicates with a Command and Control (C&C) server in order to download updates or additional modules, receive commands, exfiltrate data, etc. The DNS system plays an important role in C&C communication: In order to hide their C&C servers from detection, common modern malware families employ Domain-Generation Algorithms (DGA) rather than hard-coded addresses to find their C&C servers. Furthermore, some malware families provide a back-channel and exfiltrate data in specially crafted DNS requests, thereby abusing the fact that DNS traffic is often not firewalled.
Due to the importance of the DNS in malware’s C&C communication, recent malware detection systems try to detect malware based on anomalies in DNS request patterns. As one would expect, the suppliers of such detection systems claim that their solutions work as a catch-all for any malware that abuses the DNS system as part of its operation. But, prior to deploying any malware detector, one needs to test these claims by evaluating the effectiveness of the detector. Also, when a new malware variant is detected in the wild, it is important for security teams to verify that their deployed solutions can detect them.
One way of accomplishing the above tasks is to execute real malware samples and observe the results of the detector. However, this is infeasible in a production network, as there is always a risk of the malware causing damage. Furthermore, malware samples often do not execute on demand, and therefore testing may be difficult. In our contribution, we describe a tool and a framework for evaluating the effectiveness of DNS-based malware detectors using emulation. We propose the following approach: We emulate the DNS traffic patterns of a given malware family, inject it into a network, and observe whether the malware detector reports an infection. The injected traffic is completely benign and, therefore, testing poses no risk to the network. The generation of DNS traffic patterns is based on information published by various members of the security community. From malware analysis, typically, one or more of the following artifacts may be found for a given malware – a list of domains generated, a network packet capture (PCAP) of the malicious traffic, or a Domain Generation Algorithm (DGA) that is published by another researcher.
Our tool enables security professionals to utilize any of these three artifacts in an easy, quick, and configurable manner for generating DNS traffic patterns. The tool is implemented in Python and will be made available free of charge, and we are also exploring an open source license. Our presentation will demo an evaluation infrastructure, and discuss use cases in order to help the audience gain more confidence in their security deployments. The tool is built using a plugin-based architecture, and we will also discuss ways in which the audience may contribute new plugins to the tool.