Every day, security engineers work to find infected devices in their networks. But we don't only want to detect infected devices; we also want to prevent callback connections to Command and Control (C&C) servers. It is essential to stop these connections so that compromised devices do not receive instructions from the botnet.

How can we do that?

In the Advanced Persistent Threat (APT) malware war, some manufacturers are creating new systems to fight APTs. Today we are going to talk about the DNS Firewall from Infoblox.

Who are Infoblox?

Infoblox is the DNS, DHCP and IPAM (DDI) market leader. Infoblox appliances are based on BIND DNS.

"Infoblox delivers essential technology to help customers control their networks. Their patented Grid™ technology helps businesses automate complex network control functions to reduce costs and increase security and uptime. Infoblox solutions help over 6,300 enterprises and service providers in 25 countries make their networks more available, secure and automated."

The idea

Since network firewalls blacklist at the IP address level, malware changes its IP addresses hourly using techniques such as "fast flux".

Also, since web filters work on the exact URL only, malware circumvents them by changing URLs flexibly within a domain.

The idea of Infoblox is to stop or redirect the callback connections when an infected computer makes a DNS request for a known C&C server domain.

Infoblox maintains lists (updated frequently) with many records of DNS domains that are working for botnets.

These are the available Malware Data Feeds for the DNS Firewall from Infoblox:

Infoblox advises creating either one "view" with all data feeds, or a maximum of three views with three data feeds. The latter option could have a direct impact on appliance performance.

What actions can we take when a domain name related to botnet C&C servers is requested?
  1. Infoblox can pass the request and log it.
  2. We can block the request, denying the reply to the malicious domain request.
  3. We can redirect the request to our own server.

In my opinion, option 3 is the best. If the sessions are redirected to our own landing page, we can see in our web server logs who is infected. Maybe you are thinking: "Well... if we have the Infoblox logs, why would I want to redirect the sessions to our own web server and look in the web server logs?"

Imagine that the Windows computers in your network, or in a remote office, are configured to use their Active Directory server as their DNS server, and that this Active Directory server forwards its DNS queries to Infoblox. What happens in this case?
  1. An infected computer wants to make a callback connection to the C&C.
  2. The infected computer requests the C&C domain from its Active Directory DNS server.
  3. Active Directory does not have this domain in cache and requests the C&C domain name from Infoblox.
  4. Infoblox detects that this domain is categorized as a malicious host and redirects the response to the IP of our own server...
  5. Then we can see in the web server logs the connections from the infected PC.

What happens if we had blocked the malicious domain name instead?

If we had blocked this domain and logged to our syslog, we could only see the request from our Active Directory server, and we could not trace the actual compromised computer.
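Step 5 above is where the real value of the redirect option appears: the sinkhole web server sees the client's own source IP, not the Active Directory server's. The following is an added example (Python, not Infoblox's code or a tool from the original post) that mines a sinkhole web server log for infected clients, keyed by the Host header they tried to reach; the log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines from the sinkhole web server. Assumed (hypothetical)
# access log format: "%h %t \"%r\" %>s \"%{Host}i\"". The Host header is the
# C&C domain the client resolved; RPZ redirected its address to the sinkhole.
SAMPLE_LOG = """\
10.1.20.37 [12/Mar/2013:10:02:11 +0100] "GET /gate.php HTTP/1.1" 200 "evil-cnc.example"
10.1.20.37 [12/Mar/2013:10:02:41 +0100] "GET /gate.php HTTP/1.1" 200 "evil-cnc.example"
10.1.21.88 [12/Mar/2013:10:03:05 +0100] "POST /upload HTTP/1.1" 200 "bot-panel.example"
10.1.20.37 [12/Mar/2013:10:04:00 +0100] "GET /cfg.bin HTTP/1.1" 200 "bot-panel.example"
10.1.30.5 [12/Mar/2013:10:05:13 +0100] "GET /favicon.ico HTTP/1.1" 404 "sinkhole.corp.example"
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<host>[^"]*)"$'
)


def parse_sinkhole_log(text, sinkhole_hosts=frozenset()):
    """Return {client_ip: {requested_domain: hit_count}} for every request
    that reached the sinkhole through an RPZ redirect.

    Requests whose Host header is the sinkhole's own name (an admin browsing
    to it directly, for instance) are not evidence of infection and are skipped.
    """
    infected = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        host = m.group("host").lower().rstrip(".")
        if not host or host in sinkhole_hosts:
            continue
        infected[m.group("ip")][host] += 1
    return {ip: dict(domains) for ip, domains in infected.items()}


def report(infected):
    """One line per infected client, most active client first."""
    lines = []
    for ip, domains in sorted(infected.items(), key=lambda kv: -sum(kv[1].values())):
        detail = ", ".join(f"{d} x{n}" for d, n in sorted(domains.items()))
        lines.append(f"{ip}: {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_sinkhole_log(SAMPLE_LOG, {"sinkhole.corp.example"}))))
```

Because the clients talk to the sinkhole directly over HTTP, the source address in this log is the infected PC itself, which is exactly what the DNS log cannot show when an Active Directory server sits in between.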

In the next post, we will talk about our experience in a production environment.

Until then, here is some more information.

Click on the picture to download the whitepaper PDF.

Official link

You can watch the following video to gather more information.