URL Analysis & DNS in Malware

  • Web presence and URLs are everywhere

  • Malware relies on URLs for C2 traffic

  • Domain-Generation Algorithms (DGA) Mitigation

    • Randomly or algorithmically generated malware Internet domains

    • Registered with dynamic DNS servers

    • “One-Time Domains”

    • Malware code and attacker C2 station run the same DGA algorithm

    • Malware communication takes place over these randomly generated domain names

    • Domain can change on each communication attempt

    • “Fast Flux Network” – network that frequently changes the IP addresses its domain names resolve to

    • Undetectable using static domain blocklists

    • Mitigations
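Because the malware and the C2 station cycle through fresh, random-looking names, a static blocklist never catches up; what a defender can do instead is look at the DNS queries themselves. The following is an added example, not part of the original notes: it runs a simple lexical heuristic (label length, vowel ratio, character entropy) over a constructed DNS query log and counts how many suspicious lookups each client made. The log format, the thresholds and the naive second-level-label extraction are all assumptions chosen for the illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (hypothetical format: "<timestamp> <client-ip> <queried-name>")
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.5 xk3q9zv7wplm2b.net
2024-01-01T10:00:03 10.0.0.7 mail.example.org
2024-01-01T10:00:04 10.0.0.5 p0q4d8z2ncvt1kj5.info
2024-01-01T10:00:05 10.0.0.9 cdn.assets.example.com
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; a random-looking label scores high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Label directly under the TLD (assumption: ignores multi-part public suffixes such as co.uk)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_len=10, max_vowel_ratio=0.2, min_entropy=3.0):
    """Heuristic: long, vowel-poor, high-entropy labels resemble DGA output.
    Thresholds are illustrative assumptions, not tuned values."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio < max_vowel_ratio and shannon_entropy(label) >= min_entropy


def parse_dns_log(log_text):
    """Yield (client_ip, qname) pairs from the constructed log format."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield fields[1], fields[2]


def find_dga_like(log_text):
    """Return the queried names whose second-level label looks generated."""
    return [qname for _, qname in parse_dns_log(log_text)
            if looks_generated(second_level_label(qname))]


def suspicious_by_client(log_text):
    """Count suspicious lookups per client: one host cycling through many
    generated names is the pattern DGA-based C2 beaconing produces."""
    counts = Counter()
    for client, qname in parse_dns_log(log_text):
        if looks_generated(second_level_label(qname)):
            counts[client] += 1
    return counts


if __name__ == "__main__":
    for qname in find_dga_like(SAMPLE_DNS_LOG):
        print("DGA-like:", qname)
    print(dict(suspicious_by_client(SAMPLE_DNS_LOG)))
```

The per-client count matters more than any single hit: a legitimate host may query one odd-looking CDN name, but a host that resolves a new high-entropy name every few seconds (and gets NXDOMAIN for most of them) is the signature worth alerting on.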

  • URL Analysis

    • URL components:

      • Domain

      • Resource path

      • Resource information

    • Sandbox URL analysis may include:

      • Resolving percent encoding

      • Checking for redirects

      • Assembling any scripts embedded in the URL and checking their code

      • Reputation check

      • DNS TTL (time to live)

      • This happens before you even access the URL

  • The HTTP Protocol

    • Client-server

    • TCP 80 (HTTP) and 443 (HTTPS) by default, but any port can be used

    • Request based: HTTP method, resource (URL), headers, body

    • Common methods:

      • GET: retrieve a resource

      • PUT: create or replace a resource

      • POST: send data to the server

      • HEAD: like GET, but returns only the headers

      • DELETE: delete a resource

    • Server responses have codes and belong to these categories:

      • 2xx: something was successful

      • 3xx: redirects, server sends you somewhere else

      • 4xx: it’s your fault (client error)

        • 401 bad auth, 403 insufficient permissions, 404 non-existent resource

      • 5xx: server error
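To make the request/response structure above concrete, here is an added example (not from the original notes) that parses a raw HTTP/1.1 request and response into method, target, headers and body, classifies the status code into the categories listed, pulls the redirect target out of a 3xx response, and flags a Content-Length that does not match the body actually received. The two sample messages are constructed for the illustration.

```python
# Constructed sample request (a POST carrying a small form body)
SAMPLE_REQUEST = (
    "POST /api/upload HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 9\r\n"
    "\r\n"
    "name=demo"
)

# Constructed sample response (a redirect, as a sandbox would see when following a URL)
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.com/login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

STATUS_CLASSES = {2: "success", 3: "redirect", 4: "client error", 5: "server error"}


def status_class(code):
    """Map a status code to the category its first digit denotes."""
    return STATUS_CLASSES.get(code // 100, "other")


def _split_message(raw):
    """Split a raw HTTP message into its start line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def _length_mismatch(headers, body):
    """True when a declared Content-Length disagrees with the body received;
    a parser that trusts the header blindly can be desynchronised."""
    declared = headers.get("content-length")
    return declared is not None and int(declared) != len(body.encode())


def parse_request(raw):
    """Parse method, resource target, version, headers and body from a raw request."""
    start, headers, body = _split_message(raw)
    method, target, version = start.split(" ")
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "body": body,
        "length_mismatch": _length_mismatch(headers, body),
    }


def parse_response(raw):
    """Parse status, its class, headers, body and any redirect target from a raw response."""
    start, headers, body = _split_message(raw)
    version, code, _reason = start.split(" ", 2)
    code = int(code)
    return {
        "version": version,
        "status": code,
        "class": status_class(code),
        "redirect_to": headers.get("location") if code // 100 == 3 else None,
        "headers": headers,
        "body": body,
        "length_mismatch": _length_mismatch(headers, body),
    }


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
```

When a sandbox is "checking for redirects", this is the information it records: the 3xx class plus the Location header, which is then fed back into the URL analysis before anything is fetched.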

  • Percent Encoding

    • Method for users to submit any data (including binary) as part of a URL

    • URL obfuscation

    • Script embedding

    • Decoding exploits

    • Can be recursive
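The URL Analysis and Percent Encoding sections above describe the same pre-fetch steps: split the URL into domain, resource path and resource information, resolve percent encoding (which may be nested), and inspect the decoded result for embedded script. The following added example, not part of the original notes, does exactly that with the standard library; the script marker list, the decoding bound and the two sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote, parse_qsl

# Constructed marker strings; a real analyser would use a proper HTML/JS tokenizer
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=")

# Constructed sample URLs: one doubly percent-encoded, one benign
DOUBLE_ENCODED_URL = "http://example.com/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"
BENIGN_URL = "https://www.example.org/docs/getting%20started?page=2"


def decode_fully(text, max_rounds=5):
    """Percent-decode repeatedly until the text stops changing.
    Returns (decoded_text, rounds_applied). The bound keeps a pathological
    input from looping indefinitely; more than one round is itself a signal."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
        rounds += 1
    return text, rounds


def analyze_url(url):
    """Break a URL into the components the notes list and inspect the decoded form."""
    parts = urlsplit(url)
    path, path_rounds = decode_fully(parts.path)
    query, query_rounds = decode_fully(parts.query)
    decoded_lower = (path + "?" + query).lower()
    return {
        "domain": parts.hostname,
        "resource_path": path,
        # resource information: the query parameters as (name, value) pairs
        "resource_info": parse_qsl(query, keep_blank_values=True),
        "decode_rounds": max(path_rounds, query_rounds),
        "embedded_script": any(marker in decoded_lower for marker in SCRIPT_MARKERS),
    }


if __name__ == "__main__":
    for url in (DOUBLE_ENCODED_URL, BENIGN_URL):
        print(url)
        print("  ->", analyze_url(url))
```

Note that a single `unquote` pass turns `%253C` into `%3C`, not `<`; only the second round exposes the script tag. A filter that decodes once and then matches on `<script` misses it, which is what "can be recursive" means in practice.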
