URL Analysis & DNS in Malware

Web presence and URLs are everywhere

Malware relies on URLs for C2 traffic

Domain-Generation Algorithms (DGA) Mitigation

• Randomly or algorithm based generated malware Internet domians

• Registered with dynamic DNS servers

• “One-Time Domains”

• Malware code and attacker C2 station run the same DGA algorithm

• Malware communication takes place over these randomly generated domain names

• Domain can change on each communication attempt

• “Fast Flux Network” – network that frequently changes IP addressing scheme

• Undetectable using static domain blocklists

• Mitigations

  • “Bad” algorithms

  • Domain registration might not sync so quickly so you see a lot of NXDOMAIN errors

  • Blacklisting (dynamic DNS) domains with a bad reputation

  • Whitelisting allowed domains – Cisco Umbrella 1 Million

  • DNS Reputation

URL Analysis

• URL components:

  • Domain

  • Resource path

  • Resource information

• Sandbox URL analysis may include:

  • Resolving percent encoding

  • Checking for redirects

  • Assembling any scripts embedded in the URL and checking their code

  • Reputation check

  • DNS TTL (time to live)

  • This happens before you even access the URL

The HTTP Protocol

• Client-server

• TCP 80 and 443, but it can be any number

• Request based: HTTP method, resource (URL), headers, body

• Common methods:

  • GET: request

  • PUT: create or replace

  • POST: send data

  • HEAD: just the header

  • DELETE: deletes

• Server responses have codes and belong to these categories:

  • 2xx: something was successful

  • 3xx: redirects, server sends you somewhere else

  • 4xx: it’s your fault (client error)

    • 401 bad auth, 403 insufficient permissions, 404 non-existent resource\

  • 5xx: server error

Percent Encoding

• Method for users to submit any data (including binary) as part of an URL

• URL obfuscation

• Script embedding

• Decoding exploits

• Can be recursive