Characterization of Covert Channels in DNS
Hamad Binsalleeh †‡, A. Mert Kara †‡, Amr Youssef ‡, and Mourad Debbabi †‡
† National Cyber Forensics and Training Alliance Canada
‡ Computer Security Laboratory, Concordia University, Montreal, Canada
{h binsal, ab kara, youssef, debbabi}@ciise.concordia.ca
Abstract—Malware families utilize different protocols to establish their covert communication networks. It is also the case that they sometimes utilize protocols which are least expected to be used for transferring data, e.g., the Domain Name System (DNS). Even though the DNS protocol is designed to be a translation service between domain names and IP addresses, it leaves some open doors for establishing covert channels in DNS, which is widely known as DNS tunneling. In this paper, we characterize the malicious payload distribution channels in DNS. Our proposed solution characterizes these channels based on the DNS query and response message patterns. We performed an extensive analysis of malware datasets covering one year. Our experiments indicate that our system can successfully determine different patterns in the DNS traffic of malware families.
Keywords—DNS Tunneling, Payload Distribution, Malware
I. INTRODUCTION
Attackers are known to use different protocols to hide their activities under the radar by tunneling the communication through existing protocols. Such tunneling can effectively defeat traditional firewalls and intrusion detection systems (IDSs). Initially, attackers started exploiting Internet Relay Chat (IRC) channels to operate and control their activities [8]. Then, they took advantage of newer protocols (e.g., instant messaging, P2P, HTTP), which largely supplanted the use of IRC channels [3]. HTTP and P2P protocols are also abused by malicious activities such as Zeus [5] (HTTP-based) and Storm [12] (P2P-based). Recently, DNS has come into play for such abuse due to its wide availability. DNS is a query and response protocol, which responds to each query with the corresponding pre-defined resource record. Architectural flaws in the DNS protocol attract botnets to abuse the system for different malicious activities [4], [9], [10], [11].
In 2004, Dan Kaminsky [13] demonstrated the feasibility of bypassing restricted networks that allow all DNS traffic, such as commercial WiFi hotspots. In this context, DNS is used as a carrier for other protocols by embedding outbound and inbound traffic into query and response messages, respectively. Since then, DNS tunneling has been used to design several application tools [14], which operate covert channels through the public DNS infrastructure. Moreover, these tunnels can be established by using free DNS providers, which are already known to be abused for different types of malicious activities [2]. At RSA 2012, Skoudis [20] mentioned an information theft case carried out by a malware family using the DNS protocol to exfiltrate information. For instance, botmasters use DNS query and response packets to carry malicious instructions and payload updates to individual bots. Recently, a few malware families such as Morto [15], Katusha [3], and Feederbot [11] have been identified using the DNS protocol to hide their communications.
Due to the inherent nature of DNS, the protocol is quite inefficient as a payload distribution channel compared to other often used protocols. However, DNS infrastructures are still abused by botnet families. Such examples indicate that attackers are willing to exploit DNS as an attack channel due to its wide availability. Past work on DNS abuse [11] has mainly focused on specific botnets, and the topic has not been studied as comprehensively as, e.g., P2P botnets [12].
Malicious networks abuse the DNS protocol to distribute attack payloads with different behaviors. For instance, Morto uses DNS queries to transfer only a single attack payload [15]. However, Feederbot [11] exchanges many parts of the attack payload information with the infected machine. In this paper, we characterize the malware families that use the DNS protocol to transfer malicious payloads. The proposed method determines and distinguishes between different query and response patterns. It takes a set of DNS query and response messages for a specific domain name, and then determines the DNS traffic exchange pattern. We use our method to highlight the fundamental characteristics of a payload distribution channel. For the evaluation of our method, we utilize extensive malware dynamic-analysis reports, which contain detailed behavioral actions conducted by malware samples, including network communications. The main contributions of this paper can be summarized as follows:
• We introduce a technique to determine channel patterns and discuss the effectiveness of each pattern in distributing payload over DNS. We found that most of the malware instances use a specific pattern that can blend in with the daily network traffic.
• Evaluation of the proposed method with a 1-year malware dataset covering Jan.-Dec. 2012.
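To make concrete how query/response shape can separate the single-payload behavior attributed to Morto from the multi-part exchange attributed to Feederbot, here is an added illustration (not the paper's system, and not code from any of the cited projects) that groups constructed DNS records per zone and labels the exchange pattern. The record layout, the three-label zone boundary, and the thresholds are assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query/response summaries: (qname, qtype, answer_bytes).
# These are made-up records for illustration, not data from the paper.
RECORDS = [
    ("www.corp.example.test", "A", 4),
    ("mail.corp.example.test", "A", 4),
    ("www.corp.example.test", "A", 4),
    # One fixed name fetched repeatedly, large TXT answer each time (single payload)
    ("update.payload.example.test", "TXT", 240),
    ("update.payload.example.test", "TXT", 240),
    ("update.payload.example.test", "TXT", 240),
    # Many distinct high-entropy labels: data encoded outbound in the name,
    # inbound in the TXT answer (multi-part exchange)
    ("x7q2zk9p.chunks.example.test", "TXT", 180),
    ("m3vb8rtw.chunks.example.test", "TXT", 180),
    ("qp0l5n2d.chunks.example.test", "TXT", 180),
    ("z9yw4jhc.chunks.example.test", "TXT", 180),
]

def zone(qname, labels=3):
    """Group by the last `labels` labels (assumed zone boundary for this sample)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def shannon_entropy(s):
    """Bits of entropy per character of a label; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def characterize(records, labels=3):
    """Summarize query/response shape per zone and label the exchange pattern."""
    groups = defaultdict(list)
    for qname, qtype, ans in records:
        groups[zone(qname, labels)].append((qname, qtype, ans))
    out = {}
    for z, rows in groups.items():
        names = {q for q, _, _ in rows}
        txt_ratio = sum(t == "TXT" for _, t, _ in rows) / len(rows)
        entropy = sum(shannon_entropy(q.split(".")[0]) for q in names) / len(names)
        inbound = sum(a for _, _, a in rows)
        # Assumed thresholds: TXT-heavy zones carry data inbound; many distinct
        # high-entropy labels indicate data is also carried outbound in the qname.
        if txt_ratio < 0.5:
            pattern = "lookup"
        elif len(names) == 1:
            pattern = "single-payload"
        elif entropy > 2.5:
            pattern = "multi-part"
        else:
            pattern = "txt-heavy"
        out[z] = {"queries": len(rows), "unique_names": len(names),
                  "txt_ratio": txt_ratio, "inbound_bytes": inbound, "pattern": pattern}
    return out
```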
The rest of the paper is organized as follows. Related work is reviewed in Section II. Our system is described in Section III. Section IV demonstrates the effectiveness of our proposed approach via an experiment on a 1-year malware dataset. We give discussions and limitations of our work in Section V, and Section VI provides the concluding remarks.
II. RELATED WORK
The use of DNS as a communication medium for payload distribution is relatively new, and research activities on this topic are limited. Although these studies are scattered, they can be roughly grouped under three categories: feasibility of using DNS in malicious activities, detection of malicious channels in the DNS protocol, and detection of DNS tunnels.
Feasibility of using DNS for Malicious Activities: Xu et al. [23]
introduce a resilient mechanism for bots to create covert chan-
978-1-4799-3223-8/14/$31.00 ©2014 IEEE