Finding malicious usage via Capture, Storage, Analysis and Visualization of DNS packets

Date

2019-05-01

Abstract

The first step in accessing any resource over the internet is to find the IP address of the hosting server that corresponds to its easy-to-remember domain name. For this purpose, the Domain Name System (DNS) was introduced in 1985. We can think of DNS as the phone-book directory of the internet. DNS is fundamental to the proper functioning of the modern internet; without it, navigating the internet would be very difficult, if not impossible. However, like any tool, it is used for both benign and malicious purposes. Malicious programs use algorithmically generated domains to rendezvous with their command and control servers and receive tasks to perform. DNS has also been used as a covert channel for data exfiltration. Analysis of DNS logs can reveal suspicious domains queried by infected hosts and thus can help prevent and reduce security incidents in a network. Because of its high volume and distributed nature, capturing, logging and analyzing DNS data is non-trivial. In this thesis, we provide a framework for capturing, logging, aggregating and analyzing DNS data, and we show the results of applying our methods to a university-wide DNS server. We were able to find hosts making Web Proxy Auto-Discovery (WPAD) queries; WPAD lets hosts automatically find and use web proxy servers available in a network, but it also exposes those hosts to Man-in-the-Middle (MITM) attacks by rogue hosts connected to the same network. The framework also helped us quickly detect and find all hosts in our network that were infected by the backdoor placed in CCleaner, a very popular utility for maintaining Microsoft Windows systems. Investigation of suspicious domains reveals hosts that we believe are running Potentially Unwanted Programs (PUP).

Keywords

Domain Name System, Network Security, Network Log Analysis

Graduation Month

May

Degree

Master of Science

Department

Department of Computer Science

Major Professor

Eugene Vasserman

Date

2019

Type

Thesis
