Got malware? How do you know?

More and more malware uses DNS not only to reach its command-and-control servers but also as a data exfiltration channel, so that valuable and sensitive data “leaks” out of your organisation inside ordinary-looking DNS queries.

DNS is normally left far less restricted than other protocols because so many applications and servers depend on it. Through DNS forwarding, internal DNS servers can usually resolve Internet names, either directly or via DNS servers located in a corporate DMZ.

Malware can piggy-back on this path: it encodes sensitive corporate data into the names it looks up, and those queries are forwarded out to the Internet just like any other DNS lookup. To a next-generation firewall looking for suspicious activity they are simply DNS queries on port 53; a dedicated DNS firewall, which inspects the queries themselves, can detect and block this traffic.
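As an added illustration (not Calleva Networks' or Infoblox's code, and not the rule set a DNS firewall product actually uses), the following Python script shows the kind of signals in a capture of outbound queries that give DNS exfiltration away. It builds a handful of constructed DNS query messages, some of which are ordinary corporate lookups and the rest of which carry hex-encoded chunks of a made-up CSV file in their leftmost labels, then flags apex domains whose subdomains are unusually long, high-entropy, or never repeated. The thresholds, the sample traffic and the two-label definition of “apex domain” are assumptions made for the example; pulling the UDP/53 payloads out of a real pcap is left to a library such as scapy.

```python
"""Spot DNS-tunnelling-style query names in raw DNS messages.

Added example for this article, not Calleva Networks' or Infoblox's code,
and not the rule set a DNS firewall product uses. Thresholds, the sample
traffic and the two-label notion of "apex domain" are assumptions made
here for illustration.
"""
import math
import struct
from collections import defaultdict

# Illustrative thresholds (assumptions, not vendor defaults).
MAX_LABEL_LEN = 40          # ordinary hostnames rarely approach the 63-byte label limit
MIN_ENTROPY = 3.5           # bits/char: English words ~3, hex ~4, base32 ~5
MIN_UNIQUE_SUBDOMAINS = 5   # many never-repeated names under one apex = tunnel-style churn


def build_query(name: str, txid: int = 0x1234, qtype: int = 16) -> bytes:
    """Encode a minimal DNS query (header + one question) as carried in a
    UDP/53 datagram. Used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE TXT, QCLASS IN


def parse_qname(message: bytes) -> str:
    """Walk the length-prefixed labels of the first question in a DNS message."""
    pos, labels = 12, []
    while message[pos] != 0:
        length = message[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded data scores higher than human-chosen names."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(messages):
    """Group queries by apex domain and return, per apex, the query count,
    the number of distinct subdomains and the reasons (if any) it looks suspicious."""
    per_apex = defaultdict(lambda: {"queries": 0, "subdomains": set(), "reasons": set()})
    for message in messages:
        labels = parse_qname(message).split(".")
        apex, sub_labels = ".".join(labels[-2:]), labels[:-2]  # assumption: no public-suffix handling
        entry = per_apex[apex]
        entry["queries"] += 1
        entry["subdomains"].add(".".join(sub_labels))
        if any(len(label) > MAX_LABEL_LEN for label in sub_labels):
            entry["reasons"].add("long label")
        if sub_labels and shannon_entropy("".join(sub_labels)) > MIN_ENTROPY:
            entry["reasons"].add("high entropy")
    report = {}
    for apex, entry in per_apex.items():
        if len(entry["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS:
            entry["reasons"].add("subdomain churn")
        report[apex] = {"queries": entry["queries"],
                        "unique": len(entry["subdomains"]),
                        "reasons": sorted(entry["reasons"])}
    return report


# Constructed sample traffic: ordinary corporate lookups plus a made-up CSV
# file "exfiltrated" as hex chunks in the leftmost labels under one apex.
SECRET = (b"customer,card_last4,limit\n"
          b"A. Smith,4242,15000\n"
          b"B. Jones,0005,22000\n"
          b"C. Patel,1111,9000\n"
          b"D. Lee,9424,31000\n"
          b"E. Okafor,7788,12500\n")
NORMAL_NAMES = ["www.example.com", "mail.example.com", "api.example.com",
                "www.example.com", "ns1.example.net"]
EXFIL_NAMES = [f"{SECRET[i:i + 24].hex()}.{seq}.exfil-example.test"
               for seq, i in enumerate(range(0, len(SECRET), 24))]
SAMPLE_MESSAGES = [build_query(n) for n in NORMAL_NAMES + EXFIL_NAMES]

if __name__ == "__main__":
    for apex, info in analyse(SAMPLE_MESSAGES).items():
        flag = "SUSPECT" if info["reasons"] else "ok"
        print(f"{flag:7} {apex:22} queries={info['queries']} unique={info['unique']} {info['reasons']}")
```

Each of the three signals has benign look-alikes (CDN and anti-spam lookups are also high-entropy and churn heavily), which is why a real DNS firewall combines them with reputation data rather than relying on any single threshold.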

DNS firewalls are still a relatively new proposition, and convincing organisations to deploy one can be a challenge. That’s why we are offering a free DNS malware assessment.

Free malware check

If you can take a packet capture of your outbound DNS queries, send it to Calleva Networks and we will check the traffic for suspicious activity by running it through an Infoblox DNS firewall.

To take advantage of this service, simply take three traffic captures of 30 minutes each, starting at the following times of day:

  • Between 09:00-10:00
  • Between 12:00-13:00
  • Between 16:00-17:00

If you are using Wireshark, set a capture filter (not a display filter) of “port 53”, since we only need to see DNS traffic, and select the interface that is receiving the queries. When saving, choose the classic .pcap format rather than Wireshark’s default pcapng.

If you are using tcpdump, use the following command or a variant of it (options first, then the filter expression, which some tcpdump builds insist on):

tcpdump -s 0 -w dns_capture.pcap port 53

You may need the “-i” option to select the correct interface if your server has multiple NICs; choose the one that is receiving the queries from the clients. Use a different filename for each of the three captures, and stop each capture (Ctrl-C) after 30 minutes.
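The whole capture procedure above (three 30-minute windows, port 53 only, full packets, a distinct file per window) can be automated so nobody has to watch a clock. The script below is an added example, not a script from Calleva Networks; the interface name is an assumption and the filenames are a suggestion. It must run with enough privilege to sniff (root or CAP_NET_RAW) on the DNS server or a mirror port that sees the client queries, and it uses tcpdump’s -G/-W options to make each capture stop by itself after 30 minutes.

```python
"""Run the three 30-minute DNS captures for the assessment, one per window.

Added example, not a script from Calleva Networks; the interface name is an
assumption and the output filenames are a suggestion.
"""
import datetime as dt
import subprocess
import time

INTERFACE = "eth0"                      # assumption: the NIC that receives client queries
WINDOWS = ["09:00", "12:00", "16:00"]   # start of each capture window
DURATION = 30 * 60                      # seconds per capture


def tcpdump_argv(interface: str, outfile: str, seconds: int) -> list:
    """tcpdump command line with options first and the BPF filter last.
    -G/-W make tcpdump exit on its own after `seconds`; -s 0 keeps full
    packets (the default on modern tcpdump, harmless on older versions)."""
    return ["tcpdump", "-i", interface, "-s", "0",
            "-G", str(seconds), "-W", "1", "-w", outfile, "port", "53"]


def seconds_until(hhmm: str, now: dt.datetime) -> float:
    """Seconds from `now` until the next occurrence of HH:MM (today or tomorrow)."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if target < now:
        target += dt.timedelta(days=1)
    return (target - now).total_seconds()


def outfile_for(hhmm: str, day: dt.date) -> str:
    """Distinct filename per capture, e.g. dns_capture_20240506_0900.pcap."""
    return f"dns_capture_{day:%Y%m%d}_{hhmm.replace(':', '')}.pcap"


def main():
    # Take the windows in order of how soon they come up, so a script started
    # mid-morning does the 12:00 and 16:00 captures today and 09:00 tomorrow.
    now = dt.datetime.now()
    for hhmm in sorted(WINDOWS, key=lambda w: seconds_until(w, now)):
        time.sleep(seconds_until(hhmm, dt.datetime.now()))
        outfile = outfile_for(hhmm, dt.date.today())
        print(f"capturing {DURATION // 60} min of DNS on {INTERFACE} -> {outfile}")
        subprocess.run(tcpdump_argv(INTERFACE, outfile, DURATION), check=True)


if __name__ == "__main__":
    main()
```

Because the BPF filter is “port 53”, the files contain only DNS, but that still includes every internal hostname your clients looked up, which is why the page asks you to encrypt the archive before sending it.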

Once you have the three pcap files, zip them up and email them to hello@callevanetworks.com, including your contact details so we can get back to you. Feel free to password-protect the zip file, or use an archiving tool that includes encryption, if you are worried about security; we will call you to ask for the password. If the zip file is too big to email, you can upload it to our FTP/FTPS server – contact us for details.

Here is a sample report generated by the Infoblox DNS Firewall.

If you need to contact us first, email hello@callevanetworks.com.