DNS whitelisting in NetworkMiner

One of the new features in NetworkMiner Professional 1.5 is the ability to check if domain names in DNS requests/responses are "normal" or malicious ones. This lookup is performed offline using a local copy of Alexa's top 1 million domain name list.
We got the idea for this feature via Jarno Niemelä's great presentation titled "Making Life Difficult for Malware". Despite working for F-Secure, Jarno presents several smart ideas for avoiding malware infections without having to install an AV product.
One of Jarno's slides contains the following suggestions:
Block Traffic To Sites Your Users Don't Go To
- Block subdomain hosting TLDs
  - co.cc, co.tv, ce.ms, rr.nu, cu.cc, cz.cc, vv.cc, cw.cm, cx.cc, etc
- Block domains that provide dynamic DNS
  - *dyndns*, *no-ip*, 8866.org, thescx.info, 3322.org, sock8.com
- Block file sharing sites, some malware use them
  - fileleave.com, dropbox.com, rapidshare.com, megafiles.com
- For strict policy, allow DNS resolving only to Alexa top 1M[1]
  - Tip: Instead of null routing domains set up landing page
  - Either with a link that allows domain or IT ticket
Preventing users from visiting sites outside of the top 1 million websites (according to Alexa) sounds a bit harsh. In fact, we at Netresec just recently made it into the top 1M list (the current rank for netresec.com is 726 922). There are also many good and legit sites that are not yet on this list. Our idea is, however, to give analysts a heads up on queried DNS names that are not on the top 1M list by displaying this information in NetworkMiner's DNS tab.

The screenshot above contains a lookup for the domain "office.windowupdate.com" (note the missing "s" in "windows"). This domain name was previously used by the C2 protocol Lurk (see Command Five's report "Command and Control in the Fifth Domain" for more details). The "Alexa Top 1M" column in NetworkMiner's DNS tab indicates whether or not the domain name is a well known domain. The malicious "office.windowupdate.com" is marked with "No", while the proper "www.update.microsoft.com" is indeed on the list. It is, however, important to note that only the second-level domain is checked by NetworkMiner; i.e. in this case "windowupdate.com" and "microsoft.com".
The DNS whitelisting technique can also come in handy when dealing with malware that employs domain generation algorithms (DGAs) (see the Damballa blog for additional info regarding DGAs). It is probably safe to say that these auto-generated domains should never show up in the Alexa Top 1M list.
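The lookup described above, written out as an added Python example (not NetworkMiner's own code): each queried name is reduced to its second-level domain and looked up in a local copy of the list in Alexa's "rank,domain" CSV format. The list excerpt and the DGA-looking query name are constructed for the example; the netresec.com rank is the one quoted in the post.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed excerpt in the Alexa top-1M CSV layout ("rank,domain"); not the real file.
TOP1M_CSV = """1,google.com
2,facebook.com
45,microsoft.com
726922,netresec.com
"""


def load_top_domains(csv_text: str) -> Dict[str, int]:
    """Parse 'rank,domain' lines into a domain -> rank map (lower-cased keys)."""
    ranks: Dict[str, int] = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or "," not in line:
            continue  # skip blank or malformed lines rather than aborting the load
        rank, domain = line.split(",", 1)
        ranks[domain.strip().lower()] = int(rank)
    return ranks


def second_level_domain(name: str) -> str:
    """Keep only the last two labels, as NetworkMiner does ('www.update.microsoft.com' -> 'microsoft.com').
    A trailing dot (fully qualified form) and upper-case labels are normalised first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return ".".join(labels[-2:])


def alexa_rank(name: str, ranks: Dict[str, int]) -> Optional[int]:
    """Rank of the query's second-level domain, or None when it is not on the list."""
    return ranks.get(second_level_domain(name))


def flag_dns_queries(names: Iterable[str], ranks: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Build rows like the DNS tab: (queried name, second-level domain, 'Yes'/'No' for Alexa Top 1M)."""
    rows = []
    for n in names:
        sld = second_level_domain(n)
        rows.append((n, sld, "Yes" if sld in ranks else "No"))
    return rows


if __name__ == "__main__":
    ranks = load_top_domains(TOP1M_CSV)
    # "xkqjwpfbzt.info" is a constructed DGA-style name, not a real indicator.
    queries = ["office.windowupdate.com", "www.update.microsoft.com.", "xkqjwpfbzt.info"]
    for name, sld, on_list in flag_dns_queries(queries, ranks):
        print(f"{name:28} {sld:20} Alexa Top 1M: {on_list}")
```

Because only the second-level domain is compared, a name hosted under a listed domain inherits that domain's "Yes"; the subdomain-hosting and dynamic-DNS providers from Jarno's slide are worth handling separately for that reason.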
Posted by Erik Hjelmvik on Wednesday, 02 October 2013 22:30:00 (UTC/GMT)
Tags: #Netresec #DNS #domain #DGA #malware #Alexa