Command and Control via DNS, without being obvious

There’s plenty of ways to make a Command and Control, the whole purpose is to reliably communicate with your zombies in a way others…

Command and Control via DNS, without being obvious
Photo by Thomas Jensen on Unsplash

There’s plenty of ways to make a Command and Control, the whole purpose is to reliably communicate with your zombies in a way others wouldn’t notice… there’s lots of ways to do that. Unfortunately, some people choose to do CnC via URLs and domain names using pseudo random strings… that, to me, is inefficient. Why not hide information in the noise?

I was playing GTA V when I stated thinking about ways to have a CnC communicate in a way that it looks like regular traffic. One way I thought of is to communicate by having a DNS server communicate, but to do so by making it look like it’s just a regular DNS.

Let’s say we want to communicate with a bunch of nodes, but let’s make it easier on the programmer, they’d probably want ASCII characters to map actions. Let’s say there’s a bunch of simple things I need the malware to do:

  • Shutdown
  • Reboot
  • Update
  • Exfiltrate data
  • DDoS an IP

Those are pretty simple things. How can I communicate those actions to my zombies? Most organizations don’t check to make sure DNS is only going to certain IPs, but let’s assume they all check DNS for strange traffic (e.g. pseudo random stings). Let’s avoid this.

With this method you don’t need any special software developed, you can use a plain old BIND server to be your CnC. You’d do this by giving out IP addresses to those that ask for DNS records. I’m going to assume you know how DNS works, or this is already over your head. Let me explain.

Let’s take shutdown as an example. How would you communicate that in a way no one would easily recognize, or look suspicious? Hell, I could look at some of these URLs and know they’re suspicious. What about having the software query facebook.com? What if it then responded with 83.72.85.84? Now, I know that’s not a Facebook IP address… but doesn’t that look like normal and non-suspicious DNS traffic? So what is that saying?

Well, your software should take that IP address and convert it to decimal. That will give you 83728584. Now we need to convert that to ASCII, just for the programmer (be sure to add a space after every second digit). That should give you SHUT. That’s a four letter code you can represent to be anything you want, I just chose SHUT to be the command to shutdown.