The Sneakiest Command And Control Channel

By Bill Stearns

You’ve finally gotten into an adversary’s network and are running a piece of malware that will do your bidding to probe and attack their systems.

The only question is: how do you send commands to that malware?

The ideal channel would:

1) be open on almost every single network and

2) have lots of other traffic to hide the covert communication.

Unfortunately, this exists — DNS.

The same protocol we use to look up hostnames can also carry command and control traffic.

Here’s how it works:

- The attacker creates a domain (like “polkawrench.info”) used for command and control, and sets up a server ready to answer queries to it.

- The infected system announces itself by making a DNS query in that domain, such as “6.7.8.9.newsystem.polkawrench.info”. The attacker’s DNS server pulls this apart and realizes that the computer at “6.7.8.9” is a newly infected system and sends back some generic acknowledgement like “1.1.1.1”.

- Now the infected system checks in every 5 minutes by placing a query like “timestamp.6.7.8.9.checkin.polkawrench.info”. The attacker’s DNS server replies with “0.0.0.0” to say “I have no work for you to do.” This goes on for hours or days.

- When the attacker does have a job to do, it waits until the next check-in and responds with “2.6.8.7” or some other code describing what to do. The infected system does that task and sends back the results on the next check-in.

The advantage is clear: since nearly every network allows DNS requests to go out and DNS replies to come back, the attacker has an almost guaranteed way to communicate with their infected systems. As with most such threats, the attacker only has to wait for the next check-in to send a command. The slightly more annoying downside is that DNS requests and replies don’t carry much data. DNS requests can be up to 256 characters. Replies from the attacker’s DNS server can be longer if the attacker sends back TXT answers (generic text) instead of A answers (like the “2.6.8.7” address above).

As network defenders, it’s our job to run a threat hunting tool that looks for domains (like “polkawrench.info”) with a large number of unique requests and replies crossing the perimeter. Those domains are worth investigating.
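As an added illustration of that hunt (this is example code written for this page, not a tool from the author or from the Threat Hunting Toolkit), the script below scans a constructed DNS query log and flags registered domains that show the two traits of the check-in scheme described above: almost every query is a name never seen before, and at least one client queries the domain on a steady interval. The log format, the sample lines, the two-label “registered domain” rule and the thresholds are all assumptions made for the example.

```python
"""Flag domains whose DNS traffic looks like the check-in channel above (constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch_seconds> <client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000010 10.0.0.5 6.7.8.9.newsystem.polkawrench.info A
1700000300 10.0.0.5 1700000300.6.7.8.9.checkin.polkawrench.info A
1700000600 10.0.0.5 1700000600.6.7.8.9.checkin.polkawrench.info A
1700000900 10.0.0.5 1700000900.6.7.8.9.checkin.polkawrench.info A
1700001200 10.0.0.5 1700001200.6.7.8.9.checkin.polkawrench.info TXT
1700001210 10.0.0.7 mail.example.com MX
1700001220 10.0.0.7 www.example.com A
"""

def registered_domain(qname, suffix_labels=2):
    """Last two labels. Assumption: a real hunt consults the public suffix
    list so that e.g. 'co.uk' is not counted as a registered domain."""
    return ".".join(qname.rstrip(".").lower().split(".")[-suffix_labels:])

def summarize(log_text):
    """Per registered domain: query count, distinct names, timestamps per client."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "times": defaultdict(list)})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the hunt
        ts, client, qname = int(parts[0]), parts[1], parts[2].lower().rstrip(".")
        s = stats[registered_domain(qname)]
        s["total"] += 1
        s["names"].add(qname)
        s["times"][client].append(ts)
    return stats

def beacon_score(times):
    """Coefficient of variation of inter-query gaps; near 0 means a fixed interval."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None

def suspicious_domains(log_text, min_unique=4, min_ratio=0.9, max_cv=0.5):
    """Domains with mostly never-repeated names AND a client on a steady cadence."""
    hits = []
    for dom, s in summarize(log_text).items():
        scores = [beacon_score(sorted(t)) for t in s["times"].values()]
        regular = any(cv is not None and cv <= max_cv for cv in scores)
        fresh = len(s["names"]) / s["total"] >= min_ratio
        if len(s["names"]) >= min_unique and fresh and regular:
            hits.append(dom)
    return sorted(hits)
```

On the sample log only “polkawrench.info” is returned; “example.com” is repeatedly queried for the same few names and has no regular cadence, so it is left alone.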
