Some crazed conspiracy wackos wondered why there were so many DNS pings from a Russian bank to a Trump organization server during the campaign. There was much chortling at the wackos by Very Serious People because surely there were many logical explanations for this. Surely it was not a sneaky way to pass data as the fevered wackos suggested. But then the FBI started investigating it. Hmm, imagine that. Maybe the wackos were on to something after all. However, what was happening? It was indeed baffling.
Legendary hacker Jester suggests these large numbers of DNS pings could be tunneling IPv4 data through DNS.
“Hey Bob, It’d be great if you could speak in English, not in incomprehensible geek-lingo” some of you are undoubtedly thinking as your eyes glaze over. Ok, I’ll try. Let’s say you want to pass data back and forth between servers and don’t want anyone to notice. A great idea would be to hide it in plain sight using DNS queries, something that routinely happens a bazillion times a day and no one pays much attention to it. (DNS pings are looking up an IP address based on a domain name at a Domain Name Server, or “DNS”. It’s routine.)
But let’s say instead of doing a regular DNS ping, you are actually passing encoded data back and forth. You are hiding data transfers in the DNS pings. This is “DNS tunneling”.
“So on a DNS tunnel, data are encapsulated within DNS queries and replies, using base32 and base64 encoding, and the DNS domain name lookup system is used to send data bi-directionally. Therefore, as long as you can do domain name lookups on a network, you can tunnel any kind of data you want to a remote system, including the Internet.
Open source Iodine can do this now. There is also malware called DNSMessenger that can do the same thing and which takes control of computers. Neither write anything to disk, making detection and understanding the attack much more difficult. Both are hidden in plain sight.
Once this is completed, the STDOUT and STDERR output that was captured from the Windows Command Line processor earlier in Stage 4 is transmitted using a “MSG” message. This allows the attacker to send commands to be executed directly by the Command Processor and receive the output of those commands all using DNS TXT requests and responses.
I’m just delving into this. Any help, thoughts, feedback appreciated!