Techrunner
asked on
Botnet C&C DNS response Malicious Traffic
Hello Experts,
We have Windows 2008 R2 with Active Directory and the DNS service installed on it.
We have approx. 120 clients that are members of this domain, and the clients point to this server for DNS queries.
Furthermore, the DNS server is configured with the ISP's DNS server IPs as forwarders to query external domains.
This server is installed in someone else's network infrastructure, and their IPS mechanism has detected malicious traffic generated by the server.
Following is the error message:
"Botnet.DGA HEURISTIC DETECTION OF COMMAND AND CONTROL CENTER IN DNS RESPONSE"
Can someone please help with how to find the cause of this malicious traffic and disinfect the server?
What does the error message mean?
Appreciating any help and suggestions.
ASKER
Thanks Ultralites for your detailed response.
What are we supposed to do in this case? I have to answer the InfoSec team with a resolution.
ASKER
Thanks
Any tips on how to find the infected host in the network?
If you know the name requested within DNS, you should enable DNS logging and check the files for the client that requested this domain.
My firewall also uses ATP and tells me "DNS request to baddomain.com blocked". So it is simple to find the infected client.
But consider (as explained by ultralites): not every hit means you are infected. Often a single script within a banner or a link within a mail triggers these events. If the event repeats over some time, you should check your systems thoroughly.
ASKER
Our internal DNS was configured with three forwarders, i.e. 8.8.8.8, 4.2.2.2, 4.2.2.3. I've removed 4.2.2.2 and 4.2.2.3, and the alert has stopped on the IPS device.
Strange? I'm not sure if those DNS servers were the root cause of the issue.
Could be those DNS servers have a C&C host IP cached... keep an eye on it.
Glad the warning log is no longer coming up.
Do also watch out for WPAD leaks:
Leaked WPAD queries could result in domain name collisions with internal network naming schemes. If an attacker registers a domain to answer leaked WPAD queries and configures a valid proxy, there is potential to conduct man-in-the-middle (MitM) attacks across the Internet. https://www.us-cert.gov/ncas/alerts/TA16-144A
ASKER
The log started appearing again.
This time 8 IPs from the same subnet are hitting the same botnet signature.
ASKER
Hello Btan,
Attached is the screenshot I received from the team.
I tried the malware tools Malwarebytes and AdwCleaner but nothing was detected on those infected systems.
c--C.png
I suspect a rootkit or backdoor may be hiding within. You may need to scan using other tools... GMER, HitmanPro, Junkware Removal Kit. Do consider refurbishing these machines if they have never shown such symptoms... but also check whether any gateway or firewall is fronting them, as in the past I have seen such devices produce false positives while trying to update their DNS blacklists.
ASKER
Attached is the alert window. I tried the above tools but nothing was detected.
c--C.png
ASKER
Actually two of them are my domain controllers :( :(
I used Malwarebytes and McAfee Stinger but no luck.
ASKER
Hi Btan,
How can I isolate the domain controllers? Most hits are coming to these servers.
Better to have the firewall blocking those malicious sources and allowing only the legit ones. Harden your DNS services: https://technet.microsoft.com/en-us/library/cc770432(v=ws.11).aspx
Hopefully not DNSChanger malware, as I know it is supposed to go to a non-legit DNS server and bypass the official DNS server. I don't think that is your case: https://www.us-cert.gov/ncas/current-activity/2012/02/23/DNSChanger-Malware
You might want to look at your DC logs, especially for the DNS service. It is unlikely that your DCs are infected, but they are recursively querying for your internal network.
So one or many of your internal machines are asking your DCs to resolve the DGA domains that are being checked by the malware-infected hosts.
ASKER
@btan
Firewall would be difficult as our clients' and DCs' gateways are pointing to the property owner's router, over which we have no administration.
We are just given a separate VLAN.
@ultra
Sure, I will check the logs. The last screenshot I shared mainly contains the DCs' IPs.
Regardless, you have to harden your own DNS server.
To help prevent anyone outside your company from obtaining internal network information, use separate DNS servers for internal and Internet name resolution. Your internal DNS namespace should be hosted on DNS servers behind the firewall for your network. Your external, Internet DNS presence should be managed by a DNS server in a perimeter network. To provide Internet name resolution for internal hosts, you can have your internal DNS servers use a forwarder to send external queries to your external DNS server. Configure your external router and firewall to allow DNS traffic between your internal and external DNS servers only.
Disable recursion on DNS servers that do not respond to DNS clients directly and that are not configured with forwarders. A DNS server requires recursion only if it responds to recursive queries from DNS clients or if it is configured with a forwarder. DNS servers use iterative queries to communicate with each other.
Since the DNS servers are AD integrated, this by default ensures many of the hardening best practices are in place, but do make sure your DNS servers have the following setting checked:
In Server options, select the Secure cache against pollution check box. This setting prevents an attacker from successfully polluting the cache of a DNS server with resource records that were not requested by the DNS server.
You can try the BPA tool to verify hardening in place. Whitelisting is part of the best practice.
https://technet.microsoft.com/en-us/library/dd391963(v=ws.10).aspx
ASKER
Sorry for the delayed response.
We drafted a plan, isolating the infected computers and reinstalling the OS on them.
So far no botnet alerts.
But until now we couldn't find the root cause.
Just a question: what mechanism or appliance is in use detecting the attacks?
Can you please tell me the brand as per the previous screenshots I shared?
Thanks
Not sure that I could tell you the specific IDS in use from the screenshot.
Good job isolating and reinstalling on the infected machines.
Hard to know exactly how they became infected.
Like btan suggests, you could look into a DNS security app like Infoblox.
ASKER
Thank you btan and ultralites.
Hope I have assigned the points properly.
The detection heuristics are based on an enumeration of possible lookup techniques that botmasters are likely to use to perform reconnaissance.
This does not necessarily mean that you are infected, but there is a botnet doing reconnaissance on your network, specifically on your DNS lookups and forwarding.
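The advice in this thread to enable DNS debug logging on the DCs and look for the internal client that asked for the flagged domain, together with the closing note that the IPS alert is a heuristic over DGA-style lookups, can be turned into a small triage script. The example below is added here and is not code from the thread, from Experts Exchange, or from Microsoft. It assumes an approximation of the Windows DNS debug log packet-line layout (the exact column widths vary by version, so it keys on tokens rather than positions), the sample log lines are constructed, `baddomain.com` is the example domain from the thread, and the DGA thresholds (second-level label of at least 12 characters with Shannon entropy of at least 3.5 bits) are assumed tuning values, not a vendor's signature. It only attributes queries to hosts on packets received from clients; packets the DC sends to forwarders, and responses coming back from them, are excluded so the DC itself is not blamed for what it relays.

```python
import math
import re
from collections import Counter, defaultdict

# Assumed layout of a Windows DNS debug log packet line (approximation of the
# 2008 R2 format; field widths vary, so the parser keys on tokens, not columns):
#   <date> <time> <thread> PACKET <id> UDP|TCP Snd|Rcv <remote-ip> <xid> [R] Q [<flags>] <qtype> <name>
# Names are label-length encoded, e.g. (3)www(7)example(3)com(0).
LINE_RE = re.compile(
    r"\b(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>[0-9A-Fa-f.:]+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R)?\s*Q\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\(\d+\)\S*)"
)


def decode_name(label_form):
    """Turn '(3)www(6)google(3)com(0)' into 'www.google.com' (lowercased)."""
    labels = re.findall(r"\((\d+)\)([^()]*)", label_form)
    return ".".join(text for _length, text in labels if text).lower()


def shannon_entropy(s):
    """Bits of entropy per character of s; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(name, min_len=12, min_entropy=3.5):
    """Crude DGA heuristic on the second-level label (assumed thresholds)."""
    labels = name.strip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


def parse_dns_debug_log(lines):
    """Yield one record per packet line; non-packet lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        yield {
            "direction": m["dir"],          # Rcv = came into the DNS server
            "remote_ip": m["ip"],           # client, or forwarder, on the wire
            "is_response": m["resp"] == "R",
            "qtype": m["qtype"],
            "name": decode_name(m["name"]),
        }


def client_queries(lines):
    """Only queries received from clients: drops what the DC sends to its
    forwarders and the answers those forwarders send back."""
    return [r for r in parse_dns_debug_log(lines)
            if r["direction"] == "Rcv" and not r["is_response"]]


def clients_asking_for(lines, watched_domains):
    """Map each watched domain (e.g. from an IPS alert) to the internal IPs
    that asked for it or for any name underneath it."""
    watched = {d.lower().strip(".") for d in watched_domains}
    hits = defaultdict(set)
    for r in client_queries(lines):
        for d in watched:
            if r["name"] == d or r["name"].endswith("." + d):
                hits[d].add(r["remote_ip"])
    return {d: sorted(ips) for d, ips in hits.items()}


def dga_suspects_by_client(lines, min_hits=1):
    """Map client IP to the DGA-looking names it asked for."""
    suspects = defaultdict(set)
    for r in client_queries(lines):
        if looks_dga(r["name"]):
            suspects[r["remote_ip"]].add(r["name"])
    return {ip: sorted(n) for ip, n in suspects.items() if len(n) >= min_hits}


# Constructed sample log: one client asks for the alerted domain and a
# random-looking name, the DC relays both to 8.8.8.8 and gets answers back,
# two other clients make one query each.
SAMPLE_LOG = """\
3/5/2017 9:12:01 AM 0B4C PACKET  0000000002A7B4D0 UDP Rcv 192.168.10.45   1a2b   Q [0001   D   NOERROR] A      (9)baddomain(3)com(0)
3/5/2017 9:12:01 AM 0B4C PACKET  0000000002A7B4D0 UDP Snd 8.8.8.8         1a2b   Q [0001   D   NOERROR] A      (9)baddomain(3)com(0)
3/5/2017 9:12:01 AM 0B4C PACKET  0000000002A7B4D0 UDP Rcv 8.8.8.8         1a2b R Q [8081   DR  NOERROR] A      (9)baddomain(3)com(0)
3/5/2017 9:12:02 AM 0B4C PACKET  0000000002A7B4D0 UDP Rcv 192.168.10.45   1a2c   Q [0001   D   NOERROR] A      (13)xk3q9vzt7bplw(3)com(0)
3/5/2017 9:12:02 AM 0B4C PACKET  0000000002A7B4D0 UDP Snd 8.8.8.8         1a2c   Q [0001   D   NOERROR] A      (13)xk3q9vzt7bplw(3)com(0)
3/5/2017 9:12:02 AM 0B4C PACKET  0000000002A7B4D0 UDP Rcv 8.8.8.8         1a2c R Q [8383   DR  NXDOMAIN] A      (13)xk3q9vzt7bplw(3)com(0)
3/5/2017 9:12:03 AM 0B4C PACKET  0000000002A7B4D0 UDP Rcv 192.168.10.77   1a2d   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)
3/5/2017 9:12:04 AM 0B4C PACKET  0000000002A7B4D0 UDP Rcv 192.168.10.12   1a2e   Q [0001   D   NOERROR] A      (14)ejq7w2ppnzdc4f(3)net(0)
3/5/2017 9:12:05 AM 0B4C PACKET  0000000002A7B4D0 UDP Rcv 192.168.10.45   1a2f   Q [0001   D   NOERROR] A      (3)www(9)baddomain(3)com(0)
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("clients that asked for alerted domains:",
          clients_asking_for(lines, ["baddomain.com"]))
    print("clients making DGA-looking queries:", dga_suspects_by_client(lines))
```

To use it on a real server, point it at the debug log file the DNS service writes (the path is set in the Debug Logging tab of the server properties in DNS Manager) and pass the domain names from the IPS alert to `clients_asking_for`; the DGA scorer is a second, noisier lens that is useful when the alert does not name the domain, and its thresholds should be tuned against a day of known-clean traffic before anyone acts on a hit.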