Dynamic DNS Mind Map for Threat Intelligence

The Domain Name System (DNS) translates domain names into IP addresses, which browsers use to load web pages. Dynamic DNS (DDNS) providers let anyone register a hostname under one of the provider's own domains and update the IP address it resolves to whenever the host's address changes, which is a legitimate service for home users and small sites. However, threat actors often abuse legitimate utilities for offensive purposes, and several DNS-related services of this kind have been repurposed by malicious actors to support their operations: a hostname that can be re-pointed at a new server in seconds, at no cost and without owning a domain, is exactly what a resilient attack infrastructure needs.

So how do threat actors abuse DNS, and Dynamic DNS in particular? The list below shows the common methods:

  1. Hosting a Command-and-Control (C2) server: infected devices resolve a DDNS hostname to find their C2 infrastructure, and the attacker re-points that hostname at a new IP address whenever the current server is blocked or taken down.

  2. Loading exploits via browsers: a DDNS hostname can direct users to a page that delivers custom browser exploits.

  3. Redirecting users to malicious websites: attackers use DDNS hostnames to lead victims to phishing or malware-hosting sites, rotating the destination address as needed.

The main question is: how can we identify whether a website uses Dynamic DNS?

To determine this, we first need a list of common Dynamic DNS (DDNS) suffixes, such as the following:

  • 3utilities.com

  • bounceme.net

  • hopto.org

  • myftp.biz

  • myftp.org

  • myvnc.com

  • no-ip.biz

  • no-ip.info

  • noip.me

  • no-ip.org

  • redirectme.net

  • servebeer.com

  • serveblog.net

  • servecounterstrike.com

  • serveftp.com

  • servegame.com

  • servehalflife.com

  • servehttp.com

  • servemp3.com

  • servepics.com

  • servequake.com

  • sytes.net

  • zapto.org

By comparing the suffix of a website's hostname against such a list, we can identify whether it belongs to a Dynamic DNS provider, which is often abused by threat actors for malicious purposes. The comparison must be made on label boundaries (update.hopto.org matches, nothopto.org and hopto.org.example.com do not), and a match is an indicator rather than proof: these providers also have many legitimate users, so a DDNS hostname is a reason to investigate, not a verdict on its own.
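The suffix check described above, carried through as a small script, is given here as an added example; it is not code from the original post. It matches on label boundaries, does not flag the provider apex itself (only the labels in front of the suffix are user-chosen), accepts either a bare hostname or a URL, and then runs over a constructed resolver-log sample (timestamp, client, query type, query name) to show how the check is applied in bulk. The log format, SAMPLE_DNS_LOG and the hostnames in it are illustrative; the suffix list is the one on this page.

```python
"""Flag DNS query names that fall under a Dynamic DNS (DDNS) provider suffix."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Suffixes taken from the list on this page; extend it for other providers.
DDNS_SUFFIXES = frozenset({
    "3utilities.com", "bounceme.net", "hopto.org", "myftp.biz", "myftp.org",
    "myvnc.com", "no-ip.biz", "no-ip.info", "noip.me", "no-ip.org",
    "redirectme.net", "servebeer.com", "serveblog.net", "servecounterstrike.com",
    "serveftp.com", "servegame.com", "servehalflife.com", "servehttp.com",
    "servemp3.com", "servepics.com", "servequake.com", "sytes.net", "zapto.org",
})


def normalize_host(value: str) -> str:
    """Accept a bare hostname or a URL; return a lowercase name with no trailing dot."""
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.strip().rstrip(".").lower()


def ddns_suffix(value: str) -> Optional[str]:
    """Return the DDNS suffix a hostname sits under, or None.

    The comparison is made on label boundaries: 'updates.evil.hopto.org'
    matches, while 'nothopto.org' and 'hopto.org.example.com' do not.
    The provider apex itself ('hopto.org') is not flagged, because only
    the labels in front of the suffix are user-controlled.
    """
    labels = normalize_host(value).split(".")
    # Try every candidate suffix that leaves at least one user-chosen label in front.
    for start in range(1, len(labels) - 1):
        candidate = ".".join(labels[start:])
        if candidate in DDNS_SUFFIXES:
            return candidate
    return None


# Constructed sample of a simple resolver log: timestamp, client, query type, query name.
SAMPLE_DNS_LOG = """\
2024-05-02T10:01:12Z 10.0.0.5 A www.example.com
2024-05-02T10:01:13Z 10.0.0.5 A updates.evil.hopto.org
2024-05-02T10:01:14Z 10.0.0.9 AAAA mail.corp.internal
2024-05-02T10:02:40Z 10.0.0.7 A sytes.net
2024-05-02T10:03:02Z 10.0.0.7 A beacon.no-ip.biz.
"""


def hunt_dns_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, query name, suffix) for every query under a DDNS suffix."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, client, _qtype, qname = line.split()[:4]
        suffix = ddns_suffix(qname)
        if suffix:
            hits.append((client, normalize_host(qname), suffix))
    return hits


if __name__ == "__main__":
    for client, qname, suffix in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} (DDNS provider suffix: {suffix})")
```

On the sample log only the two queries under a provider suffix are reported; the query for sytes.net itself is not, and the trailing dot on beacon.no-ip-biz. is stripped before matching. Each hit is a candidate for the VirusTotal pivot described later on this page, not a finding on its own.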

In addition, you can find a mind map visualization of the top Dynamic DNS suffixes in the image below:


So, how can we hunt for a malicious DDNS hostname that may be hosting malware or be used by malware to communicate? One answer is to rely on threat intelligence platforms such as VirusTotal, which record the relationships between a domain, its subdomains and the files observed contacting them.

For example, in VirusTotal we can search for no-ip.biz and then navigate to the Relations section. Under the Subdomains relationship we can see dozens of subdomains flagged as malicious, as shown in the picture below.



Then we click on one of the subdomains and again navigate to its Relations section:



As we can see from the Communications section, there is a sample that communicates with this DDNS hostname. For more confidence, we can click on the file within the Communications section and check its own Relations section, which lists the domains and IP addresses the sample contacted:


As the previous image shows, a malicious sample communicates with the DDNS hostname of interest, which turns a bare suffix match into a corroborated indicator. The roadmap above (suffix match, then the provider domain's subdomain relations, then the communicating files and the infrastructure those files contacted) can be relied on to make investigations and analysis more accurate, and other threat intelligence platforms expose the same kinds of relationships.
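The manual pivot above (provider domain, then its subdomains, then the files communicating with a flagged subdomain) can be scripted against the VirusTotal API v3. The following is an added example, not code from the original post or from VirusTotal: it uses the documented v3 relationship endpoints for a domain's subdomains and communicating_files and the x-apikey header, and everything else (VT_BASE, flagged, pivot, offline_get, the threshold, and the hostnames and hash in FAKE_VT) is illustrative. The responses in FAKE_VT are constructed to imitate the v3 response shape (a data array of objects with attributes.last_analysis_stats, and links.next for paging) so the triage logic runs offline; the live fetch_json path needs a VT_API_KEY in the environment.

```python
"""Automate the VirusTotal pivot: domain -> subdomains -> communicating files.

VirusTotal API v3 relationship endpoints used:
  GET /api/v3/domains/{domain}/subdomains
  GET /api/v3/domains/{domain}/communicating_files
Authentication is the x-apikey header. The network call is isolated in
fetch_json() so the triage logic can run offline against constructed responses.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

VT_BASE = "https://www.virustotal.com/api/v3"


def relationship_url(domain: str, relationship: str, limit: int = 40,
                     cursor: Optional[str] = None) -> str:
    url = f"{VT_BASE}/domains/{domain}/{relationship}?limit={limit}"
    return url + (f"&cursor={cursor}" if cursor else "")


def fetch_json(url: str, api_key: Optional[str] = None) -> Dict:
    """Live request; needs VT_API_KEY in the environment. Not used by the offline demo."""
    key = api_key or os.environ["VT_API_KEY"]
    req = urllib.request.Request(url, headers={"x-apikey": key, "accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def malicious_count(obj: Dict) -> int:
    """Number of engines that flagged the object in its last analysis."""
    return obj.get("attributes", {}).get("last_analysis_stats", {}).get("malicious", 0)


def flagged(page: Dict, min_malicious: int) -> List[Tuple[str, int]]:
    """(id, malicious verdicts) for objects in one relationship page meeting the threshold.
    For file objects the id is the SHA-256; for domain objects it is the hostname."""
    return [(o["id"], malicious_count(o))
            for o in page.get("data", []) if malicious_count(o) >= min_malicious]


def pivot(domain: str, get: Callable[[str], Dict] = fetch_json,
          min_malicious: int = 1) -> Dict[str, Dict]:
    """Walk every subdomain page of `domain`; for each flagged subdomain, list flagged
    communicating files. `get` is swappable so the logic can be tested offline."""
    results: Dict[str, Dict] = {}
    url: Optional[str] = relationship_url(domain, "subdomains")
    while url:
        page = get(url)
        for sub, verdicts in flagged(page, min_malicious):
            files = flagged(get(relationship_url(sub, "communicating_files")), min_malicious)
            results[sub] = {"malicious": verdicts, "files": files}
        url = page.get("links", {}).get("next")  # absent on the last page
    return results


# Constructed responses in the v3 shape, keyed by request URL, so the demo runs offline.
FAKE_VT: Dict[str, Dict] = {
    relationship_url("no-ip.biz", "subdomains"): {
        "data": [
            {"type": "domain", "id": "cdn-update.no-ip.biz",
             "attributes": {"last_analysis_stats": {"malicious": 7, "harmless": 60}}},
            {"type": "domain", "id": "homecam.no-ip.biz",
             "attributes": {"last_analysis_stats": {"malicious": 0, "harmless": 70}}},
        ],
        "links": {"next": relationship_url("no-ip.biz", "subdomains", cursor="page2")},
    },
    relationship_url("no-ip.biz", "subdomains", cursor="page2"): {
        "data": [{"type": "domain", "id": "srv01.no-ip.biz",
                  "attributes": {"last_analysis_stats": {"malicious": 3, "harmless": 65}}}],
        "links": {},
    },
    relationship_url("cdn-update.no-ip.biz", "communicating_files"): {
        "data": [{"type": "file", "id": "a" * 64,
                  "attributes": {"last_analysis_stats": {"malicious": 40, "undetected": 20}}}],
        "links": {},
    },
    relationship_url("srv01.no-ip.biz", "communicating_files"): {"data": [], "links": {}},
}


def offline_get(url: str) -> Dict:
    return FAKE_VT[url]


if __name__ == "__main__":
    for sub, info in pivot("no-ip.biz", get=offline_get).items():
        print(f"{sub}: {info['malicious']} malicious verdicts, files: {info['files']}")
```

The offline run reports cdn-update.no-ip.biz with one communicating file and srv01.no-ip.biz with none, and skips homecam.no-ip.biz because no engine flagged it; raise min_malicious to cut single-engine noise. A provider apex such as no-ip.biz has a very large number of subdomains, so a live run pages through links.next for a long time and consumes API quota accordingly; in practice you start from the subdomains already seen in your own DNS logs rather than enumerating the whole provider.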
