Research Tool Release: ApateDNS
Here at Mandiant we deal with our fair share of malicious code. Being able to quickly identify specific information about a piece of malware is imperative. More specifically, knowing which domains a piece of malware uses for command and control (C2) communication is important to on-site incident responders.
To aid analysts in DNS identification, I have written ApateDNS. It is a simple tool that acts as a phony DNS server that can log or manipulate DNS requests being made to it. Malware analysts typically use this to redirect beacon traffic from a guest virtual machine to the host system (or another virtual machine) to monitor beacon and/or communication channels using Netcat or a custom written C2 script. Forensic analysts typically use this tool to quickly extract DNS names from malware samples.
ApateDNS automatically sets up your Windows network configurations by attempting to determine the default route or current DNS settings. This is most useful when in a guest virtual machine since the default route is typically the host machine. As shown in the figure below, ApateDNS has found the default route in my virtual machine (192.168.239.1) and uses this IP address for any DNS request on my virtual host. The user may override this by specifying an IP address for DNS Reply IP.
Malware often uses multiple C2 domains. To catch this, ApateDNS allows a user to specify a number of non-existent DNS (NXDOMAIN) replies for any possible DNS lookup. As seen in the figure below, the malware returns a single, non-existent domain for each DNS request (since a “1” is entered for “# of NXDOMAIN’s”). The example malware beacons and detects if a valid IP address has been resolved from a DNS request, if not, it will continue to walk down its C2 domain list. By using the NXDOMAIN functionality, we see three different DNS requests made by the malware: evil1.example.com, evil2.example.com and evil3.example.com.
ApateDNS gives malware analysts an easy way to control DNS on their machine and forensic analysts a way to monitor DNS requests made by malware. Of course, not all malware utilizes DNS and some may not beacon without a specific set of conditions being satisfied. ApateDNS’s use cases are not limited just to malware. It can be used for any purpose where a user may want to monitor outbound DNS requests or traffic.
Feel free to check out ApateDNS here.