MORTON: Detection of Malicious Routines in Large-Scale DNS Traffic

Daihes, Yael; Tzaban, Hen; Nadler, Asaf; Shabtai, Asaf

doi:10.48550/arxiv.2008.02003

Cited by 1 publication

(1 citation statement)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In future work, we encourage research aimed at identifying additional DNSAML services, for instance using periodic queries over the DNS [15], and the responsible disclosure of anti-malware solution vulnerabilities as a result of the use as mentioned in this study.…”

Section: Discussionmentioning

confidence: 99%

On The Vulnerability of Anti-Malware Solutions to DNS Attacks

Nadler¹,

Bitton²,

Brodt³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Anti-malware agents typically communicate with their remote services to share information about suspicious files. These remote services use their up-to-date information and global context (view) to help classify the files and instruct their agents to take a predetermined action (e.g., delete or quarantine). In this study, we provide a security analysis of a specific form of communication between antimalware agents and their services, which takes place entirely over the insecure DNS protocol. These services, which we denote DNS anti-malware list (DNSAML) services, affect the classification of files scanned by anti-malware agents, therefore potentially putting their consumers at risk due to known integrity and confidentiality flaws of the DNS protocol.By analyzing a large-scale DNS traffic dataset made available to the authors by a well-known CDN provider, we identify antimalware solutions that seem to make use of DNSAML services. We found that these solutions, deployed on almost three million machines worldwide, exchange hundreds of millions of DNS requests daily. These requests are carrying sensitive file scan information, oftentimes -as we demonstrate -without any additional safeguards to compensate for the insecurities of the DNS protocol. As a result, these anti-malware solutions that use DNSAML are made vulnerable to DNS attacks. For instance, an attacker capable of tampering with DNS queries, gains the ability to alter the classification of scanned files, without presence on the scanning machine.We showcase three attacks applicable to at least three antimalware solutions that could result in the disclosure of sensitive information and improper behavior of the anti-malware agent, such as ignoring detected threats. Finally, we propose and review a set of countermeasures for anti-malware solution providers to prevent the attacks stemming from the use of DNSAML services.

show abstract

Section: Discussionmentioning

confidence: 99%