NTX Use Case – Malware

How does malware use DNS to harm your business? How can you use that to turn the tables?

Malware has been a scourge on the internet for decades – why is it still a problem? Below are a few reasons why malware remains an issue.

Firstly, as soon one malicious hacker releases software that exploits a particular vulnerability, other hackers replicate it and change it. If you’re running cyber security software that looks for specific malware footprints, it will require very frequent updates.

With rare exceptions though, the underlying techniques behind malware haven’t changed for a while. What changes is the way malware is bundled and packaged, to make it more effective and more difficult to detect.

The second reason is that a whole criminal ecosystem has sprung up around making malware easy and cheap to use. It’s no longer the lone, malevolent developer, sitting in darkness, hunched over a keyboard that you have to worry about, but ordinary petty criminals.

They can simply log on to a server on the dark web where they fill in a simple form saying how many attacks they want to launch, what type and where. Payment is by virtually untraceable bitcoin and, as the services cross international borders, enforcement is very difficult.

The risk of the criminals using the service being caught is extremely low, certainly compared with other, more traditional crimes like burglary, mugging or robbing banks. Occasionally international task groups will take down groups of servers controlled by a particular criminal gang but another will quickly spring up in its place.

As the police are putting their limited cyber security knowledge and resources into going after those running the infrastructure, the thieves on the end are unlikely to be targeted. In fact the police are often themselves victims – witness the ransomware attack on the Police Federation headquarters. And the most well-known attack of recent years, the WannaCry campaign that introduced ransomware to the world, was based on ‘EternalBlue’, an exploit developed by the US National Security Agency and stolen by hackers.

Finally, malware is increasingly being used by nation state hackers – there are unofficial wars being waged in cyber space between various different states at different levels.

The WannaCry ransomware is believed beyond reasonable doubt to have been instigated by the North Korean government. In June 2017 Russian military hackers infected servers housing a popular Ukrainian accounting packages with NotPetya, one of the fastest-spreading pieces of malware ever. Unfortunately once out, there was no way to contain it and damage estimated at over $10bn was caused around the world.

close up picture of chains
Top 5 Tips for Disrupting the Malware Kill Chain

The kill chain is an excellent aid to understanding cyber attacks. How and where can you cut it?

View the publication

How malware gets inside your organisation

Most malware relies on being able to get into a PC or server. From there it can execute its payload, which will vary depending on the type, then replicate itself around the organization and wider networks. You can find out more about the malware “kill chain”, and where it can be disrupted, in this tip sheet.

The main flavors of malware are:

  • Viruses - malicious code attached to an executable file which can infect other systems
  • Backdoors - these create entry points where criminals can login to systems
  • Keyloggers - collect keystrokes, allowing addresses, passwords and other information to be collected
  • Worms - programs that can replicate themselves and spread around networks
  • Spyware - collects private information and sends it to a criminal
  • Trojans - like viruses but can spread by attachment to non-executable files such as images
  • Ransomware - locks a PC until a ransom is paid (although payment often doesn’t unlock the PC)

There are others, and increasingly malware combines techniques. WannaCry, for example, combined executable code that exploited a bug in Windows to gain access, an encryption application to scramble the hard disk, and a worm to spread the infection, as well as other components

DNS and Malware

There are various ways to defend against malware, among them user training, end-point anti-malware products and restrictions on devices so that users can’t install or run software. Nominet’s unique experience from protecting the UK registry for over twenty years has enabled us to develop a different, more robust way to seek out and destroy malware – the NTX platform.

Most malware relies on DNS at some point. This is the ‘phone book’ of the internet, a system of inter-connected and trusted servers that convert the numerical IP addresses into the domain names we all use. But most security solutions allow DNS packets through unchallenged as they are crucial to day-to-day operations of all networks. For a deeper dive into DNS and the place it plays in networks and how it’s abused by malware, take a look at our white paper on demystifying DNS.

Malware, depending on its type, will use DNS to communicate with the servers that control it or to spread around the network – often both. Some forms of malware will even attack the DNS infrastructure itself, to misdirect users or confuse defense mechanisms. Our white paper: “DNS Deep Packet Inspection: Meeting the Malware Threat Head-On” goes into these mechanisms in more detail.

Use malware against itself

But far from this being a weakness in DNS, it makes it the perfect place to spot malware, before it can damage your systems and data. This video gives a 90 second overview – essentially Nominet’s NTX platform searches through hundreds of thousands of DNS packets for those tell-tale signs.

By disrupting the malware mechanism, NTX predicts, detects and blocks malware activity. Central control screens alert your security teams to threats that have blocked and suspicious activity and the platform integrates with a number of leading SIEMs.

This infographic is useful for explaining the concepts and benefits quickly and clearly. NTX can be provided as a managed service suitable for organizations that don’t have their own in-house cyber security team, or installed and run in-house – no specialist hardware is required.

More Resources

Demystifying DNS for Cyber Security

Technical whitepaper explaining the critical role DNS plays in detecting and blocking malware, phishing and other cyber attacks.

Download the Whitepaper
Navy Pattern
DNS Deep Packet Inspection: Meeting Malware Threats Head-On

This whitepaper explains the dangers malware presents and how Nominet's NTX provides the essential protection your business needs.

Download the Whitepaper