The First Malware Abuses DNS over HTTPS (DoH)

Recently, data privacy and security have gained a lot of traction. Legislation like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) is a sign of this, as governments take action to protect the sensitive data that customers entrust to organizations.

The progress in data privacy is not limited to governments, however. Organizations like Mozilla have been moving to improve users’ privacy by implementing the DNS over HTTPS (DoH) protocol, which is designed to close one of the biggest privacy holes in the modern Internet.

While this protocol benefits users, it can be used for malicious purposes as well: the first malware using DoH has been discovered in the wild. Leveraging DoH hides the malware’s command-and-control lookups from conventional DNS monitoring, which increases the importance of defenses that minimize the probability of a malware infection occurring in the first place, such as a web application firewall (WAF) in front of Internet-facing applications.

Improving Privacy: DNS over HTTPS

Before digging into how malware abuses DNS over HTTPS (DoH), it’s important to understand how DoH works and, before that, how DNS works. The Domain Name System (DNS) makes using the Internet easier by providing a lookup system that maps domain names to IP addresses.

When you visit a website, you probably don’t type in an IP address like 192.0.2.1. Instead, you type a domain name, like google.com. This creates a problem: your computer needs the IP address to contact the destination machine but only knows the domain name. Maintaining a complete list of domain-to-IP mappings on every computer is impractical because of the size of the list and because it changes constantly as entries are added and removed.

This is where DNS comes in. DNS is a hierarchical system in which each level of the namespace is served by its own authoritative servers. Your computer sends its question to a recursive resolver (usually run by your ISP or your organization), which walks the hierarchy on your behalf: it asks a root server where the .com servers are, asks a .com server which servers are authoritative for google.com, and finally asks one of those servers for the address of a particular hostname (like mail.google.com). The resolver returns that IP address to your computer, which can then send its request.

The issue with traditional DNS is that queries and responses are sent in plaintext (typically over UDP port 53), so anyone with access to your traffic, such as your ISP or an attacker on the same network, can read them. This is a problem for privacy because DNS requests name the exact site you are trying to visit in your browser. Even if it is nothing embarrassing, the ability to monitor your browsing allows an attacker to learn a lot about you, which enables spear phishing and other social engineering attacks.

Enter DNS over HTTPS (DoH). This protocol, standardized in RFC 8484 and now being actively deployed, sends DNS queries and responses inside ordinary HTTPS connections to a DoH-capable resolver. An observer on the path sees only encrypted web traffic to that resolver, so your DNS requests no longer leak to the network and your browsing is harder to track. Note that DoH does not hide the queries from the resolver operator itself, and the IP address of the site you then connect to (and usually the TLS server name) remains visible.
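To make the two protocols concrete, here is an added example (not code from the original article, and not code from any browser or resolver) that builds a DNS query in wire format, shows what a plaintext observer can read from it, and wraps the same bytes in the RFC 8484 GET form that a DoH client sends inside TLS. The resolver URL `https://doh.example/dns-query` and the response built by `build_sample_response` are assumptions for illustration; for `www.example.com` the encoded `dns=` value matches the example in RFC 8484 itself.

```python
import base64
import struct

DOH_RESOLVER_URL = "https://doh.example/dns-query"  # assumed resolver endpoint, not a real service


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query in RFC 1035 wire format.

    qtype 1 is an A record. RFC 8484 recommends transaction ID 0 for DoH so
    that identical queries produce identical (cacheable) GET URLs.
    """
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def extract_qname(message: bytes) -> str:
    """Read the first question name from a wire-format DNS message.

    This is all an on-path observer has to do to learn which site a
    plaintext (UDP/53) DNS client is about to visit.
    """
    labels, offset = [], 12
    while message[offset] != 0:
        length = message[offset]
        labels.append(message[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query, base64url-encoded without
    padding, in the 'dns' query parameter. The whole URL travels inside TLS."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_doh_dns_param(url: str) -> bytes:
    """Recover the wire-format query from a DoH GET URL. Only the resolver, or a
    defender doing TLS inspection, is in a position to run this; an on-path
    observer never sees the URL."""
    param = url.split("dns=", 1)[1].split("&", 1)[0]
    param += "=" * (-len(param) % 4)  # restore the padding RFC 8484 strips
    return base64.urlsafe_b64decode(param)


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response: bytes) -> list[str]:
    """Return the IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(response, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_sample_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed response a resolver might return for `query`; not captured traffic."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; one answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print("plaintext DNS reveals:", extract_qname(q))
    url = doh_get_url(DOH_RESOLVER_URL, q)
    print("DoH GET (only visible inside TLS):", url)
    resp = build_sample_response(decode_doh_dns_param(url), "192.0.2.10")  # constructed, not real
    print("answer:", parse_a_records(resp))
```

The same 33 bytes are sent in both cases; the difference is only that the UDP datagram exposes them to every hop on the path, while the DoH request exposes them only to the resolver. That is exactly why a DNS blocklist that watches port 53 is blind to a client using DoH.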

While this protocol is actively being rolled out by web browsers (Firefox is a major champion), it’s not universally loved. Some organizations use DNS monitoring for legitimate purposes (such as the content filtering that law enforcement relies on) and don’t want that capability taken away. A major opponent of DoH is the trade body for UK Internet Service Providers (ISPs), which went as far as nominating Mozilla, the maker of Firefox, as an “Internet Villain” over its DoH plans. As a result, Firefox does not plan to enable DoH by default in the UK.

Malware Using DoH

DNS over HTTPS (DoH) is designed to improve the privacy of Internet users. However, legitimate users aren’t the only ones who want more privacy. The first malware strain to use DoH was discovered and reported by security researchers on July 1, 2019.

Malware taking advantage of DoH shows that the new protocol is a double-edged sword. A common malware detection strategy is passive monitoring of DNS requests. Malware typically reaches out to command-and-control (C2) servers under the attacker’s control to exfiltrate stolen data or fetch instructions, and it usually locates those servers by domain name. Organizations maintain DNS blocklists of known malicious domains; if any computer on the network requests one of them, the security team knows that a machine is infected and can begin incident response.

With DoH, these controls become much less effective. The same encryption that protects the privacy of legitimate DoH users also protects malware that uses DoH to locate its C2 servers: the query is wrapped in a TLS session to a public resolver and looks, from the network, like any other HTTPS connection. Defenses that rely on reading DNS queries can no longer see them, so detection has to shift to other signals, such as TLS connections to public DoH resolvers that are not the organization’s sanctioned resolver, or outbound connections to addresses that were never returned in a DNS answer the organization’s resolver handled.
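The following is an added example (not code from the article, the reported malware, or any vendor product) of the detection logic described above, run over a few constructed log lines. It shows the blocklist check that still works for plaintext DNS, and two of the signals a security team is left with once a host switches to DoH: a TLS connection to a well-known public DoH resolver, and an outbound connection to an address the organization’s own resolver never handed out. The log format, the client addresses, the blocklist and the sanctioned-resolver policy are all assumptions; `cloudflare-dns.com`, `dns.google`, `1.1.1.1` and `8.8.8.8` are real public DoH endpoints, listed here only as a sample.

```python
# Constructed sample logs (not real captures). The format is assumed:
#   <timestamp> <client_ip> key=value ...
# DNS_LOG is what the organization's own recursive resolver records.
DNS_LOG = """\
2019-07-01T10:00:01 10.0.0.5 query=update.example qtype=A answers=192.0.2.20
2019-07-01T10:00:02 10.0.0.6 query=bad-c2.example qtype=A answers=198.51.100.7
2019-07-01T10:00:03 10.0.0.7 query=cloudflare-dns.com qtype=A answers=1.1.1.1
"""

# CONN_LOG is what a firewall or flow sensor records for outbound TCP connections.
# 10.0.0.7 bootstraps a public DoH resolver and then contacts a host whose name
# was never seen by the internal resolver: the pattern DoH-using malware leaves.
CONN_LOG = """\
2019-07-01T10:00:05 10.0.0.5 dst=192.0.2.20:443 sni=update.example
2019-07-01T10:00:06 10.0.0.6 dst=198.51.100.7:443 sni=
2019-07-01T10:00:10 10.0.0.7 dst=1.1.1.1:443 sni=cloudflare-dns.com
2019-07-01T10:00:11 10.0.0.7 dst=203.0.113.9:443 sni=
"""

# Assumed threat-intel and policy inputs for the example.
BLOCKLIST = {"bad-c2.example"}
# Sample of well-known public DoH endpoints. A real deployment keeps a fuller
# list and removes whichever resolver the organization has sanctioned.
PUBLIC_DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}
PUBLIC_DOH_IPS = {"1.1.1.1", "8.8.8.8"}


def parse_kv(line: str) -> tuple[str, str, dict[str, str]]:
    """Split '<ts> <client> k=v k=v' into its parts (empty values allowed)."""
    ts, client, *fields = line.split()
    return ts, client, dict(field.split("=", 1) for field in fields)


def detect(dns_log: str, conn_log: str, blocklist: set[str],
           doh_hosts: set[str], doh_ips: set[str]) -> list[tuple[str, str, str]]:
    """Return (alert_kind, client_ip, detail) tuples.

    dns_blocklist:    plaintext DNS query for a known-bad domain (classic control)
    doh_resolver:     TLS connection to a public DoH resolver (the control is being bypassed)
    no_dns_precedent: outbound connection to an address the internal resolver never
                      returned to that client (name was resolved elsewhere, or hardcoded)
    """
    alerts: list[tuple[str, str, str]] = []
    resolved: dict[str, set[str]] = {}  # client -> IPs it obtained via the internal resolver

    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _, client, kv = parse_kv(line)
        qname = kv["query"].rstrip(".").lower()
        if qname in blocklist:
            alerts.append(("dns_blocklist", client, qname))
        for ip in kv.get("answers", "").split(","):
            if ip:
                resolved.setdefault(client, set()).add(ip)

    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _, client, kv = parse_kv(line)
        dst_ip, dst_port = kv["dst"].rsplit(":", 1)
        sni = kv.get("sni", "").lower()
        if dst_port == "443" and (sni in doh_hosts or dst_ip in doh_ips):
            alerts.append(("doh_resolver", client, sni or dst_ip))
        elif dst_ip not in resolved.get(client, set()):
            alerts.append(("no_dns_precedent", client, f"{dst_ip}:{dst_port}"))
    return alerts


if __name__ == "__main__":
    for kind, client, detail in detect(DNS_LOG, CONN_LOG, BLOCKLIST, PUBLIC_DOH_HOSTS, PUBLIC_DOH_IPS):
        print(f"{kind:17} {client:10} {detail}")
```

Note what each signal does and does not give you. The blocklist hit on 10.0.0.6 is exact and actionable; the two alerts on 10.0.0.7 only say that the host resolved something out of band, not what. The no-precedent heuristic also needs tuning in practice: hosts that were resolved before the log window, long-lived cached answers, and applications with hardcoded addresses all produce false positives, and it only works at all if clients are forced through the organization’s resolver and public DoH endpoints are blocked or flagged at the egress.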

The Need for Improved Security

DNS over HTTPS (DoH) is a protocol designed to improve the privacy and security of Internet users by encrypting their DNS requests. As mentioned above, traditional DNS requests are transmitted in cleartext, making it possible for anyone with access to the communications to track the websites a user visits. With DoH, an observer on the network path can no longer do this.

However, the impact of DoH is bittersweet. While users gain privacy, malware can also make use of DoH, making it more difficult for security teams to identify and remediate infections. As a result, alternative methods of detecting and protecting against malware infections become even more important.

With DoH, organizations should prioritize defenses that minimize malware’s ability to gain access to, and a foothold on, the network in the first place. Deploying a Web Application Firewall (WAF) and similar solutions that protect an organization’s Internet-facing architecture can do a great deal to reduce the threat of malware attacks.
