Malware Covert Channels
Not that long ago I did a deep dive into the techniques that malware uses to sneakily exfiltrate data and/or communicate with Command & Control (C2) servers. Perhaps unsurprisingly, there are many many different techniques, and probably more as yet undiscovered.
The easy way is to just pay crypto for a bulletproof host in a non-INTERPOL country and buy either completely random domains like xqlkhyxdgwyazzr.info or plausibly-innocuous domains like sggdb.com (both of these were actually used in real malware campaigns, btw). Then your implant simply calls out to these domains over HTTP and receives instructions. Not particularly clever. Not particularly creative. And likely to trip EDR heuristics.
What malware C2 really needs
Truly resilient C2 requires a more sophisticated approach. My favorite is abusing the TLS handshake: the ClientHello is sent in the clear, and the protocol leaves the order of most of its parameters up to the client, so an implant can encode information simply by permuting that order, as demonstrated by HELOL. I think this is a really creative, sneaky, underhanded approach.
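To make the "bits in an ordering" idea concrete, here is an added example (mine, not HELOL's scheme or the author's code) that ranks and unranks permutations with a Lehmer code. The list of TLS extension codepoints, their canonical order and the one-byte length framing are assumptions made for the illustration; the encoder emits one extension ordering per chunk and the observer recovers the payload from the orderings it sees.

```python
"""Encode bytes in the ORDER of a list of items via Lehmer-code permutation
ranking.  Added example: the extension list and the length framing are
assumptions for illustration, not HELOL's scheme."""
from math import factorial

# Real IANA ExtensionType codepoints in one plausible client order.
# pre_shared_key (41) is left out: RFC 8446 requires it to be last, so it
# cannot take part in the permutation.
CANONICAL_EXTENSIONS = [0, 5, 10, 11, 13, 16, 18, 21, 22, 23, 28, 35,
                        43, 45, 51, 0xFF01]

def capacity_bits(n):
    """Whole bits carried by one ordering of n distinct items: floor(log2(n!))."""
    return factorial(n).bit_length() - 1

def unrank(value, items):
    """Map an integer in [0, n!) to a permutation of items (Lehmer code)."""
    pool = list(items)
    if not 0 <= value < factorial(len(pool)):
        raise ValueError("value does not fit in a permutation of this size")
    out = []
    while pool:
        idx, value = divmod(value, factorial(len(pool) - 1))
        out.append(pool.pop(idx))
    return out

def rank(perm, canonical):
    """Inverse of unrank: recover the integer from an observed ordering."""
    pool, value = list(canonical), 0
    for item in perm:
        idx = pool.index(item)            # raises ValueError on unknown items
        value += idx * factorial(len(pool) - 1)
        pool.pop(idx)
    return value

def encode_message(data, canonical=CANONICAL_EXTENSIONS):
    """Split a length-prefixed payload into k-bit chunks, one ordering each."""
    if len(data) > 255:
        raise ValueError("one-byte length prefix limits the payload to 255 bytes")
    k = capacity_bits(len(canonical))
    framed = bytes([len(data)]) + data                 # assumed framing
    n_chunks = -(-len(framed) * 8 // k)                # ceil division
    value = int.from_bytes(framed, "big") << (n_chunks * k - len(framed) * 8)
    mask = (1 << k) - 1
    return [unrank((value >> (k * (n_chunks - 1 - i))) & mask, canonical)
            for i in range(n_chunks)]

def decode_message(orderings, canonical=CANONICAL_EXTENSIONS):
    """Observer side: rebuild the payload from a sequence of orderings."""
    k = capacity_bits(len(canonical))
    value = 0
    for perm in orderings:
        value = (value << k) | rank(perm, canonical)
    total_bits = k * len(orderings)
    nbytes = total_bits // 8
    if not nbytes:
        return b""
    raw = (value >> (total_bits - nbytes * 8)).to_bytes(nbytes, "big")
    return raw[1:1 + raw[0]]
```

With 16 extensions one ordering carries floor(log2(16!)) = 44 bits, so even a short tasking message costs several handshakes. The price is that every connection now shows a different extension order, which any fingerprinting that hashes that order (JA3 does) will notice, and a real implant also has to respect whatever ordering constraints the protocol imposes, which is why the example leaves pre_shared_key out.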
Another one that's popular and has been around for a while now is to simply use DNS queries. Once your C2 domain is delegated to a nameserver you control, you can publish TXT or other records and have the implant simply resolve names under that domain to receive instructions (anything going the other way gets encoded in the labels it queries). Also really cool, though perhaps not as creative.
What I like about (ab)using DNS in this way is that it's practical and resilient. A network can force clients through its own resolver and block direct outbound port 53, but it cannot block DNS resolution itself, or else everything comes to a screeching halt, and a recursive resolver will dutifully forward queries for your domain to your authoritative server. You can try black- or white-listing domains, but that's a game that the Blue Team is never going to win. So, DNS is pretty much always going to be available, even if the resulting traffic (TXT lookups from hosts that otherwise never make them, long high-entropy labels under a single domain) is far from invisible to anyone actually watching the resolver logs.
What I miss about the old internet
I miss the obscure corners of the old internet, meaning pre-2010 or so, where you could still discover things that weren’t global. PHPBB forums catering to specific communities. Mailing lists. Telnet BBSes. IRC in the late 90s. Topsites. The very early years of Tor. Places where you’d discover something new, that might inspire a sense of wonder or curiosity. A lot of these places or things still exist today, but most are a shadow of their former selves.
So I made one
With that in mind I wrote a Common Lisp BBS that uses covert channel techniques to create a purely DNS-based message transport. I opted for this rather than the TLS ClientHello because a message board over e.g. HELOL requires a custom client. And if you're going to write a custom client, you might as well just use Matrix. By contrast, one can use a DNS-based BBS with standard command-line tools like dig or drill.
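As an added example of the DNS transport described above (in Python, not the post's Common Lisp BBS), this sketch implements both ends of the exchange: the query dig sends, an authoritative UDP responder that answers TXT lookups from an in-memory board, and the client-side parser. The zone name and port are taken from the post's demo command; the board contents and the convention that the first label names a thread are my assumptions.

```python
"""DNS-as-transport for a message board: dig-style TXT query, authoritative
UDP responder backed by an in-memory board, and a client-side parser.
Added example; board contents and the thread-label convention are assumed."""
import socket
import struct

ZONE = "bbs.stackgho.st"
TXT = 16
BOARD = {  # constructed sample content
    "wtf": ["Welcome to the DNS BBS. Each thread is a label under " + ZONE,
            "Read one with: dig <thread>." + ZONE + " TXT"],
    "hello": ["first post"],
}

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)

def build_query(qname, qtype=TXT, txid=0x1337):
    """What dig sends: header with RD set, one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def txt_rdata(text):
    """TXT RDATA is a run of <len><bytes> character-strings of at most 255 bytes."""
    data = text.encode()
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def handle_query(packet):
    """Server side: answer <thread>.ZONE TXT from BOARD, NXDOMAIN otherwise."""
    txid, flags, *_ = struct.unpack("!HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    question = packet[12:off + 4]
    thread, _, parent = qname.lower().partition(".")
    posts = BOARD.get(thread) if parent == ZONE else None
    flags_out = 0x8400 | (flags & 0x0100)         # QR + AA, echo RD
    if posts is None:                              # unknown thread (or outside zone)
        return struct.pack("!HHHHHH", txid, flags_out | 3, 1, 0, 0, 0) + question
    if qtype != TXT:                               # name exists, no data of that type
        return struct.pack("!HHHHHH", txid, flags_out, 1, 0, 0, 0) + question
    answers = b""
    for post in posts:
        rdata = txt_rdata(post)
        # owner name is a pointer to the question name at offset 12; TTL 0 defeats caching
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TXT, 1, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags_out, 1, len(posts), 0, 0)
    return header + question + answers

def parse_txt_response(packet):
    """Client side: return TXT records as strings (character-strings rejoined)."""
    _txid, flags, qd, an, *_ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0xF:
        raise LookupError("RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        _, off = decode_name(packet, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = decode_name(packet, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype == TXT:
            pieces, i = [], 0
            while i < len(rdata):
                pieces.append(rdata[i + 1:i + 1 + rdata[i]])
                i += 1 + rdata[i]
            records.append(b"".join(pieces).decode())
    return records

def serve(host="127.0.0.1", port=31337):
    """Then: dig @127.0.0.1 -p 31337 wtf.bbs.stackgho.st TXT"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, peer = sock.recvfrom(512)
            sock.sendto(handle_query(data), peer)

if __name__ == "__main__":
    serve()
```

Run it and point the post's dig command at 127.0.0.1 instead of bbs.stackgho.st. Two things a real server has to deal with that this sketch does not: a thread whose posts do not fit in one UDP datagram needs the TC bit and a TCP fallback, and a resolver in the path will happily cache whatever TTL you hand back, so the TTL of 0 is what keeps the "board" live rather than frozen at first read.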
Depending on when you’re reading this, there may be a live demo running. Try:
$ dig @bbs.stackgho.st -p 31337 wtf.bbs.stackgho.st TXT
If that doesn't work, you can take a look at the source code on GitHub.