Detecting DNS Data Exfiltration
Posted: Thursday, 14 Jul 2016, Author: Martin Lee, Jaeson Schultz and Warren Mercer, Talos (Cisco Blog)

The recent discovery of Wekby and Point of Sale malware using DNS
requests as a command and control channel highlights the need to
consider DNS as a potentially malicious channel. Although a skilled
analyst may be able to quickly spot unusual activity because they are
familiar with their organisation’s normal DNS activity, manually
reviewing DNS logs is typically time consuming and tedious. In an
environment where it might be unclear what malicious DNS traffic looks
like, how can we identify malicious DNS requests?

We are familiar with common DNS requests such as requesting the IP
address of ‘’, but what kind of request would be so unusual
as to require investigation? Malware could encode stolen data as the
subdomain part of a DNS lookup for a domain where the nameserver is
under control of an attacker. A DNS lookup for
‘’ would be forwarded to the
nameserver of, which would record
‘long-string-of-exfiltrated-data’ and reply back to the malware with a
coded response.
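The detection side of the technique just described, as an added example that is not part of the original post or of any Talos tooling: a small Python heuristic that scores DNS query log lines on the three signals the text implies (an unusually long leftmost label, an encoded-looking high-entropy label, and many distinct subdomains under one registered domain). The log format, the `attacker-controlled.example` domain (a reserved `.example` name), the sample lines and all thresholds are constructed assumptions to be tuned against your own baseline.

```python
"""Heuristic scoring of DNS query logs for exfiltration-style lookups.

Added example, not code from the Talos post.  Signals scored per query:
  long_label              leftmost label longer than max_label_len
  high_entropy            leftmost label looks encoded (Shannon entropy)
  many_unique_subdomains  >= min_unique distinct subdomains under one domain
Log format and thresholds are assumptions; tune against your baseline.
"""
import binascii
import math
from collections import Counter, defaultdict


def _hex(s: str) -> str:
    """Hex-encode text the way a simple exfiltration stub might."""
    return binascii.hexlify(s.encode()).decode()


# Constructed sample log, format assumed: "<timestamp> <client> <qname> <qtype>".
# The queries under EXFIL_DOMAIN carry hex-encoded text in the leftmost label,
# mimicking "stolen data encoded as the subdomain part of a DNS lookup".
EXFIL_DOMAIN = "attacker-controlled.example"   # reserved .example TLD, constructed
SAMPLE_LOG = "\n".join([
    "2016-07-14T10:00:01Z 10.0.0.5 www.example.com A",
    "2016-07-14T10:00:02Z 10.0.0.5 mail.example.com MX",
    f"2016-07-14T10:00:03Z 10.0.0.7 {_hex('user=jdoe;host=WS-042')}.{EXFIL_DOMAIN} A",
    f"2016-07-14T10:00:04Z 10.0.0.7 {_hex('file=q3-forecast.xlsx')}.{EXFIL_DOMAIN} A",
    f"2016-07-14T10:00:05Z 10.0.0.7 {_hex('chunk1=<data>')}.{EXFIL_DOMAIN} A",
    "2016-07-14T10:00:06Z 10.0.0.9 cdn.example.org AAAA",
])


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a constant string, at most 4 for hex, ~6 for base64."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Return (leftmost_label, subdomain, registered_domain).

    Uses a two-label approximation for the registered domain; a real
    deployment should use the Public Suffix List instead.
    """
    labels = qname.lower().rstrip(".").split(".")
    domain = ".".join(labels[-2:])
    subdomain = ".".join(labels[:-2])
    label = labels[0] if len(labels) > 2 else ""
    return label, subdomain, domain


def parse_log(text: str):
    """Parse the assumed 4-field log format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        label, subdomain, domain = split_qname(fields[2])
        records.append({"client": fields[1], "qname": fields[2], "qtype": fields[3],
                        "label": label, "subdomain": subdomain, "domain": domain})
    return records


def analyze(log_text: str, max_label_len: int = 30, min_entropy: float = 3.2,
            min_unique: int = 3):
    """Return {qname: [reasons]} for every query that trips at least one signal."""
    records = parse_log(log_text)
    subs_per_domain = defaultdict(set)
    for r in records:
        if r["subdomain"]:
            subs_per_domain[r["domain"]].add(r["subdomain"])

    flagged = {}
    for r in records:
        reasons = []
        label = r["label"]
        if len(label) > max_label_len:
            reasons.append("long_label")
        # Entropy only means something on labels long enough to carry data.
        if len(label) >= 16 and shannon_entropy(label) > min_entropy:
            reasons.append("high_entropy")
        if len(subs_per_domain[r["domain"]]) >= min_unique:
            reasons.append("many_unique_subdomains")
        if reasons:
            flagged[r["qname"]] = reasons
    return flagged


if __name__ == "__main__":
    for qname, reasons in analyze(SAMPLE_LOG).items():
        print(f"{qname}: {', '.join(reasons)}")
```

The per-domain count is the signal worth keeping even when the individual labels are short: the third query above is under the length threshold on its own, but three distinct subdomains under one newly seen domain from one client is the pattern to investigate.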


Copyright © 2013 - Id-SIRTII/CC (Indonesia Security Incident Response Team on Internet Infrastructure/Coordination Center)