May 14 – 15, 2017
Europe/Madrid timezone

The Dark Side of the DNS

May 15, 2017, 3:00 PM
Standard Presentation Public Workshop Public Workshop: Security and Privacy


Mr Jaeson Schultz (Cisco Systems)


1. **Data exfiltration using the DNS** A. Multigrain malware, and other examples of the use of DNS for data exfiltration 1. Detecting subdomain-type data exfiltration through statistical analysis of subdomain lengths B. Use of DNS 0x20 / XQID / IDN as a covert channel 1. Cisco Talos stats on malware’s use of mixed-case, XQID, and other queries C. Passive DNS "dead drops" 2. **Malware C2 using the DNS** A. DNSMessenger malware and bi-directional command and control communication using DNS TXT records 3. **Bulletproof hosting** A. Malicious use of the .bit TLD (NameCoin) B. Malware using Tor2Web


Over 90% of malware makes use of the Domain Name System. While many organizations implement strict security protections as it pertains to web traffic, email, etc., they typically have less stringent controls in place to protect against DNS-based threats. Attackers have recognized this fact and are using the DNS for data exfiltration, establishing bi-directional command & control channels, and obtaining bulletproof domain hosting. In this presentation we will discuss creative ways that cyber criminals abuse the DNS along with countermeasures defenders can use to help protect their networks.

Talk Duration 30 Minutes

Primary author

Mr Jaeson Schultz (Cisco Systems)

Presentation materials