Monday, February 12, 2018

Using malware's own behavior against it

A quick read for a Monday night.

Last week while investigating some noisy events in my security monitoring system, I noticed two competing Windows features filling up event logs: link-local multicast name resolution (LLMNR) put lots of name resolution requests onto the local network segment, which Windows firewall promptly blocked.

LLMNR is the successor to NetBIOS Name Service. Both serve the same purpose: if a computer cannot resolve a name through DNS, it essentially yells out on the local network "hey, anyone know an address for xyzzy?" 

This sounds like a reasonable solution, but it invites abuse. If an adversary has a foothold on my network, they can either listen for and reply to common typos, or can actively interrupt the legitimate DNS and instead give their own answers. In either case, the adversary can provide fake addresses for servers and websites, directing users to malicious places (and possibly stealing usernames and passwords along the way).

Generally speaking, I recommend turning off LLMNR and NBNS, as well as using a trusted DNS provider that prevents access to known-malicious websites.

Today I came across a slick way to use such malware's own behavior against it. LLMNR "responder" malware replies to requests with a bogus address, so they generally respond to *any* request. So Respounder spits out bogus name requests and looks for responses.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen