The use of DNS as a covert C&C communication channel has been widely documented and is fairly prevalent in the wild. Last week, Palo Alto Networks analysed its use in the various tools of Iran's OilRig (APT34) group.
But DNS is not unique in this. As long ago as 2006, ICMP packets were being used in a trojan to exfiltrate data.
Another protocol that lends itself to C&C communication is NTP, the protocol used for clock synchronization.
Today, we publish a paper by researcher Nikolaos Tsapakis, who examined how NTP packets can be made to carry data and what can be done to detect this use of NTP.
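As an added illustration of the detection side (this is example code written for this post, not from the paper or from any monitoring tool), the snippet below decodes the fixed 48-byte NTP header from RFC 5905 and applies a few simple heuristics to a raw UDP payload: unusual version or mode, a trailer that is not one of the standard MAC sizes, and a long high-entropy trailer. The expected-mode check assumes an environment where only plain client/server exchanges (modes 3 and 4) are normal, and the sample packets are constructed, not captured traffic.

```python
import math
import struct
from collections import Counter

NTP_HEADER_LEN = 48
KNOWN_MAC_LENS = {20, 24}   # RFC 5905 MD5 / SHA-1 MAC (key id + digest)


def parse_ntp_header(pkt: bytes) -> dict:
    """Decode the fixed 48-byte NTP header and keep whatever follows it."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    first, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    ref_ts, orig_ts, recv_ts, xmit_ts = struct.unpack("!QQQQ", pkt[16:48])
    return {
        "version": (first >> 3) & 0x7,   # bits 2..4 of the first byte
        "mode": first & 0x7,             # low three bits: 3 = client, 4 = server
        "stratum": stratum,
        "timestamps": (ref_ts, orig_ts, recv_ts, xmit_ts),
        "trailer": pkt[NTP_HEADER_LEN:],  # extension fields / MAC / anything else
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for a uniformly random byte string."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_ntp_packet(pkt: bytes) -> list:
    """Return heuristic findings; an empty list means nothing stood out."""
    h = parse_ntp_header(pkt)
    findings = []
    if h["version"] not in (3, 4):
        findings.append(f"unusual NTP version {h['version']}")
    # Assumption: only plain client (3) / server (4) exchanges are expected here.
    if h["mode"] not in (3, 4):
        findings.append(f"unexpected mode {h['mode']}")
    trailer = h["trailer"]
    if trailer and len(trailer) not in KNOWN_MAC_LENS:
        findings.append(f"{len(trailer)} trailing bytes, not a standard MAC length")
    if len(trailer) >= 32 and shannon_entropy(trailer) > 5.0:
        findings.append("high-entropy trailer")
    return findings


# Constructed samples: a plain NTPv4 client request with only a transmit timestamp...
NORMAL = bytes([0x23]) + bytes(39) + struct.pack("!Q", 0xE3C1F4D200000000)
# ...and the same header followed by 64 bytes of filler standing in for smuggled data.
SUSPECT = NORMAL + bytes(range(32, 96))
```

Run the heuristics over each UDP/123 payload from a capture; the trailer checks are the ones most likely to surface data tucked behind an otherwise valid header.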