Scott Register
VP, Product Management

Ixia’s ATI Processor Quickly Detects New DNSMessenger Attack

March 6, 2017 by Scott Register

A new attack has surfaced that can give a remote attacker the ability to install a Trojan on an unsuspecting user’s system and control it. The DNSMessenger attack, recently described by Cisco Talus, uses bidirectional DNS messages to exchange information and commands between a remote system and the compromised workstation. Critically, the attack uses the DNS TXT field in DNS requests to surreptitiously convey Powershell commands and responses until the ultimate Trojan has been planted and the system is fully compromised. 

This attack can be difficult to detect using traditional signature-based tools, because the attack is classified as “fileless” – the initial instructions that kick off the exploit chain are embedded as Visual Basic commands within a Word document. No files ever have to be written to the OS filesystem as part of the ensuing attack. This is part of the larger trend away from signature-based detection systems being effective, as there are simply too many endpoint infection vectors that change too frequently for a signature-based engine to catch. A different approach, which uses different techniques to detect the Command & Control (CnC or C2) communication between the infected endpoint and the remote attacker, is much more effective.

Fortunately, Ixia customers who use the Application and Threat Intelligence Processor (ATIP), available in our Vision ONE and NTO7300 platforms, already have this detection capability. As part of our ongoing security research and development, Ixia built reporting of the DNS TXT field contents into our IxFlow extensions to IPFIX/Netflow. By using any of our partner tools, such as Plixer Scrutinizer, users can quickly scan all DNS communications for the existence and contents of the DNS TXT field.


Figure 1. ATIP IxFlow configuration

Configuration is easy; simply bring up the Netflow settings screen on the ATIP user interface, and select DNS TXT. ATIP will then extract the DNS TXT field from any queries it observes, subject to whatever filter criteria you’d like to apply, and supply that data on a per-flow basis. Many other security-related metadata fields may also be selected here, such as encryption information and HTTP URI. On the downstream analysis tool, it is simple to then run a quick search for any internal hosts sending DNS queries containing a populated TXT field, and even examine the contents of those fields for suspicious commands. 

Have a question for Ixia’s security experts? Feel free to reach out to us on Twitter at @IXIA_ATI or me directly at @swregister or