Analysis of DNS Tunneling
As with PoisonFrog, Glimpse uses A resource records to communicate with its controller. Additionally, Glimpse can be set to use text mode, which makes use of TXT resource records to receive tasking. While in text mode, Glimpse does not take advantage of the recursion typically observed in DNS communications (i.e., the infected victim sends DNS queries directly to the controller). Communicating directly with the controller, while operationally viable, may fail in environments that restrict the use of external DNS servers.
DNS Invocation and Resource Records
The methods employed by Glimpse to perform DNS communications are determined by the mode in which it is operating (i.e., text mode or ping mode). In text mode, Glimpse manually builds a DNS query to be transmitted over a UDP socket. In ping mode, Glimpse uses a .NET method. The table below describes the operational mode, record types used, and the method used to send the query.
Query Building Overview
The first DNS query by Glimpse requests the mode to be used in future communications with the controller (i.e., ping mode or text mode). Prior to making any query, a function called AdrGen is used to build a query string. This function takes several parameters, most of which are represented in the subdomain label(s) of the query string. Below is a list of AdrGen parameters.
As mentioned above, one of the parameters passed to the AdrGen function is the action parameter. Table 5 (Glimpse action parameter values for the AdrGen function), below, contains the possible values, a brief description of each, and the return values applicable to the action parameter.
The AdrGen function performs several steps to insert random data into the query string it builds. Steps of this kind have been seen in other malware to avoid DNS caching and to hinder signature-based detection. Once called, the AdrGen function builds a string of the hexadecimal characters 0-9 and A-F and randomly selects one to seven of them. The randomly selected hex characters serve as random padding in later operations. The function then randomly selects two digits from the range 0-9. Similar to PoisonFrog, the selected digits are used to determine the indices at which parameter values are inserted into the control data section of the query string. The table below depicts the structure for how the values above are employed. We refer to this section as the management data section due to its primary functionality:
The control data section of the query string is composed of the victim's agent ID, the action value parameter, and the part_no parameter. While building the control data section, the AdrGen function makes use of the two randomly generated digits described earlier. The first digit is used as the index within the agent ID at which the part_no parameter is inserted. The second digit is used as the index within the agent ID at which the action value parameter is inserted. Below is an example of the control data section of a query string given some of the values described above.
Based on the values in the table above and random index digits of 4 and 8, the table below depicts how the control data section is created.
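The insertion scheme above can be reversed when decoding Glimpse queries recovered from DNS logs. The following decoder is an added example, not code from the report or from the malware; it assumes that part_no is inserted first and the action value second (into the already-modified string), that the action field is one character wide, and it uses a constructed agent ID and part number with the report's example indices 4 and 8.

```python
"""Decoder for the Glimpse control data section (added example).
Assumptions not stated in the report: part_no is inserted before the action
value, each index refers to the string as it is at insertion time, and the
action field is one character wide. Sample values are constructed."""


def build_control_section(agent_id: str, action: str, part_no: str,
                          part_idx: int, action_idx: int) -> str:
    """Rebuild a control data section as the text describes; used here only
    to produce known input for the decoder."""
    if not 0 <= part_idx <= len(agent_id):
        raise ValueError("part_no index outside agent ID")
    s = agent_id[:part_idx] + part_no + agent_id[part_idx:]
    if not 0 <= action_idx <= len(s):
        raise ValueError("action index outside control data")
    return s[:action_idx] + action + s[action_idx:]


def parse_control_section(section: str, part_idx: int, action_idx: int,
                          part_len: int, action_len: int = 1) -> dict:
    """Recover agent ID, action and part_no from a control data section.
    Fields are removed in reverse insertion order so the indices line up."""
    if action_idx + action_len > len(section):
        raise ValueError("action index outside control data")
    action = section[action_idx:action_idx + action_len]
    s = section[:action_idx] + section[action_idx + action_len:]
    if part_idx + part_len > len(s):
        raise ValueError("part_no index outside agent ID")
    part_no = s[part_idx:part_idx + part_len]
    agent_id = s[:part_idx] + s[part_idx + part_len:]
    return {"agent_id": agent_id, "action": action, "part_no": part_no}


def roundtrip_all_digit_pairs(agent_id: str, action: str, part_no: str) -> bool:
    """Check that decoding reverses encoding for every digit pair 0-9, the
    range the report says AdrGen draws its two indices from."""
    expected = {"agent_id": agent_id, "action": action, "part_no": part_no}
    for part_idx in range(10):
        for action_idx in range(10):
            section = build_control_section(agent_id, action, part_no,
                                            part_idx, action_idx)
            if parse_control_section(section, part_idx, action_idx,
                                     len(part_no), len(action)) != expected:
                return False
    return True


if __name__ == "__main__":
    # Constructed sample: made-up agent ID "a1b2c3d4e5", part_no "00", the
    # M (mode request) action, and the report's example indices 4 and 8.
    sample = build_control_section("a1b2c3d4e5", "M", "00", 4, 8)
    print(sample, parse_control_section(sample, 4, 8, part_len=2))
```

The decoder needs the two index digits, which the report states are carried in the management data section; its layout is not reproduced here, so they are passed in explicitly.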
After creating the control data section of the query string, the sender_or_receiver parameter is checked in order to put the rest of the query string together. The initial communication with the controller passes the M action, which asks the controller which receive mode, ping or text, the malware should use. In addition to building the control and management data sections, the AdrGen function is responsible for appending the encoded data, the encoded file name (if conducting send operations), and the controller domain to the control data and management data. The example below represents the complete query string sent to the controller when the AdrGen function is called with the r (receiver) flag. It is worth noting that this query is made using the [System.Net.Dns]::GetHostAddresses method.
The query to set the receive mode expects an A resource record response from the controller. The controller responds in one of two ways: a response of 126.96.36.199 sets the receive mode to text, while any other IP address sets the receive mode to ping, although the server-side software suggests 188.8.131.52 is sent.