Hello, welcome to the Monday, July 8, 2019 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from London, England.

DNS over HGPS is in the news again or not depending on how you interpret an analysis done by Chihu 360 or NetLab

360 of a recent godlua Linux Trojan. One of the special features of this particular piece of malware

is that it has a number of redundant command and control channels.

Now, one thing that it does according to the NetLab 360 analysis is it uses DNS over

HTTP to retrieve a text record with the particular command control server's name.

Now, Curl co-developer Daniel Sternberg actually noted that the protocol being used here is not actual DNS over HTTP.

Instead, it's more sort of a homemade protocol that's unique to this particular malware.

It does send a request to a website over

HTTP and then in return you do get the host name of the command control server. It's

supposed to connect to but it does not use any of the public DNS over HDPS servers,

and also the protocol being used here would not be compatible with any of these servers.

For Defender, this is an important distinction,

because if the attacker would use DNS over HDPS,

then you could use any defensive techniques that you

typically use for DNS over HDPS, like the blacklists that John Bambenek published last week

and that I mentioned.

This looks more like a standard command control channel over HDPS, so these techniques wouldn't work,

and you would just have to look for standard HDPS analysis techniques.

In the show notes, I will link to two articles here.

...