Tuesday, June 14, 2011

Emulating Zeus DNS Traffic to Test the Defenses

Via Rapid7, I found a nice post that uses Metasploit to test how our defenses react when a host is infected with the Zeus trojan.

In a nutshell, the author uses the module auxiliary/vsploit/dns/dns_beacon to resolve a list of DNS domain names taken from Abuse.ch's Zeus Tracker. Since these domain names are known to spread malware, our defenses should react and report the incident.

Please note the difference between resolving the DNS name and actually connecting to the server to fetch the malware. I might be wrong, but many IDS/IPS systems only flag the connections to the C&C and the dropper, like the Emerging Threats Signatures do.

To flag our tests, the IDS/IPS would need to inspect the DNS traffic itself. The other option is to set up a DNS sinkhole that redirects these requests, in conjunction with an IDS rule that flags the redirection.
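As an added example (not code from the original post, Rapid7 or the Metasploit module), here is a small Python check a defender could run over resolver query logs to catch exactly the two cases above: queries for domains on a Zeus Tracker style blocklist (parent-domain matches included) and answers that point at the internal sinkhole. The blocklist entries, the sinkhole address and the log line layout are constructed placeholders.

```python
import ipaddress
import re

# Constructed blocklist standing in for a feed such as the Zeus Tracker domain list.
# These names are placeholders, not real indicators.
BLOCKLIST = {"zeus-cc.example", "dropper.example"}

# Address the internal DNS sinkhole answers with for blocked names (assumed value).
SINKHOLE_IP = ipaddress.ip_address("10.99.99.99")

# Constructed resolver log lines: "<timestamp> <client> <qname> <qtype> <answer>".
SAMPLE_LOG = """\
2011-06-14T10:00:01 192.168.1.20 www.example.org A 203.0.113.10
2011-06-14T10:00:02 192.168.1.20 zeus-cc.example A 10.99.99.99
2011-06-14T10:00:03 192.168.1.21 update.dropper.example A 10.99.99.99
2011-06-14T10:00:04 192.168.1.22 mail.example.org MX NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def is_blocklisted(qname, blocklist=BLOCKLIST):
    """True if qname or any of its parent domains is on the blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def scan_log(text, blocklist=BLOCKLIST, sinkhole=SINKHOLE_IP):
    """Return one alert dict per log line that hits the blocklist or the sinkhole."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        ts, client, qname, qtype, answer = m.groups()
        reasons = []
        if is_blocklisted(qname, blocklist):
            reasons.append("blocklisted-domain")
        try:
            if ipaddress.ip_address(answer) == sinkhole:
                reasons.append("sinkhole-answer")
        except ValueError:
            pass  # answer is NXDOMAIN or another non-address value
        if reasons:
            alerts.append({"ts": ts, "client": client, "qname": qname, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The two hits in the sample come from different clients, so the same logic also yields the list of hosts a sinkhole rule should raise an incident for.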
