NxFilter Tutorial

Detecting and preventing malware/botnet activity
NxFilter can detect and block malware in your network.

How it works
NxFilter can detect and block malware/botnet activity by analyzing DNS packets. In reality, malware and botnets are simply network client or server programs, and they rely heavily on the DNS protocol to find the masters or peers they communicate with, or the victims they attack.

For example, if you have a spambot in your network, it will make a large number of DNS queries for the MX records of its target domains in order to send email. A normal client PC, however, has no need to make such queries.

Another example is botnets using TXT records or other DNS record types as their communication channel. These are real-world examples of malware using the DNS protocol for communication:

ex1) Trojan.Spachanel was using SPF record.
ex2) W32.Morto was using TXT record.

Another method is detecting abnormally long domain names. When we tested the top 100,000 domains by Alexa, only 142 of them were longer than 30 characters. There are also abnormal domains that try to look like the URL of a target website. Below is an example domain made to look like a webpage of www.ebay.co.uk, but it is actually a phishing domain.

ex) cgi.ebay.co.uk-item-css.ebay-motors.session.id-sj3mzbasf3k12z581668115.login-wpadmin-sw.buyitnow.sign-in.secure-process657943sddh53zix34235hj65rj.xml.config page.overview.buyer-protection-jsp.wpcs.spiridus-magic.org

So, detecting malware/botnet activity by analyzing DNS packets can be an effective technique. NxFilter provides these blocking options in its policy setup.

  • Max Domain Length
  • Block Covert Channel
  • Block Mailer Worm
  • Allow 'A' Record Only

Among these options, the most effective way of preventing malware/botnet activity in your network is to allow only 'A' records and a few common DNS query types from your client PCs. In most cases, a client PC has no need to query any record types other than 'A', 'AAAA', 'PTR' and 'CNAME'.