Meet Godlua, the first known malware that leverages DNS over HTTPS

onetheycallEric

TS Addict
Staff member

DNS over HTTPS has been gaining momentum. Last October, the Internet Engineering Task Force formally adopted DoH, published as RFC 8484, and while the concept itself isn't new, the concept of malware strains exploiting it is. In their report, Netlab researchers detected a suspicious ELF file, one that was originally thought to be a cryptocurrency mining Trojan.

While researchers haven't confirmed or denied any cryptocurrency mining functionality, they have confirmed it behaves more like a DDoS bot. Researchers have observed that the file works as a "Lua-based backdoor" on infected systems, and have noted at least one DDoS attack levied against liuxiaobei.com. So far, researchers have spotted at least two versions out in the wild, both using DNS over HTTPS instead of a traditional DNS request.

By using DNS over HTTPS, the malware strain can hide its DNS traffic through an encrypted HTTPS connection, allowing Godlua to elude passive DNS monitoring -- an issue that already has cyber security experts alarmed.

Both Google and Mozilla have come out in support of the DoH protocol; Mozilla is currently testing DoH, and Google is now offering DoH as part of its public DNS service. Popular content delivery networks such as Cloudflare also offer DNS resolution over HTTPS.

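To make the evasion concrete, here is an added example (not code from the Netlab report, the Godlua sample or the post above) showing what the RFC 8484 GET form of a DoH lookup looks like on the wire, how the application/dns-message answer is parsed, and why a passive DNS sensor watching UDP/53 never sees the lookup. The domain names, flow records, response bytes and the resolver hostname list are constructed for the example; dns.google and cloudflare-dns.com are real resolver hostnames, but treating them as a blocklist is an assumption of this example, not something the article recommends. The query URL produced for www.example.com is the same string RFC 8484 uses in its own GET example.

```python
"""Added example (not from the Netlab report or the post above): how an
RFC 8484 DNS-over-HTTPS GET query is formed, how the application/dns-message
answer is parsed, and what a passive-DNS sensor on UDP/53 does and does not
see.  The domain names, flow records, response bytes and resolver list are
constructed for the example."""
import base64
import struct

# Constructed list of DoH resolver hostnames a sensor might match on TLS SNI.
DOH_RESOLVER_SNI = {"dns.google", "cloudflare-dns.com"}


def build_dns_query(name, qtype=1):
    """Wire-format DNS query: ID 0 (RFC 8484 recommends it), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_host, wire_query):
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}/dns-query?dns={encoded}"


def parse_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(parse_name(msg, ptr)[0])
            off += 2
            break
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def parse_a_answers(msg):
    """Return [(name, ipv4, ttl)] for the A records in a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):           # skip the echoed question section
        _, off = parse_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers


def constructed_doh_response():
    """Constructed application/dns-message body: c2.example.com A 203.0.113.10."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = build_dns_query("c2.example.com")[12:]
    answer = (b"\xC0\x0C"                                # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 300, 4)       # A, IN, TTL 300, 4 bytes
              + bytes([203, 0, 113, 10]))
    return header + question + answer


# Constructed flow records, as a network sensor might summarise them.
CONSTRUCTED_FLOWS = [
    {"proto": "udp", "dport": 53, "dst": "192.0.2.53",
     "payload": build_dns_query("update.example.net")},                   # classic DNS
    {"proto": "tcp", "dport": 443, "dst": "8.8.8.8", "sni": "dns.google"},  # DoH lookup
    {"proto": "tcp", "dport": 443, "dst": "203.0.113.10", "sni": "www.example.org"},
]


def passive_dns_names(flows):
    """Names a passive-DNS sensor on UDP/53 can log; the DoH lookup is absent."""
    names = []
    for flow in flows:
        if flow["proto"] == "udp" and flow["dport"] == 53:
            names.append(parse_name(flow["payload"], 12)[0])
    return names


def doh_suspects(flows):
    """Compensating check: TLS flows whose SNI names a known DoH resolver."""
    return [flow["dst"] for flow in flows if flow.get("sni") in DOH_RESOLVER_SNI]


if __name__ == "__main__":
    print(doh_get_url("dns.google", build_dns_query("www.example.com")))
    print(parse_a_answers(constructed_doh_response()))
    print(passive_dns_names(CONSTRUCTED_FLOWS), doh_suspects(CONSTRUCTED_FLOWS))
```

The point of the two sensor functions: the name the malware resolved over DoH never appears in the passive-DNS log, only the plain UDP/53 lookup does. What a defender can still see is a TLS session to a resolver endpoint (by destination address or SNI), which is why egress policy for DoH resolvers, rather than passive DNS alone, is the practical control here.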

Markoni35

TS Addict
Interestingly, each time they add a new feature, it's the source of the next security hole. Maybe they should make things simpler, instead of adding millions and millions of lines of new code, that nobody can really check from the inside.
 

cliffordcooley

TS Redneck
I don't understand why http was not designed to be an extension of DNS security. It should have been DNS that was secured, not the extension of DNS.
 

mbrowne5061

TS Evangelist
Interestingly, each time they add a new feature, it's the source of the next security hole. Maybe they should make things simpler, instead of adding millions and millions of lines of new code, that nobody can really check from the inside.
I like this idea. In fact, I don't think it goes far enough. The logical conclusion is to turn off the internet. It would probably be for the best.