
Meet Godlua, the first known malware that leverages DNS over HTTPS

By onetheycallEric · 5 replies
Jul 3, 2019
DNS over HTTPS has been gaining momentum. Last October, the Internet Engineering Task Force formally adopted DoH, published as RFC 8484, and while the protocol itself isn't new, malware strains exploiting it are. In their report, Netlab researchers detected a suspicious ELF file, one that was originally thought to be a cryptocurrency mining Trojan.

While researchers haven't confirmed or denied any cryptocurrency mining functionality, they have confirmed that it behaves more like a DDoS bot. Researchers have observed that the file works as a "Lua-based backdoor" on infected systems, and have noted at least one DDoS attack levied against liuxiaobei.com. So far, researchers have spotted at least two versions in the wild, both using DNS over HTTPS instead of a traditional DNS request.

By using DNS over HTTPS, the malware strain hides its DNS traffic inside an encrypted HTTPS connection, allowing Godlua to elude passive DNS monitoring -- an issue that already has cybersecurity experts alarmed.

Both Google and Mozilla have come out in support of the DoH protocol; Mozilla is currently testing DoH, and Google is now offering DoH as part of its public DNS service. Popular content delivery networks such as Cloudflare also offer DNS resolution over HTTPS.
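The evasion described above, from the defender's side, as an added example that is not from the article or from Netlab's report: a small Python detector that flags hosts whose name resolution never appears on port 53 yet repeatedly open TLS connections to public DoH resolvers. The resolver names and IPs are assumptions about well-known public endpoints, and the log lines are constructed.

```python
from collections import defaultdict

# Assumed well-known public DoH endpoints (SNI names and resolver IPs);
# tune these to the resolvers actually seen in your own environment.
DOH_SNI = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# Constructed sample log, one record per line:
#   <kind> <src_ip> <dst_ip> <dst_port> <detail>
# kind "dns" = plain UDP/53 query, detail = queried name
# kind "tls" = TLS connection,     detail = SNI, or "-" if none was seen
SAMPLE_LOG = """\
dns 10.0.0.5 10.0.0.1 53 www.example.com
tls 10.0.0.5 93.184.216.34 443 www.example.com
tls 10.0.0.9 1.1.1.1 443 cloudflare-dns.com
tls 10.0.0.9 1.1.1.1 443 cloudflare-dns.com
tls 10.0.0.9 203.0.113.7 443 -
tls 10.0.0.9 8.8.8.8 443 dns.google
dns 10.0.0.7 10.0.0.1 53 update.example.net
tls 10.0.0.7 8.8.8.8 443 dns.google
"""


def is_doh(kind, dst, port, detail):
    """TLS on 443 to a known resolver IP, or with a known resolver SNI."""
    return kind == "tls" and port == 443 and (dst in DOH_IPS or detail in DOH_SNI)


def analyze(log_text, min_doh=2):
    """Return {src_ip: (doh_connections, plain_dns_queries)} for hosts with
    at least min_doh DoH connections and zero plain DNS queries, i.e. hosts
    whose name resolution never shows up in port-53 passive DNS data."""
    doh, plain = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, src, dst, port, detail = line.split()
        port = int(port)
        if kind == "dns" and port == 53:
            plain[src] += 1
        elif is_doh(kind, dst, port, detail):
            doh[src] += 1
    return {h: (doh[h], plain[h]) for h in doh
            if doh[h] >= min_doh and plain[h] == 0}


if __name__ == "__main__":
    for host, (d, p) in analyze(SAMPLE_LOG).items():
        print(f"{host}: {d} DoH connections, {p} plain DNS queries")
```

On the sample log only 10.0.0.9 is flagged; 10.0.0.7 also talks to a DoH resolver but still issues plain queries, so a threshold on the ratio rather than a hard zero would be the next refinement.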


Danny101 TS Guru Posts: 819   +324

And the struggle continues...

Markoni35 TS Addict Posts: 245   +113

Interestingly, each time they add a new feature, it's the source of the next security hole. Maybe they should make things simpler, instead of adding millions and millions of lines of new code that nobody can really check from the inside.

cliffordcooley TS Guardian Fighter Posts: 11,508   +5,073

I don't understand why HTTP was not designed to be an extension of DNS security. It should have been DNS that was secured, not the extension of DNS.

mbrowne5061 TS Evangelist Posts: 1,238   +691

I like this idea. In fact, I don't think it goes far enough. The logical conclusion is to turn off the internet. It would probably be for the best.

jobeard TS Ambassador Posts: 13,005   +1,557

As discussed here.
