Tue. Nov 19th, 2019

Reseachers found Godlua, first malware that used DNS over HTTPS to hide network traffic

2 min read

In order to improve the security of the domain name resolution service, a solution called DNS over HTTPS (DoH for short) was introduced in the industry. However, the researchers at Network Security Research Lab have discovered the first malware that uses the DoH protocol, which is Godlua based on the Lua programming language. The name comes from the Lua codebase and the magic character God included in one of the seven sample source code.

The growth of HTTPS-based domain name resolution services has been strong. In October last year, the Internet Engineering Task Force officially released DoH ( RCF 8484 ). Although it is not a new concept, the first use of DoH malware still allows the industry to feel a new round of ups and downs in the future.

Netlab researchers mentioned in the report that they found a suspicious ELF file, but initially mistakenly thought it was just a cryptocurrency mining trojan. Although the cryptocurrency mining capabilities have not been confirmed or denied, they have proven to be more like distributed denial of service (DDoS) bot.

The researchers observed that the file would run as a “Lua-based back door” on the infected system and noticed at least one DDoS attack against liuxiaobei.com. To date, researchers have spotted at least two versions out in the wild, both using DNS over HTTPS instead of a traditional DNS request.

With DNS over HTTPS, malware can hide its DNS traffic through an encrypted HTTPS connection, allowing Godlua to bypass DNS monitoring, which is enough to shock network security experts.

It is reported that both Google and Mozilla have provided support for DoH, and the former even uses DoH as part of its public DNS service. In addition, Internet infrastructure service providers such as Cloudflare also provide support for DoH.

Via: TechSpot