Malware authors have devised many ingenious methods of protecting the identity of their Command and Control (C2) servers. One common method is to use DNS as a layer of indirection that protects the IP address of the C2 server. A recent malware trend has emerged in which a botnet or Advanced Persistent Threat (APT) registers a fully qualified domain name (FQDN) in public DNS, but with a short time-to-live (TTL), so that its bots must continually poll a public DNS resolver to obtain the current address of the C2 server. Since the C2 server rarely needs to send any commands, this technique sets the FQDN to resolve to localhost, which causes every bot to send its C2 traffic back to itself, suppressing traffic that would otherwise be exposed to analysis by security devices attached to the network. When the C2 server wakes, the DNS entry is changed to the C2 server's IP address; once the C2 commands have been delivered, the C2 server goes back to sleep and the DNS entry is set to localhost once more.
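The pattern just described leaves a distinctive trace in resolver logs: a non-localhost name that answers with a loopback address under a short TTL, and whose answer flips between loopback and a routable address over time. The following script is an added example of how a defender could surface that trace; it is not code from the original text and assumes a constructed, whitespace-separated log format (timestamp, client, query name, record type, answer, TTL) rather than any particular resolver's output. The domain names and addresses in the sample are constructed for illustration.

```python
"""Flag DNS names that park on a loopback address with a short TTL (localhost-parking C2)."""
import ipaddress
from collections import defaultdict

# Constructed sample resolver log lines (not real data): ts client qname rtype answer ttl
SAMPLE_LOG = """\
1700000000 10.0.0.5  update.example-c2.test A 127.0.0.1     30
1700000060 10.0.0.5  update.example-c2.test A 127.0.0.1     30
1700000120 10.0.0.7  update.example-c2.test A 203.0.113.10  30
1700000180 10.0.0.5  update.example-c2.test A 127.0.0.1     30
1700000200 10.0.0.9  www.example.test       A 198.51.100.20 3600
1700000260 10.0.0.9  localhost              A 127.0.0.1     86400
1700000300 10.0.0.11 dev.example.test       A 127.0.0.1     3600
"""

SHORT_TTL_SECONDS = 300          # assumed threshold; tune to the environment
ALLOWLIST = {"localhost"}        # names that legitimately resolve to loopback


def parse_dns_log(text):
    """Parse A/AAAA answers from the assumed log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            continue                      # malformed line: skip rather than crash
        ts, client, qname, rtype, answer, ttl = parts
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue                      # answer was not an IP literal
        records.append({
            "ts": int(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "addr": addr,
            "ttl": int(ttl),
        })
    return records


def is_self_directed(addr):
    """Loopback (127/8, ::1) and unspecified (0.0.0.0, ::) answers send traffic back to the host."""
    return addr.is_loopback or addr.is_unspecified


def analyze(records, short_ttl=SHORT_TTL_SECONDS, allowlist=ALLOWLIST):
    """Return {qname: finding} for names showing the short-TTL loopback pattern."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["qname"]].append(r)

    findings = {}
    for name, recs in by_name.items():
        if name in allowlist:
            continue
        recs.sort(key=lambda r: r["ts"])
        loopback_short = [r for r in recs
                          if is_self_directed(r["addr"]) and r["ttl"] <= short_ttl]
        if not loopback_short:
            continue                      # long-TTL loopback (e.g. a dev hostname) is not this pattern

        # Count transitions between self-directed and routable answers over time.
        flips, prev = 0, None
        for r in recs:
            cur = is_self_directed(r["addr"])
            if prev is not None and cur != prev:
                flips += 1
            prev = cur

        routable = sorted({str(r["addr"]) for r in recs if not is_self_directed(r["addr"])})
        findings[name] = {
            # a flip to a routable address is the "C2 awake" window; rank it higher
            "severity": "high" if flips else "medium",
            "flips": flips,
            "short_ttl_loopback_answers": len(loopback_short),
            "routable_answers": routable,   # candidate C2 addresses to investigate
            "clients": sorted({r["client"] for r in recs}),  # hosts that polled the name
        }
    return findings


if __name__ == "__main__":
    for name, f in analyze(parse_dns_log(SAMPLE_LOG)).items():
        print(name, f)
```

The TTL gate keeps ordinary loopback records (a developer hostname pinned to 127.0.0.1 with a long TTL) out of the results, and the flip count is what distinguishes a parked C2 name from a name that simply happens to point at loopback: the routable addresses observed during the flips and the clients that kept polling the name are the two lists an analyst would act on first.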
In view of the foregoing, it may be understood that there may be significant problems and shortcomings associated with current data security technologies.