Posted by Martijn Grooten on Apr 24, 2019
The use of DNS as a covert C&C communication channel has been widely documented and is fairly prevalent in the wild. Last week, Palo Alto Networks analysed its use in the various tools of Iran's OilRig (APT34) group.
But DNS is not unique in this. As long ago as 2006, ICMP packets were being used in a trojan to exfiltrate data.
Another protocol that can be abused as a C&C channel is NTP, the protocol used for clock synchronization.
Today, we publish a paper by researcher Nikolaos Tsapakis, who looked at how NTP packets can be made to carry data and at what can be done to detect this use of NTP.
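The detection angle mentioned above, as an added example: the script below is not from the paper or from Virus Bulletin, and the thresholds and sample traffic are constructed. It decodes the fixed 48-byte NTP header (RFC 5905) from UDP/123 payloads and flags the kinds of structural and behavioural oddities a defender would review: invalid version or mode values, bytes beyond the fixed header (legitimate only where extension fields such as NTS or Autokey are in use), and a source sending far more packets per minute than a normal client's polling interval allows.

```python
import struct
from collections import defaultdict

NTP_HEADER_LEN = 48                   # RFC 5905 fixed header, no extension fields
VALID_VERSIONS = {2, 3, 4}
VALID_MODES = {1, 2, 3, 4, 5, 6, 7}   # mode 0 is reserved
MAX_PKTS_PER_WINDOW = 10              # assumed threshold; real clients poll every >= 16 s


def parse_ntp_header(payload: bytes) -> dict:
    """Decode the fields of the fixed 48-byte NTP header we care about."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("payload shorter than the 48-byte NTP header")
    first = payload[0]
    return {
        "li": first >> 6,
        "version": (first >> 3) & 0x07,
        "mode": first & 0x07,
        "stratum": payload[1],
        "poll": payload[2],
        "tx_timestamp": struct.unpack("!Q", payload[40:48])[0],
    }


def inspect_payload(payload: bytes) -> list:
    """Return structural findings for one UDP/123 payload (empty list = looks normal)."""
    if len(payload) < NTP_HEADER_LEN:
        return ["truncated header"]
    hdr = parse_ntp_header(payload)
    findings = []
    if hdr["version"] not in VALID_VERSIONS:
        findings.append(f"unexpected version {hdr['version']}")
    if hdr["mode"] not in VALID_MODES:
        findings.append(f"reserved mode {hdr['mode']}")
    extra = len(payload) - NTP_HEADER_LEN
    if extra:
        # Extension fields are legitimate with NTS/Autokey; elsewhere this is worth a look.
        findings.append(f"{extra} bytes beyond the fixed header")
    return findings


def analyse(records, window_s=60, max_per_window=MAX_PKTS_PER_WINDOW) -> dict:
    """records: iterable of (epoch_seconds, src_ip, payload). Returns {src_ip: [findings]}."""
    alerts = defaultdict(list)
    per_window = defaultdict(int)     # (src, window index) -> packet count
    for ts, src, payload in records:
        alerts[src].extend(inspect_payload(payload))
        key = (src, int(ts // window_s))
        per_window[key] += 1
        if per_window[key] == max_per_window + 1:   # fire once per window
            alerts[src].append(f"more than {max_per_window} NTP packets in {window_s} s")
    return {src: f for src, f in alerts.items() if f}


def ntp_client_request(version=4, mode=3, trailer=b"") -> bytes:
    """Constructed sample: minimal client packet (LI=0, VN, mode), remaining header zero."""
    first = (version << 3) | mode
    return bytes([first]) + bytes(NTP_HEADER_LEN - 1) + trailer


# Constructed sample traffic: one normal client and one host behaving oddly.
SAMPLE_RECORDS = [
    (1000.0, "10.0.0.5", ntp_client_request()),                    # normal poll
    (1064.0, "10.0.0.5", ntp_client_request()),                    # next poll, 64 s later
    (1000.0, "10.0.0.9", ntp_client_request(trailer=b"A" * 20)),   # 68-byte packet
    (1001.0, "10.0.0.9", ntp_client_request(version=7)),           # invalid version
] + [(1010.0 + i, "10.0.0.9", ntp_client_request()) for i in range(10)]  # burst


if __name__ == "__main__":
    for src, findings in analyse(SAMPLE_RECORDS).items():
        print(src)
        for f in findings:
            print("  -", f)
```

Run stand-alone, it reports only 10.0.0.9, with the oversized packet, the bad version and the burst. In practice, feed `analyse()` from a packet capture or NetFlow export filtered to UDP port 123 and tune `MAX_PKTS_PER_WINDOW` to the polling behaviour of the clients on your network.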