Blog | G5 Cyber Security

Flame Trojan C&C Domains

TL;DR

This guide helps identify and block Command & Control (C&C) domains used by the Flame/Skywiper trojan. It covers domain lists, DNS analysis techniques, and blocking methods.

Identifying Flame C&C Domains

  1. Understand Domain Lists: Several sources maintain lists of known Flame-related domains. These are a good starting point. Some key resources include:
  • Historical DNS Data: Flame used a complex network of domains, many of which are no longer active. Examining historical DNS records can reveal previously used C&C servers.
    • Passive DNS Services: Use services like VirusTotal or SecurityTrails to query domain history.
    • Example using dig (Linux/macOS):
      dig +trace flame-domain.com

      This walks the delegation chain from the root servers down to the domain's authoritative name servers; pair it with the passive DNS history above to spot servers the domain pointed to previously.

  • Domain Registration Information: Look for patterns in domain registration data.
    • WHOIS Lookup: Use a WHOIS tool (e.g., https://whois.domaintools.com/) to check the registrant, creation date, and other details.
    • Flame operators often used privacy-protected registrations or fake contact information. Domains registered around the same time with similar patterns are suspicious.

DNS Analysis Techniques

  1. Reverse DNS Lookups: Identify domains associated with specific IP addresses.
    • Use tools like host (Linux/macOS) or online reverse DNS lookup services.
    • Example using host:
      host 192.0.2.1

      This will show the domain name(s) associated with that IP address, if any.

  2. DNS Zone Transfers (AXFR): Attempt to perform a zone transfer on potentially compromised DNS servers.
    • This is often disabled but can reveal all records for a domain.
    • Use dig with the AXFR query type, directed at one of the domain's authoritative name servers (+trace does not apply here):
      dig @ns1.flame-domain.com flame-domain.com AXFR

      (Replace ns1.flame-domain.com with a server from the domain's NS records. Requires permission and is rarely successful; properly configured servers refuse transfers to unauthorised hosts.)

  3. DNS Record Types: Analyse different DNS record types (A, CNAME, MX, TXT) for anomalies.
    • Look for unusual CNAME records pointing to suspicious domains.
    • Check TXT records for potential malware-related strings or configuration data.

Blocking Flame C&C Domains

  1. Firewall Rules: Add rules to your firewall to block communication with known and suspected C&C domains.
    • Most firewalls allow you to create rules based on domain names.
    • Example (iptables – Linux):
      iptables -A OUTPUT -d flame-domain.com -j DROP

      (Replace ‘flame-domain.com’ with the actual domain. Note that iptables resolves the name only once, when the rule is added, so the rule matches just the IP addresses returned at that moment; re-add it when the domain's addresses change, or rely on a DNS sinkhole for true name-based blocking.)

  2. DNS Sinkholes: Redirect DNS queries for malicious domains to a sinkhole server.
    • This prevents infected machines from reaching the C&C servers.
    • Configure your DNS server (e.g., BIND, Unbound) to answer queries for blocked domains with the sinkhole IP address.
  3. Web Proxy Filters: Block access to malicious domains through your web proxy.
    • Most web proxies allow you to create blocklists based on domain names or URLs.
  4. Threat Intelligence Platform Integration: Integrate domain lists into your threat intelligence platform (TIP) for automated blocking and alerting.
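As an added example (not part of the original post) tying the blocklist and sinkhole steps together: a Python script that turns a domain blocklist into Unbound local-zone redirect entries for the sinkhole and scans BIND-style query logs for hosts that looked up a blocked domain, which are the machines to triage. The domains, sinkhole address and log lines are constructed placeholders, not real Flame indicators.

```python
"""Build DNS-sinkhole config from a C&C domain blocklist and scan query logs for hits.
Constructed example: the domains, sinkhole address and log lines are placeholders,
not real Flame indicators."""
import re
from typing import Iterable, List, Tuple

SINKHOLE_IP = "192.0.2.53"  # documentation-range placeholder for your sinkhole
BLOCKLIST = ["flame-domain.example", "c2.update-check.example"]  # constructed list

# BIND-style query log line:
#   client @0x7f3b 10.0.0.7#41022 (host.example): query: host.example IN A + (10.0.0.1)
QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\S+?)#\d+ \([^)]*\): query: (\S+) IN (\S+)")


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so 'Evil.Example.' matches 'evil.example'."""
    return domain.strip().lower().rstrip(".")


def is_blocked(qname: str, blocklist: Iterable[str]) -> bool:
    """True if qname is a blocked domain or a subdomain of one (label boundary enforced)."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in map(normalize, blocklist))


def unbound_local_zones(blocklist: Iterable[str], sinkhole_ip: str = SINKHOLE_IP) -> str:
    """Emit Unbound local-zone/local-data lines; 'redirect' covers the name and all subdomains."""
    lines = []
    for d in map(normalize, blocklist):
        lines.append(f'local-zone: "{d}." redirect')
        lines.append(f'local-data: "{d}. A {sinkhole_ip}"')
    return "\n".join(lines)


def find_blocked_queries(log_lines: Iterable[str], blocklist: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, qname) for each query that hit the blocklist: hosts to triage."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group(2), blocklist):
            hits.append((m.group(1), m.group(2)))
    return hits


SAMPLE_LOG = """\
client @0x7f3a 10.0.0.5#51234 (www.example.org): query: www.example.org IN A + (10.0.0.1)
client @0x7f3b 10.0.0.7#41022 (FLAME-DOMAIN.example): query: FLAME-DOMAIN.example IN A + (10.0.0.1)
client @0x7f3c 10.0.0.9#60001 (cdn.c2.update-check.example): query: cdn.c2.update-check.example IN TXT + (10.0.0.1)
""".splitlines()

if __name__ == "__main__":
    print(unbound_local_zones(BLOCKLIST))
    for ip, name in find_blocked_queries(SAMPLE_LOG, BLOCKLIST):
        print(f"ALERT {ip} queried {name}")
```

Feed the generated lines into unbound.conf (or the equivalent RPZ zone for BIND) and point the log scanner at your resolver's query log to catch hosts that still try to reach the blocked names.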

Important Considerations

  • Flame is an old trojan, but its techniques are still relevant.
  • C&C domains change frequently; keep your blocklists updated.
  • False positives can occur; carefully review any blocked traffic before implementing permanent blocks.
  • Combine domain blocking with other security measures (e.g., endpoint detection and response, intrusion prevention systems) for comprehensive protection against cyber security threats.