Fight Back Against Malware Using DNAT Rules

This is another post in my series about #InvisibleOpSec – things we can all do to improve business efficiency, security, and privacy through the lens of resilience with little or no cost and minimal effort.

While there is no perfect or single solution in the battle to protect our families, friends, and clients from malware, there are some things we can do behind-the-scenes. Using DNAT rules is one of them.

Image: MaMi malware (image credit: Intego)

The first malware found targeting Macs in 2018 was MaMi, which did precisely this: it hijacked DNS, and it installed a spoofed certificate authority (CA) to go with it. Malware like it will evolve over time and add complexity, but one thing it already does very well is hijack DNS. Criminals commonly achieve their goals by using malware to re-route DNS queries on compromised machines. DNS translates domain names like google.com or chase.com into IP addresses, so whoever controls a victim's DNS controls where the victim ends up. When criminals successfully re-route DNS, they lead their unsuspecting victims to sites that are not legitimate but convincing imposters under the criminals' control, doing their bidding.

DNAT rules put in place on a router (or any device capable of using them) can help detect and prevent malware that attempts to re-route our DNS queries before it has a chance to use our own infrastructure against us. DNAT stands for Destination Network Address Translation. It’s versatile and useful for routing traffic according to specific rules. For example, a rule can be set to help us detect when malware tries to re-route our DNS requests from our LAN to the WAN (or Internet).

Image: how traffic flows from our LAN to the WAN (the Internet)
Here's a simple drawing I made to help illustrate.

I'll do my best to explain in friendly terms. Imagine that DNS requests flow from our LAN (our private home or office network) to our WAN (the connection to the Internet that our ISP provides). Once malware is successfully installed inside a network, it's typical for it to hijack DNS so it can communicate with external command-and-control servers and carry out whatever other nasty list of deeds it's designed for.

Here’s a use case scenario: suppose a device on a network gets infected with malware that then tries to write its own custom DNS configuration. Or here’s another, arguably even more common scenario: maybe someone (clever kids!) tries to set their DNS to something other than the preferred DNS servers to work around content filtering to watch something inappropriate. In either case, a DNAT rule will detect and then re-write the unsanctioned DNS server address(es) to the proper one(s), continuing to forward DNS queries to the proper servers. Worthwhile? You bet it is.
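The rule described above, as an added example that is not from the original post: for a Linux-based router running iptables (OpenWrt, a Raspberry Pi gateway and the like), every DNS query leaving the LAN that is not addressed to the sanctioned resolver is first logged (the detection half) and then has its destination rewritten to that resolver (the prevention half). The LAN interface name, the resolver address and the "DNS-HIJACK " log prefix are assumptions; the script prints the rules for review by default and only applies them when run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the original post): iptables DNAT rules that force
# every DNS query leaving the LAN to the sanctioned resolver and log the ones
# that tried to go elsewhere. LAN_IF, SANCTIONED_DNS and the log prefix are
# assumptions for a generic Linux/iptables router; adjust them to your network.
LAN_IF="${LAN_IF:-br-lan}"                        # LAN-side interface (assumed)
SANCTIONED_DNS="${SANCTIONED_DNS:-192.168.1.1}"   # resolver clients must use (assumed)

# Emit the rules instead of applying them, so they can be reviewed first.
# Both UDP and TCP port 53 are covered; TCP is used for large answers and zone
# transfers, and malware can use either.
dnat_dns_rules() {
    lan_if="$1"; dns="$2"
    for proto in udp tcp; do
        # 1) detection: log (rate-limited) any DNS query not aimed at the sanctioned resolver
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 ! -d $dns" \
             "-m limit --limit 6/min -j LOG --log-prefix \"DNS-HIJACK \""
        # 2) prevention: rewrite the destination so the query still reaches the right resolver
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 ! -d $dns" \
             "-j DNAT --to-destination $dns:53"
    done
}

# Policy check (the same test the "! -d" match performs in-kernel):
# is this destination allowed for port-53 traffic from the LAN?
is_sanctioned_dns() {
    [ "$1" = "$SANCTIONED_DNS" ]
}

# Apply only when explicitly asked (needs root); the default is a dry run.
if [ "${1:-}" = "--apply" ]; then
    dnat_dns_rules "$LAN_IF" "$SANCTIONED_DNS" | sh -e
else
    dnat_dns_rules "$LAN_IF" "$SANCTIONED_DNS"
fi
```

The LOG rule sits before the DNAT rule on purpose: LOG is a non-terminating target, so the packet is recorded and then still reaches the rewrite, which is what makes the clever-kids case transparent to the user while leaving a trail for the administrator. The rate limit keeps a chatty infected host from flooding the kernel log.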

This functionality can also be extended, if necessary, to alert someone when the rule is triggered. This can be achieved using advanced tools, such as a low-cost enterprise solution for as little as $5 a month.
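Alerting on the rule does not have to wait for a paid product. As an added example (not from the original post), the short pipeline below reads the router's kernel log, keeps only the lines an iptables LOG rule tagged with an assumed "DNS-HIJACK " prefix, counts queries per client and attempted resolver, and emits an alert line for any pair at or above a threshold. The log lines embedded here are constructed samples in the shape of iptables LOG output, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post): turn DNS-HIJACK log lines into
# an alert. SAMPLE_LOG is constructed test data shaped like iptables LOG output;
# the "DNS-HIJACK " prefix and the alert threshold are assumptions.
SAMPLE_LOG='Jan  9 10:01:02 router kernel: DNS-HIJACK IN=br-lan OUT= SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=51234 DPT=53
Jan  9 10:01:03 router kernel: DNS-HIJACK IN=br-lan OUT= SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=51235 DPT=53
Jan  9 10:01:05 router kernel: DNS-HIJACK IN=br-lan OUT= SRC=192.168.1.77 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=53
Jan  9 10:01:06 router kernel: IPv4 forward SRC=192.168.1.5 DST=192.168.1.1 PROTO=TCP DPT=443'

# stdin: kernel log; stdout: one "<client> <attempted resolver> <count>" line per pair,
# sorted by client address so the output is stable.
summarize_hijack_log() {
    grep 'DNS-HIJACK' \
    | sed -n 's/.*SRC=\([0-9.]*\) DST=\([0-9.]*\).*/\1 \2/p' \
    | sort | uniq -c \
    | awk '{ print $2, $3, $1 }'
}

# stdin: summary lines; stdout: an alert for each pair at or above the threshold.
# A threshold above 1 ignores one-off lookups and surfaces hosts that keep trying.
alert_hijack() {
    threshold="${1:-1}"
    awk -v t="$threshold" \
        '$3 >= t { printf "ALERT client %s sent %d DNS queries to unsanctioned resolver %s\n", $1, $3, $2 }'
}

# On a real router this would be:  dmesg | summarize_hijack_log | alert_hijack 2
# piped into whatever delivers the message (mail, a chat webhook, syslog).
printf '%s\n' "$SAMPLE_LOG" | summarize_hijack_log | alert_hijack 1
```

Run from cron every few minutes against `dmesg` or the syslog file, the same pipeline gives a free version of the "tell someone when the rule fires" feature: the DNAT rule has already fixed the query, so the alert is about which machine needs a closer look, not about an outage.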

Using DNAT rules isn’t a silver bullet nor should it be considered the only solution to have in place on your home or office network, but it’s a key addition to a defense-in-depth strategy.

Image: defense in depth in cars
A layered approach, or defense in depth, is just like in our cars. We don't rely only on our rearview mirror or our seatbelt or sensors or our anti-lock brakes to keep us safe. We rely on a symphony of them all working together to minimize our risk of injury when something happens.

Image: defense in depth in InfoSec

Protecting our privacy and security works the same way. Using methods like DNAT rules means having another valuable layer in place that reduces the likelihood of falling victim to the nasty world of malware flying around out there, by raising the cost criminals have to pay to succeed.
