malware analysis

Analyzing Network Covert Channels in Malware

Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.

c2-detectioncovert-channelsdata-exfiltrationdns-tunnelingicmp-exfiltrationmalware-analysisnetwork-forensics
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Malware uses covert channels to disguise C2 communication and data exfiltration within legitimate-looking network traffic. DNS tunneling encodes data in DNS queries and responses (used by tools like iodine, dnscat2, and malware families like FrameworkPOS). ICMP tunneling hides data in echo request/reply payloads (icmpsh, ptunnel). HTTP covert channels embed C2 data in headers, cookies, or steganographic images. Protocol abuse exploits allowed protocols to bypass firewalls. DNS tunneling detection achieves 99%+ recall with modern ML-based approaches, though low-throughput exfiltration remains challenging. Palo Alto Unit42 tracked three major DNS tunneling campaigns (TrkCdn, SecShow, Savvy Seahorse) through 2024, showing the technique's continued prevalence.

When to Use

  • When investigating security incidents that require analyzing network covert channels in malware
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Python 3.9+ with scapy, dpkt, dnslib
  • Wireshark/tshark for PCAP analysis
  • Zeek (formerly Bro) for network monitoring
  • DNS query logging infrastructure
  • Understanding of DNS, ICMP, HTTP protocols at packet level

Workflow

Step 1: DNS Tunneling Detection

#!/usr/bin/env python3
"""Detect DNS tunneling and covert channels in network traffic."""
import sys
import json
import math
from collections import Counter, defaultdict
 
try:
    from scapy.all import rdpcap, DNS, DNSQR, DNSRR, IP, ICMP
except ImportError:
    print("pip install scapy")
    sys.exit(1)
 
 
def entropy(data):
    if not data:
        return 0
    freq = Counter(data)
    length = len(data)
    return -sum((c/length) * math.log2(c/length) for c in freq.values())
 
 
def analyze_dns_tunneling(pcap_path):
    """Detect DNS tunneling indicators in PCAP."""
    packets = rdpcap(pcap_path)
    domain_stats = defaultdict(lambda: {
        "queries": 0, "total_qname_len": 0, "subdomain_lengths": [],
        "query_types": Counter(), "unique_subdomains": set(),
    })
 
    for pkt in packets:
        if pkt.haslayer(DNS) and pkt.haslayer(DNSQR):
            qname = pkt[DNSQR].qname.decode('utf-8', errors='replace').rstrip('.')
            qtype = pkt[DNSQR].qtype
 
            parts = qname.split('.')
            if len(parts) >= 3:
                base_domain = '.'.join(parts[-2:])
                subdomain = '.'.join(parts[:-2])
 
                stats = domain_stats[base_domain]
                stats["queries"] += 1
                stats["total_qname_len"] += len(qname)
                stats["subdomain_lengths"].append(len(subdomain))
                stats["query_types"][qtype] += 1
                stats["unique_subdomains"].add(subdomain)
 
    # Score domains for tunneling indicators
    suspicious = []
    for domain, stats in domain_stats.items():
        if stats["queries"] < 5:
            continue
 
        avg_subdomain_len = (sum(stats["subdomain_lengths"]) /
                             len(stats["subdomain_lengths"]))
        unique_ratio = len(stats["unique_subdomains"]) / stats["queries"]
 
        # Calculate subdomain entropy
        all_subdomains = ''.join(stats["unique_subdomains"])
        sub_entropy = entropy(all_subdomains)
 
        score = 0
        reasons = []
 
        if avg_subdomain_len > 30:
            score += 30
            reasons.append(f"Long subdomains (avg {avg_subdomain_len:.0f} chars)")
        if unique_ratio > 0.9:
            score += 25
            reasons.append(f"High uniqueness ({unique_ratio:.2%})")
        if sub_entropy > 4.0:
            score += 25
            reasons.append(f"High entropy ({sub_entropy:.2f})")
        if stats["query_types"].get(16, 0) > 10:  # TXT records
            score += 20
            reasons.append(f"Many TXT queries ({stats['query_types'][16]})")
 
        if score >= 50:
            suspicious.append({
                "domain": domain,
                "score": score,
                "queries": stats["queries"],
                "avg_subdomain_length": round(avg_subdomain_len, 1),
                "unique_subdomains": len(stats["unique_subdomains"]),
                "subdomain_entropy": round(sub_entropy, 2),
                "reasons": reasons,
            })
 
    return sorted(suspicious, key=lambda x: -x["score"])
 
 
def analyze_icmp_tunneling(pcap_path):
    """Detect ICMP tunneling in PCAP."""
    packets = rdpcap(pcap_path)
    icmp_stats = defaultdict(lambda: {"count": 0, "payload_sizes": [], "payloads": []})
 
    for pkt in packets:
        if pkt.haslayer(ICMP) and pkt.haslayer(IP):
            src = pkt[IP].src
            dst = pkt[IP].dst
            key = f"{src}->{dst}"
 
            payload = bytes(pkt[ICMP].payload)
            icmp_stats[key]["count"] += 1
            icmp_stats[key]["payload_sizes"].append(len(payload))
            if len(payload) > 64:
                icmp_stats[key]["payloads"].append(payload[:100])
 
    suspicious = []
    for flow, stats in icmp_stats.items():
        if stats["count"] < 5:
            continue
        avg_size = sum(stats["payload_sizes"]) / len(stats["payload_sizes"])
        if avg_size > 64 or stats["count"] > 100:
            suspicious.append({
                "flow": flow,
                "packets": stats["count"],
                "avg_payload_size": round(avg_size, 1),
                "reason": "Large/frequent ICMP payloads suggest tunneling",
            })
 
    return suspicious
 
 
if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <pcap_file>")
        sys.exit(1)
 
    print("[+] DNS Tunneling Analysis")
    dns_results = analyze_dns_tunneling(sys.argv[1])
    for r in dns_results:
        print(f"  {r['domain']} (score: {r['score']})")
        for reason in r['reasons']:
            print(f"    - {reason}")
 
    print("\n[+] ICMP Tunneling Analysis")
    icmp_results = analyze_icmp_tunneling(sys.argv[1])
    for r in icmp_results:
        print(f"  {r['flow']}: {r['reason']}")

Validation Criteria

  • DNS tunneling detected via entropy, subdomain length, and query volume analysis
  • ICMP covert channels identified through payload size anomalies
  • Tunneling domains distinguished from legitimate CDN/cloud traffic
  • Data exfiltration volume estimated from captured traffic
  • C2 communication patterns and beaconing intervals extracted

References

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md2.5 KB

API Reference: Network Covert Channel Detection

Scapy - Packet Analysis

DNS Tunneling Detection

from scapy.all import rdpcap, DNS, DNSQR, IP
 
packets = rdpcap("capture.pcap")
for pkt in packets:
    if pkt.haslayer(DNSQR):
        qname = pkt[DNSQR].qname.decode().rstrip(".")
        src = pkt[IP].src
        qtype = pkt[DNSQR].qtype  # 1=A, 16=TXT, 28=AAAA

ICMP Payload Extraction

from scapy.all import ICMP, Raw
 
for pkt in packets:
    if pkt.haslayer(ICMP) and pkt.haslayer(Raw):
        payload = bytes(pkt[Raw].load)
        icmp_type = pkt[ICMP].type  # 8=echo-request, 0=echo-reply

Zeek - Covert Channel Detection

DNS Tunneling Indicators

@load base/protocols/dns
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count) {
    if (|query| > 60)
        print fmt("Long DNS query: %s from %s", query, c$id$orig_h);
}

Configuration

zeek -r capture.pcap local
# Outputs: dns.log, conn.log, weird.log

tshark - Protocol Filtering

DNS Analysis

tshark -r capture.pcap -Y "dns" -T fields \
  -e ip.src -e dns.qry.name -e dns.qry.type -e frame.len
 
# Filter long DNS queries
tshark -r capture.pcap -Y "dns.qry.name matches \"^.{60,}\"" -T fields -e dns.qry.name

ICMP Payload Analysis

tshark -r capture.pcap -Y "icmp && data.len > 64" -T fields \
  -e ip.src -e ip.dst -e icmp.type -e data.len -e data.data

DNS Tunneling Tools

Tool Technique Detection Method
iodine TXT/NULL/CNAME records High entropy subdomains
dns2tcp TXT records Encoded query names
dnscat2 TXT/CNAME/MX/A records Base32/Base64 subdomain patterns
DNSExfiltrator TXT records High query volume to single domain

Entropy Thresholds

Range Interpretation
< 2.0 Normal domain labels (English words)
2.0-3.5 Possibly encoded but may be legitimate
3.5-5.0 Likely Base32/Base64 encoded (tunneling)
> 5.0 Encrypted/random data (strong tunneling indicator)

Covert Channel Categories

Channel Type Protocol Detection Method
DNS Tunneling DNS (53/udp) Subdomain entropy, query volume
ICMP Tunnel ICMP (type 8/0) Payload size, entropy, volume
HTTP Header HTTP (80/tcp) Cookie size, custom header entropy
Protocol Abuse IP options, GRE Unusual protocol numbers
Timing Channel TCP Inter-packet timing analysis
standards.md0.3 KB

Standards Reference - analyzing-network-covert-channels-in-malware

Applicable Standards

  • MITRE ATT&CK Framework
  • NIST SP 800-83 Guide to Malware Incident Prevention
  • NIST SP 800-86 Guide to Integrating Forensic Techniques

Related MITRE ATT&CK Techniques

See SKILL.md for specific technique mappings.

workflows.md0.5 KB

Analysis Workflows - analyzing-network-covert-channels-in-malware

Primary Workflow

[Sample Collection] --> [Static Analysis] --> [Dynamic Analysis] --> [IOC Extraction]
                                                                          |
                                                                          v
                                                                 [Report Generation]

See SKILL.md for detailed step-by-step procedures.

Scripts 1

agent.py7.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Network covert channel detection agent for malware traffic analysis.

Detects DNS tunneling, ICMP covert channels, HTTP header steganography,
and protocol abuse in PCAP captures using scapy.
"""

import os
import sys
import json
import math
from collections import Counter, defaultdict

try:
    from scapy.all import rdpcap, DNS, DNSQR, ICMP, IP, TCP, Raw
    HAS_SCAPY = True
except ImportError:
    HAS_SCAPY = False


def shannon_entropy(data):
    """Calculate Shannon entropy of byte data."""
    if not data:
        return 0.0
    freq = Counter(data)
    length = len(data)
    return -sum((c / length) * math.log2(c / length) for c in freq.values())


def detect_dns_tunneling(packets, entropy_threshold=3.5, length_threshold=50):
    """Detect DNS tunneling by analyzing query name entropy and length."""
    findings = []
    dns_queries = defaultdict(list)
    for pkt in packets:
        if pkt.haslayer(DNSQR):
            qname = pkt[DNSQR].qname.decode("utf-8", errors="replace").rstrip(".")
            src = pkt[IP].src if pkt.haslayer(IP) else "?"
            labels = qname.split(".")
            subdomain = ".".join(labels[:-2]) if len(labels) > 2 else qname
            entropy = shannon_entropy(subdomain.encode())
            base_domain = ".".join(labels[-2:]) if len(labels) >= 2 else qname
            dns_queries[base_domain].append({
                "query": qname, "src": src, "entropy": round(entropy, 3),
                "subdomain_len": len(subdomain),
            })
            if entropy > entropy_threshold and len(subdomain) > length_threshold:
                findings.append({
                    "type": "dns_tunneling", "query": qname, "src": src,
                    "entropy": round(entropy, 3),
                    "subdomain_length": len(subdomain), "severity": "HIGH",
                })
    volume_findings = []
    for domain, queries in dns_queries.items():
        if len(queries) > 100:
            avg_entropy = sum(q["entropy"] for q in queries) / len(queries)
            if avg_entropy > 3.0:
                volume_findings.append({
                    "type": "dns_high_volume", "domain": domain,
                    "query_count": len(queries),
                    "avg_entropy": round(avg_entropy, 3), "severity": "HIGH",
                })
    return findings[:50], volume_findings


def detect_icmp_covert_channel(packets, payload_threshold=64):
    """Detect ICMP covert channels via payload analysis."""
    findings = []
    icmp_flows = defaultdict(list)
    for pkt in packets:
        if pkt.haslayer(ICMP) and pkt.haslayer(Raw):
            payload = bytes(pkt[Raw].load)
            src = pkt[IP].src if pkt.haslayer(IP) else "?"
            dst = pkt[IP].dst if pkt.haslayer(IP) else "?"
            entropy = shannon_entropy(payload)
            flow_key = f"{src}->{dst}"
            icmp_flows[flow_key].append(payload)
            if len(payload) > payload_threshold and entropy > 5.0:
                findings.append({
                    "type": "icmp_covert", "src": src, "dst": dst,
                    "icmp_type": pkt[ICMP].type,
                    "payload_size": len(payload),
                    "entropy": round(entropy, 3), "severity": "HIGH",
                })
    for flow, payloads in icmp_flows.items():
        total_bytes = sum(len(p) for p in payloads)
        if total_bytes > 10000:
            findings.append({
                "type": "icmp_exfiltration", "flow": flow,
                "total_bytes": total_bytes,
                "packet_count": len(payloads), "severity": "HIGH",
            })
    return findings[:50]


def detect_http_header_covert(packets):
    """Detect covert data in HTTP headers."""
    findings = []
    for pkt in packets:
        if pkt.haslayer(TCP) and pkt.haslayer(Raw):
            try:
                payload = bytes(pkt[Raw].load).decode("utf-8", errors="replace")
            except Exception:
                continue
            if not payload.startswith(("GET ", "POST ", "HTTP/")):
                continue
            for line in payload.split("\r\n"):
                if ":" not in line:
                    continue
                header, _, value = line.partition(":")
                value = value.strip()
                if header.lower() == "cookie" and len(value) > 500:
                    entropy = shannon_entropy(value.encode())
                    if entropy > 4.5:
                        findings.append({
                            "type": "http_cookie_exfil", "header": header,
                            "value_length": len(value),
                            "entropy": round(entropy, 3), "severity": "MEDIUM",
                        })
                if header.lower().startswith("x-") and len(value) > 100:
                    entropy = shannon_entropy(value.encode())
                    if entropy > 4.0:
                        findings.append({
                            "type": "http_custom_header", "header": header,
                            "value_length": len(value),
                            "entropy": round(entropy, 3), "severity": "MEDIUM",
                        })
    return findings[:50]


def detect_protocol_anomalies(packets):
    """Detect protocol-level anomalies indicating covert communication."""
    findings = []
    for pkt in packets:
        if pkt.haslayer(IP):
            proto = pkt[IP].proto
            if proto not in (1, 6, 17, 47, 50, 51):
                findings.append({
                    "type": "unusual_ip_proto", "protocol": proto,
                    "src": pkt[IP].src, "dst": pkt[IP].dst, "severity": "MEDIUM",
                })
    return findings[:50]


def generate_report(pcap_path, dns_f, dns_v, icmp_f, http_f, proto_f):
    """Generate covert channel analysis report."""
    total = len(dns_f) + len(icmp_f) + len(http_f) + len(proto_f)
    return {
        "pcap_file": pcap_path, "total_findings": total,
        "dns_tunneling": {"count": len(dns_f), "findings": dns_f[:10]},
        "dns_volume_anomalies": dns_v[:10],
        "icmp_covert": {"count": len(icmp_f), "findings": icmp_f[:10]},
        "http_header_covert": {"count": len(http_f), "findings": http_f[:10]},
        "protocol_anomalies": {"count": len(proto_f), "findings": proto_f[:10]},
        "risk_level": "HIGH" if total > 10 else "MEDIUM" if total > 3 else "LOW",
    }


if __name__ == "__main__":
    print("=" * 60)
    print("Network Covert Channel Detection Agent")
    print("DNS tunneling, ICMP covert, HTTP header, protocol abuse")
    print("=" * 60)

    pcap = sys.argv[1] if len(sys.argv) > 1 else None
    if not pcap or not os.path.exists(pcap):
        print("\n[DEMO] Usage: python agent.py <capture.pcap>")
        print(f"  scapy available: {HAS_SCAPY}")
        sys.exit(0)
    if not HAS_SCAPY:
        print("[!] Install scapy: pip install scapy")
        sys.exit(1)

    print(f"\n[*] Loading: {pcap}")
    packets = rdpcap(pcap)
    print(f"[*] Packets: {len(packets)}")

    dns_f, dns_v = detect_dns_tunneling(packets)
    icmp_f = detect_icmp_covert_channel(packets)
    http_f = detect_http_header_covert(packets)
    proto_f = detect_protocol_anomalies(packets)
    report = generate_report(pcap, dns_f, dns_v, icmp_f, http_f, proto_f)

    print(f"\n--- DNS Tunneling ({len(dns_f)}) ---")
    for f in dns_f[:5]:
        print(f"  {f['src']} | entropy={f['entropy']} | {f['query'][:60]}")
    print(f"\n--- ICMP Covert ({len(icmp_f)}) ---")
    for f in icmp_f[:5]:
        print(f"  {f.get('flow', f.get('src','?'))} | {f.get('payload_size', f.get('total_bytes','?'))}B")
    print(f"\n[*] Risk: {report['risk_level']}")
    print(json.dumps(report, indent=2, default=str))

Assets 1

template.mdtext/markdown · 0.4 KB
Keep exploring