DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points.

This course focuses on the forensic analysis of malware delivered by DNS, within the structure of this type of cyber attack. The forensic study of DNS attacks grows annually. But the most important thing is that many attackers do not know how DNS works. And yet there are failures in services that seem to be the main permissive causes of these attacks. Our intention is to verify whether these attacks follow some form of pattern. Learning about malware attacks on DNS services helps us understand how malware is being created so that redirection of traffic and sites is almost imperceptible.

Course benefits: 

Note: since this class was published in 2019, some DNS technology has advanced and new attacks have surfaced. These materials have not been updated. 

You will learn about:

  • How malware is delivered by DNS
  • How the attack can mitigate traces
  • Vulnerabilities of C2 servers.

The skills the course offers students are:

  • Traffic analysis
  • DNS security framework
  • Static forensics analysis of malware and ransomware (network malware)
  • The use of dedicated malware flow analysis tools (listed below). Tools like ApateDNS and the tools inside FLARE-VM are used for flow analysis or dynamic analysis. We are talking about ransomware.
  • Network traffic will be analyzed with Wireshark
  • You will learn how to configure your virtual lab and test the attack modalities. The course will provide all instructions to use the tools

Tools you will use:

  • SANS SIFT Workstation (SSW),
  • Kali Linux (2018.4 or above),
  • ApateDNS (1.0 or above),
  • FakeNet-NG, Flare VM (1.0 or above),
  • VirtualBox/VMware,
  • Windows 7/10 virtual machines,
  • Wireshark,
  • IOC FireEye tools.

Course general information: 

Course format:

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

You will need to mount a virtual network containing:

  • Windows 7 (or 10) virtual machine to mount the FLARE-VM lab and run the above tools
  • Kali Linux and SANS SIFT Workstation
  • Debian server

You will learn how to configure this network for the DNS attack.

The skills required for this course are:

  • programming,
  • reverse engineering
  • understanding of the DNS protocol.

In this case, you will need to know how functions work in a program flow, understand how malware uses shared memory, and know what network traffic looks like in a normal situation and a normal state.

The programming language used is Python.

Your instructor: Paulo Henrique Pereira
I was born in São Paulo, the big, boring and bestial industrial city of my country, Brazil. I obtained my PhD at São Paulo University (USP) in analytical induction, a math, logic, statistical and philosophic area. I never worked in this area... but, one day, walking on a Sunday morning, I discovered that I could use my statistical skills to analyze malware behavior, like a math model. So, I have invested my time in this area since 1989. Nowadays, I teach forensics at the University Nove de Julho (UNINOVE) and I work with forensic analysis and malware analysis (reverse engineering of malware) as a free consultant. To escape from reality, in my spare time, I go to some place to practice fly fishing in the rivers that cut through the mountains and I keep programming my own pieces of software in C and Python.


Course introduction:

The basic concepts that will be addressed before the course include: DDoS attacks, CnC (or C2) servers, malware vectors and malware propagation. The student needs to understand these concepts before starting the course.

Module 1: The DNS attack

In this module, a DNS pharming attack will be performed so that the format of the attack, its target and the network traffic that will be captured with Wireshark are understood. We will use SANS SIFT Workstation and Kali Linux to perform forensic analysis of the attack through captured traffic. For this purpose, a website will be created that will serve as the target address. The types of DNS attacks (attacks that have different variations) can be more easily understood through the use of a target as an example, in which case a site can be well suited for learning.

Module 1 covered topics:

  • DNS spoofing,
  • Forensic packet analysis using SANS SIFT Workstation (SSW), Kali Linux (2018.4 or above), ApateDNS (1.0 or above), FakeNet-NG, Flare VM (1.0 or above), and Wireshark.

Module 1 exercises: All exercises in this module exploit the spoofing of DNS cache running against FLARE-VM.

Module 2: Propagation of malware using DNS

This module covers the ways of propagating malware through DNS services, that is, through the exploitation of the databases and redirection. In this mode of exploitation, the packers stand out. Packers are encryption modules that obfuscate the code of malware and are used for attacks of rote traffic, for example.

Module 2 covered topics:

  • DNS service under attack,
  • Static malware analysis using tools inside FLARE-VM (in this case we will use OllyDbg)

Module 2 Exercises:

All exercises in this module exploit the DNS-based attack (DNS-based attacks have two central forms, namely pharming and phishing), especially local and remote, the configured forms used by malware/ransomware (backdoors and trojans) to exploit vulnerabilities in DNS servers. The main focus is the forensic analysis (using SANS SIFT Workstation (SSW), Kali Linux (2018.4 or above), ApateDNS (1.0 or above), FakeNet-NG, Flare VM (1.0 or above) and Wireshark) of the evidence of the attack.

Module 3: IOC Laboratory

In this module, the FLARE-VM virtual machine will be explored to construct forensic indicators of compromise (IOC) using FireEye IOC tools (Editor and Find tools), evaluating artifacts (in this case, the references of changes in traffic redirection, e.g., the packets) loaded by malware that mitigate target defense. FLARE-VM is prepared for static analysis. FLARE-VM can scan malware samples (such as trojans) and, with the help of Wireshark, we can collect more evidence of a DNS attack.

Module 3 covered topics:

  • Malware mitigation artifacts,
  • downfalls of security solutions,
  • IOC.

DNS attacks could easily be captured when a company is well prepared for cybercrime and its employees are aware of network traffic (both internal and external). However, this reality is difficult in most companies. On the contrary, what we usually find is a lack of preparation for emergency situations. This becomes more complex when malware (e.g., a trojan) can hide in the network, or on a computer in that network that maintains regular communication with other machines in the company.

Module 3 exercises: All exercises in this module exploit the forensic analysis of malware component artifacts.

Module 4: Attack against IaaS service

This module examines the forensic aspects of data protection in the cloud and the importance of DNS security. Modes of attacks on DNS services vary widely, as is known. We can have a massive attack, which assembles several machines sending a continuous stream of packets to a server or, on the contrary, the attack can be individual and isolated, bringing together few machines and changing the DNS service cache. However, regardless of attack mode, there is a form of delivery and obfuscation (mitigation) that is done by botnets and can become a more widespread attack on DNS services. The module itself is not concerned with the cloud storage format, nor with the types of services sold by specialized companies. The module focuses on a central question for our purposes: how to conduct a forensic investigation considering an expanded botnet attack on DNS services in the IaaS cloud? This module is focused on the analysis of the packets captured from a botnet attack.

Module 4 covered topics:

  • IaaS attacks,
  • botnet activity,
  • DNS security,
  • packet sample forensic analysis,
  • obfuscation methods

Module 4 exercises:

All exercises in this module seek to explore forensic data analysis in the botnet attack and the mitigation performed by attackers.

Final exam: MCQ Exam


If you have any questions, please contact us at [email protected].

Course Reviews


  1. Excellent Course


    Dr. Paulo Henrique’s course on DNS Malware Analysis does an excellent job of walking through each step, from setting up the environment to looking for IOCs and collecting evidence. This is a worthwhile course for anyone interested in DNS malware analysis.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023