Emulating Zeus DNS Traffic to Test the Defenses
Via Rapid7 I found a nice post that uses Metasploit to test how our defenses react when a host is infected with the Zeus trojan.
In a nutshell, the author uses the module auxiliary/vsploit/dns/dns_beacon to resolve a list of domain names taken from Abuse.ch's Zeus Tracker. Since these domain names are known to spread malware, our defenses should react and report the incident.
Please note the difference between resolving the DNS name and connecting to the server to fetch the malware. I might be wrong, but many IDS/IPS systems only flag the connections to the C&C and the dropper, like the Emerging Threats signatures.
To flag these tests, the IDS/IPS has to inspect the DNS queries themselves, not just the TCP connections that follow them. The other option is to set up a DNS sinkhole that answers these lookups with a sinkhole address, in conjunction with an IDS rule that flags the traffic redirected there.
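As an added example (not code from the original post, from Rapid7 or from Metasploit), the script below shows the check that both detection options above boil down to: load a Zeus Tracker-style domain list, match DNS query log lines against it label by label (so a subdomain of a listed domain is caught but a name that merely ends in the same string is not), and, for the sinkhole option, answer matched names with a fixed sinkhole address that an IDS rule can then key on. The blocklist entries, the BIND-style query log lines and the sinkhole address 192.0.2.1 are all constructed for this example and are not real tracker data.

```python
"""Added example: match DNS query logs against a domain blocklist.

Emulates what a DNS-inspecting IDS (option 1) or a sinkhole resolver
(option 2) has to do with a Zeus Tracker-style list. Sample data is
constructed, not taken from the real tracker.
"""
import re

# Constructed blocklist in the one-domain-per-line style of a tracker export.
BLOCKLIST_TEXT = """\
# Constructed sample, not real Zeus Tracker output
bad-example-1.test
cnc.bad-example-2.test
DROPPER-EXAMPLE.test.
"""

# Constructed BIND-style query log lines (clients 10.0.0.x, resolver 10.0.0.1).
QUERY_LOG = """\
05-Mar-2012 10:00:01.123 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
05-Mar-2012 10:00:02.456 client 10.0.0.5#53212: query: bad-example-1.test IN A + (10.0.0.1)
05-Mar-2012 10:00:03.789 client 10.0.0.7#53213: query: update.cnc.bad-example-2.test IN A + (10.0.0.1)
05-Mar-2012 10:00:04.000 client 10.0.0.7#53214: query: notbad-example-1.test IN A + (10.0.0.1)
05-Mar-2012 10:00:05.000 client 10.0.0.9#53215: query: dropper-example.test IN TXT + (10.0.0.1)
"""

# Assumed sinkhole address (TEST-NET-2, never routed on the real Internet).
SINKHOLE_IP = "192.0.2.1"

LOG_RE = re.compile(
    r"client (?P<client>[\da-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so 'Foo.TEST.' == 'foo.test'."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text: str) -> set:
    """Parse a one-domain-per-line list, ignoring blank lines and '#' comments."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(normalize(line))
    return domains


def matched_domain(qname: str, blocklist: set):
    """Return the listed domain that qname equals or sits under, else None.

    Matching walks the labels from the left, so 'notbad-example-1.test' does
    not match 'bad-example-1.test' the way a plain suffix string compare would.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_query_log(text: str):
    """Yield (client, qname, qtype) from BIND-style query log lines; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype")


def flag_queries(log_text: str, blocklist: set) -> list:
    """Option 1: one alert per query for a listed name or a subdomain of one."""
    alerts = []
    for client, qname, qtype in parse_query_log(log_text):
        hit = matched_domain(qname, blocklist)
        if hit:
            alerts.append({"client": client, "qname": normalize(qname),
                           "qtype": qtype, "matched": hit})
    return alerts


def sinkhole_answer(qname: str, blocklist: set, sinkhole_ip: str = SINKHOLE_IP):
    """Option 2: answer listed names with the sinkhole address, others normally (None).

    With every bad name resolving to sinkhole_ip, the IDS rule only has to
    flag traffic to that one address instead of inspecting DNS itself.
    """
    return sinkhole_ip if matched_domain(qname, blocklist) else None


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT)
    for a in flag_queries(QUERY_LOG, bl):
        print(f"ALERT {a['client']} asked {a['qtype']} {a['qname']} (matches {a['matched']})")
```

Run as-is, it prints three alerts for the constructed log: the exact listed name, the subdomain under cnc.bad-example-2.test, and the TXT lookup of the upper-cased entry; the look-alike notbad-example-1.test is left alone. A real deployment would feed the same matching logic from passive DNS capture or resolver logs rather than a string constant.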