Why GuardDuty keeps alerting my instance "Trojan:EC2/DGADomainRequest.B"

1

My instance only opens external access network traffic to certain specific ip and ports, but this alarm will still appear Findings: Malware scan Scan ID d954e9ec99318c5df6946cc3ece1db32

Scan status COMPLETED Start time 07-17-2023 04:55:02 End time 07-17-2023 05:51:23 Security status CLEAN

Resource affected Resource role TARGET Resource type Instance

Action Action type DNS_REQUEST

Protocol 0 Blocked false First seen 06-20-2023 15:23:43 (a month ago) Last seen 07-17-2023 03:39:28 (4 hours ago) Actor Domain xosryt3auex5wnz63gu7oxubehblp3lqzlbojcxnlwf4wqmvuwin2wqd.onion

Additional information Archived false

But the clone machine with the same disk, but in different regions does not have this problem,how can i solve this problem?

DD-Boom
asked a year ago2425 views
1 Answer
2

Hi,

See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb

Trojan:EC2/DGADomainRequest.B
An EC2 instance is querying algorithmically generated domains. Such domains 
are commonly used by malware and could be an indication of a compromised EC2 instance.


DGAs are used to periodically generate a large number of domain names that can 
be used as rendezvous points with their command and control (C&C) servers. 
Command and control servers are computers that issue commands to members 
of a botnet, which is a collection of internet-connected devices that are infected 
and controlled by a common type of malware. The large number of potential 
rendezvous points makes it difficult to effectively shut down botnets because infected 
computers attempt to contact some of these domain names every day to receive updates 
or commands.

So, it happens only on one of your EC2 instances because the affected one makes those dangerous DNS requests while the other doesn't. Knowing your exact context will probably make you understand why.

You should analyze what those DNS queries are to prevent your EC2 instance from interacting with those rendezvous points, if they are really such botnet rendezvous points.

Remediation is detailled is https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2

Hope it helps

Didier

profile pictureAWS
EXPERT
answered a year ago
profile pictureAWS
EXPERT
iBehr
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions