1 Answer
Hi,
Trojan:EC2/DGADomainRequest.B
An EC2 instance is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.

DGAs are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control (C&C) servers. Command and control servers are computers that issue commands to members of a botnet, which is a collection of internet-connected devices that are infected and controlled by a common type of malware. The large number of potential rendezvous points makes it difficult to effectively shut down botnets because infected computers attempt to contact some of these domain names every day to receive updates or commands.
So, it happens only on one of your EC2 instances because the affected one makes those dangerous DNS requests while the other doesn't. Knowing your exact context will probably make you understand why.
You should analyze what those DNS queries are to prevent your EC2 instance from interacting with those rendezvous points, if they are really such botnet rendezvous points.
Remediation is detailed at https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2
Hope it helps
Didier
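A way to do the analysis the answer recommends, as an added example that is not part of the answer above and not AWS tooling: pull the queried domain and the instance ID out of the GuardDuty finding (field paths follow the `GetFindings` API shape, `Service.Action.DnsRequestAction.Domain` and `Resource.InstanceDetails.InstanceId`), then run a simple DGA-likeness heuristic over Route 53 Resolver query logs so the affected instance's other lookups can be reviewed. The finding, the log lines, the hypothetical instance IDs and the domains are all constructed sample data, and the scoring thresholds are assumptions chosen for illustration, not a published detector.

```python
"""Triage helper for a GuardDuty Trojan:EC2/DGADomainRequest.B finding.

Added example, not part of the re:Post answer or of AWS's own tooling.
Runs offline on constructed data:
  1. finding_summary()   - domain + instance from a GetFindings-style finding dict
  2. suspicious_queries() - DGA-likeness scoring over Resolver query log JSON lines
"""
import json
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed GuardDuty finding; only the fields read below are populated.
SAMPLE_FINDING = {
    "Type": "Trojan:EC2/DGADomainRequest.B",
    "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
    "Service": {"Action": {"ActionType": "DNS_REQUEST",
                           "DnsRequestAction": {"Domain": "xkqwvtrzlmpbhdgy.com"}}},
}

# Constructed Route 53 Resolver query log lines (JSON, one record per line).
# Field names follow the Resolver query log format; query_name keeps its trailing dot.
SAMPLE_RESOLVER_LOG = "\n".join(json.dumps(r) for r in [
    {"query_name": "xkqwvtrzlmpbhdgy.com.", "query_type": "A", "rcode": "NXDOMAIN",
     "srcaddr": "10.0.1.10", "srcids": {"instance": "i-0123456789abcdef0"}},
    {"query_name": "q7zt0l3bxm2pw9kd.net.", "query_type": "A", "rcode": "NXDOMAIN",
     "srcaddr": "10.0.1.10", "srcids": {"instance": "i-0123456789abcdef0"}},
    {"query_name": "ec2.us-east-1.amazonaws.com.", "query_type": "A", "rcode": "NOERROR",
     "srcaddr": "10.0.1.10", "srcids": {"instance": "i-0123456789abcdef0"}},
    {"query_name": "github.com.", "query_type": "A", "rcode": "NOERROR",
     "srcaddr": "10.0.1.11", "srcids": {"instance": "i-0fedcba9876543210"}},
    {"query_name": "repo.ubuntu.com.", "query_type": "A", "rcode": "NOERROR",
     "srcaddr": "10.0.1.11", "srcids": {"instance": "i-0fedcba9876543210"}},
])


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(name):
    """Naive second-level label: 'ec2.us-east-1.amazonaws.com' -> 'amazonaws'."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def dga_features(name):
    label = registrable_label(name)
    letters = [c for c in label if c.isalpha()]
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(sum(c in VOWELS for c in letters) / len(letters), 3) if letters else 0.0,
        "consonant_run": longest_consonant_run(label),
        "digit_ratio": round(sum(c.isdigit() for c in label) / len(label), 3) if label else 0.0,
    }


def dga_score(name):
    """Number of DGA-like traits (0..5). Thresholds are illustrative assumptions."""
    f = dga_features(name)
    return sum([f["length"] >= 12, f["entropy"] >= 3.5, f["vowel_ratio"] < 0.25,
                f["consonant_run"] >= 5, f["digit_ratio"] >= 0.3])


def finding_summary(finding):
    """Instance and queried domain from a GetFindings-style finding dict."""
    action = finding.get("Service", {}).get("Action", {})
    domain = None
    if action.get("ActionType") == "DNS_REQUEST":
        domain = action.get("DnsRequestAction", {}).get("Domain")
    instance = finding.get("Resource", {}).get("InstanceDetails", {}).get("InstanceId")
    return {"instance": instance, "domain": domain,
            "score": dga_score(domain) if domain else None}


def suspicious_queries(log_text, threshold=3):
    """{instance_id: [query names scoring >= threshold]} from Resolver log JSON lines."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        name = rec["query_name"].rstrip(".")
        inst = rec.get("srcids", {}).get("instance") or rec.get("srcaddr", "unknown")
        if dga_score(name) >= threshold and name not in flagged[inst]:
            flagged[inst].append(name)
    return dict(flagged)


if __name__ == "__main__":
    print(json.dumps(finding_summary(SAMPLE_FINDING), indent=2))
    print(json.dumps(suspicious_queries(SAMPLE_RESOLVER_LOG), indent=2))
```

Run against a real export (`aws guardduty get-findings` output and the Resolver query logs for the VPC), the grouping by `srcids.instance` is what shows whether only one instance is emitting the lookups, which is the situation the question describes. The heuristic is deliberately crude: long, high-entropy, vowel-poor labels get flagged, so CDN or cloud hostnames with random-looking subdomains are scored on their registrable label only, and anything flagged still needs a human look before the instance is isolated per the remediation guide.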