Why GuardDuty keeps alerting my instance "Trojan:EC2/DGADomainRequest.B"

1

My instance only opens external access network traffic to certain specific ip and ports, but this alarm will still appear Findings: Malware scan Scan ID d954e9ec99318c5df6946cc3ece1db32

Scan status COMPLETED Start time 07-17-2023 04:55:02 End time 07-17-2023 05:51:23 Security status CLEAN

Resource affected Resource role TARGET Resource type Instance

Action Action type DNS_REQUEST

Protocol 0 Blocked false First seen 06-20-2023 15:23:43 (a month ago) Last seen 07-17-2023 03:39:28 (4 hours ago) Actor Domain xosryt3auex5wnz63gu7oxubehblp3lqzlbojcxnlwf4wqmvuwin2wqd.onion

Additional information Archived false

But the clone machine with the same disk, but in different regions does not have this problem,how can i solve this problem?

已提問 1 年前檢視次數 2519 次
1 個回答
2

Hi,

See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb

Trojan:EC2/DGADomainRequest.B
An EC2 instance is querying algorithmically generated domains. Such domains 
are commonly used by malware and could be an indication of a compromised EC2 instance.


DGAs are used to periodically generate a large number of domain names that can 
be used as rendezvous points with their command and control (C&C) servers. 
Command and control servers are computers that issue commands to members 
of a botnet, which is a collection of internet-connected devices that are infected 
and controlled by a common type of malware. The large number of potential 
rendezvous points makes it difficult to effectively shut down botnets because infected 
computers attempt to contact some of these domain names every day to receive updates 
or commands.

So, it happens only on one of your EC2 instances because the affected one makes those dangerous DNS requests while the other doesn't. Knowing your exact context will probably make you understand why.

You should analyze what those DNS queries are to prevent your EC2 instance from interacting with those rendezvous points, if they are really such botnet rendezvous points.

Remediation is detailled is https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2

Hope it helps

Didier

profile pictureAWS
專家
已回答 1 年前
profile pictureAWS
專家
已審閱 1 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南