Hackers Exploit a Blind Spot By Hiding Malware Inside DNS Records (arstechnica.com) 49
Hackers are hiding malware inside DNS records, allowing malicious code to bypass security defenses that typically monitor web and email traffic. DomainTools researchers discovered the technique being used to host Joke Screenmate malware, with binary files converted to hexadecimal format and broken into chunks stored in TXT records across subdomains of whitetreecollective[.]com.
Attackers retrieve the chunks through DNS requests and reassemble them into executable malware. The method exploits a blind spot in security monitoring, as DNS traffic often goes unscrutinized compared to other network activity.
Attackers retrieve the chunks through DNS requests and reassemble them into executable malware. The method exploits a blind spot in security monitoring, as DNS traffic often goes unscrutinized compared to other network activity.
2004 called (Score:5, Funny)
Excuse me 2004 is on the line, and is wondering when 2025 plans to return its favorite side channel communications mechanism.
Re: (Score:2)
Excuse me 2004 is on the line, and is wondering when 2025 plans to return its favorite side channel communications mechanism.
For the type they're talking about (hiding malware in hexadecimal format within the DNS records) is relatively new (I see some reference to it in 2017). The method that's been around forever has been hijacking your DNS records to redirect traffic from known "safe" sites, to their malware based copy.
Re: (Score:2)
I think he is referring to vpn like and/or other type of channels which implement communication over dns and yes it's been around for quite a while.
Re: 2004 called (Score:1)
it's totally harmless unless your machine is already compromised and has malware assembling dns request TXT records into executables.
but that's not how the chicken littles of the security craze fad will squawk about it.
Re: (Score:2)
it's totally harmless unless your machine is already compromised and has malware assembling dns request TXT records into executables.
but that's not how the chicken littles of the security craze fad will squawk about it.
Very true. I was just noting the difference between the "older" DNS exploits and the "newer" ones. Both do require an internal compromise of your systems to be harmful, their methods are just different.
Re: (Score:2)
Using vpn over dns or communicate over dns doesn't need anything to be compromised. See link below:
https://github.com/AlexandreFe... [github.com]
One would typically use it in a corporate environment to connect somewhere he can't otherwise at the risk of getting in trouble if he is discovered.
Re: (Score:2)
Using vpn over dns or communicate over dns doesn't need anything to be compromised. See link below: https://github.com/AlexandreFe... [github.com]
One would typically use it in a corporate environment to connect somewhere he can't otherwise at the risk of getting in trouble if he is discovered.
Heh, where I work, allowing someone to use a non-business related VPN is the compromising the environment. I suppose I'd also consider my ISP getting their infrastructure compromised counting as well (if we actually used their DNS...).
Re: (Score:2)
My point was that you seem to be confusing DNS exploits with using DNS to communicate and exchange information, typically with TXT records as it is done for all kind of purposes.
Re: (Score:1)
so what does that have to do with bits of malware as TXT records? Nothing, that's what
Re: (Score:2)
Yes i was thinking of VPN over DNS and things of that nature.
I agree this is 'different' but the concept of using DNS infrastructure as a C&C channel or payload distribution mechanism is old. Threat actors have been ab-using DNS now for a long time, DNS should not be a 'Blind Spot' in the world of monitoring and detection.
Re: (Score:2)
Re: (Score:1)
no.
nothing will be executed.
unless, you're compromised.
chunked hex (Score:2)
Because protection mechanisms for HTTPS are on the lookout for code broken into chunks and sent in hexidecimal while the DNS protections are not. Sure. Pull the other one.
Re: chunked hex (Score:1)
this TXT record thing is harmless unless your machine is already compromised. TXT records don't get assembled into binaries and executed unless you've already completely and utterly lost the security battle
Re: (Score:2)
Because protection mechanisms for HTTPS are on the lookout for code broken into chunks and sent in hexidecimal while the DNS protections are not. Sure. Pull the other one.
Servers on internal networks often do have outbound access to the internet denied by default, all port and protocols by a central firewall. DNS works differently, you send requests to a local server which forwards to an internet facing one.
Re: (Score:1)
Don't allow arbitrary execution (Score:5, Insightful)
There are hundreds of ways to get code onto a computer. The trick is to not allow it to execute.
Re: (Score:2)
Re: (Score:3)
Nor the sharpest bulbs?
Re: Don't allow arbitrary execution (Score:2)
Re: (Score:1)
Try dropping a few rigged USB sticks in the parking lot at work, see what happens.
Re: (Score:2)
You start ONE little exploit, and suddenly you're the bad guy....
I am a bird (Score:1)
I am a bird and am free to sing beautiful birdsongs.
Re: I am a bird (Score:1)
Re: (Score:2)
I am a crow and my ancestors have sung to me about the asshole farmers here that will try to spray u with BB's and eat u or wrap u in plastic.
Do people really eat crow? I thought it was just a figure of speech...
Re: (Score:2)
I looked it up, and Internet says "Historically, parts of East Asia, including China and South Korea"; "Some specific communities in Pacific Island cultures"; "Some Native American tribes." https://birdsnews.com/is-crow-... [birdsnews.com]
Re: (Score:2)
Re: (Score:2)
And whenever something is described as a "delicacy" translate in your head to "someone was at one time desperate enough to eat this".
Re: (Score:2)
So, the trick is to embed (RNA?) malware in the crow so that the chinese gourmet farmer once infected suddenly codes a DNS TXT records retriever program in order to reassemble the original malware.
That's a bit contrived, hacking used to be simpler...But well, it it's what it takes to take down a (singing at that !!) free bird I suppose it's worth the effort.
I suppose it's an interesting concept (Score:4, Informative)
However, as the article points out - the attacker has to already have gotten operational software onto your system for this to be useful to them. If they're pulling pieces that aren't, in themselves, harmful... antivirus isn't going to flag the traffic regardless. Which is an approach we've known about for some time.
Re: (Score:2)
I don't know about yours, but my DNS filters pretty much just look at A records.
Re: (Score:2)
It's relying on LLMs being able to search the internet for things. It goes somethign like this:
LLM searches for something, ends up on a site.
Site has multiple links embedded in it with said DNS payloads.
DNS lookup occurs.
LLM 'reads' said payload.
Why is this a blind spot? (Score:4, Informative)
Re: (Score:2)
The real malware is the code that is performing the DNS queries and assembling the results into other malware.
So: host, nslookup, dig, dnsip, and related tools are malware now? Including libresolv, and equivalents in Rust and Go? Also the Python standard modules, of course?
Re: (Score:2)
The script that combines these to retrieve and execute malware is.
Re: (Score:2)
Yeah, but until someone notices, identifies it, and adds a signature for it, there's no indication that what it's doing is worse than legitimate tools =/
Re: (Score:2)
host, nslookup, dig, dnsip, and related tools are malware now?
The script that combines these to retrieve and execute malware is.
Ah. So cat is the malware.
Re: (Score:2)
That's what I'm wondering.
How is this any different from using FTP to download malware, and then execute it?
Nothing in a DNS client is going to execute what is stored in a TXT record by itself. Nothing in any DNS client is going to unzip / un-base64 it, mark it executable, and run it without someone being there to do that, or some script being written to do it that is being executed with the requisite permissions, so this is no different than any other file transfer medium other than being obfuscated in a
Meh (Score:2)
It's not like your computer is assembling TXT records into binaries on its own. The malware is already on the device, the TXT records are only additional data.
Re: (Score:2)
Windows 11 discovered to be doing this by default as a "feature" in 3, 2, 1...
Re: (Score:2)
Re: (Score:1)
Hex is just hex until you chmod it -x.
I've got the DeCSS T-shirt, but it can't execute the code printed on it. At least, I don't think so, I've never thought of waving it in the general direction of a DVD to find out...
Re: (Score:2)
It's very critical additional data, though. The idea is the basic malware doesn't have anything truly alarming in it, so it's easier to obfuscate it to slip by the filters. Once it's running, it can download the really dangerous stuff via TXT records, which won't be checked for alarming/dangerous content, and set that up behind the filters without triggering them. It does all that in memory, without giving any indication of touching files, and then once the code's gotten root access it can persist things to
Abuse of TXT records (Score:2)
This is compounded by the (ab)use of TXT records to store arbitrary records without needing to extend the set of DNS record types. Having explicit types of DNS records improves syntax filtering, making it difficult to impossible to abuse those records this way. Limiting TXT records to only their original purpose (instead of putting SPF, DMARC, DKIM and other types inside them) would allow heavy-handed filtering of attempts to pass arbitrary data in large quantities through TXT records without impacting any
This technique is +30 years old (Score:2)
I recall someone hacking the Dutch Greenpoint phones by sending all traffic over a DNS server in 1992.