[dns-operations] Caching nameservers as malware distribution mechanism
Roy Arends
roy at dnss.ec
Tue Mar 8 12:24:04 UTC 2011
On Mar 8, 2011, at 10:46 AM, Roberto Navarro - TusProfesionales.es wrote:
> It was disclosed last week at rootedcon (www.rootedcon.es):
>
> http://www.slideshare.net/rootedcon/francisco-jess-gmez-carlos-juan-diaz-cloud-malware-distribution-dns-will-be-your-friend-rootedcon-2011
Cute, but old.
Encoding software (malware in their case) using CNAME chains has been done before. I did that in 2001:
dig decss.friet.org|perl -ne's/\.//;print pack("H124",$1)if(/^x([^\.]*)/)'
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
Roy
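As an added illustration of the scheme the one-liner above decodes (this is example code written for this page, not Roy's or Walter's original tooling, and nothing here is taken from the decss.friet.org zone): each owner name in the chain is "x" plus 62 hex digits, a dot, and 62 more hex digits, so one CNAME record carries 62 bytes, and a resolver that follows the chain from the head name pulls every chunk through its cache. The code below builds such a chain in memory, replays the decoding logic of the dig|perl pipeline (join the two hex labels, unhex them, in chain order) against a simulated resolver with a hop limit, and adds a simple heuristic a resolver operator could use to spot such chains. The zone name, the head name, the terminal name and the hop limit are placeholders chosen for the example; unlike pack("H124"), a short final chunk is kept at its real length rather than zero-padded.

```python
import re
from typing import Dict, List, Optional

# Geometry implied by the dig|perl one-liner: the owner name is
# "x" + 62 hex digits "." 62 hex digits "." zone, i.e. 124 hex digits
# (pack("H124", ...)) = 62 bytes per CNAME record.
HEX_PER_LABEL = 62               # 63-octet label limit minus the leading "x"
BYTES_PER_NAME = HEX_PER_LABEL   # two labels of 62 hex digits = 62 bytes
ZONE = "example.net"             # assumption: placeholder zone for the example
TERMINAL = "end." + ZONE         # assumption: last CNAME points at a name with no CNAME
MAX_HOPS = 10000                 # assumption: loop guard for the simulated resolver


def data_name(chunk: bytes, zone: str = ZONE) -> str:
    """Owner name that carries `chunk` (at most BYTES_PER_NAME bytes)."""
    h = chunk.hex()
    labels = ["x" + h[:HEX_PER_LABEL]]
    if len(h) > HEX_PER_LABEL:
        labels.append(h[HEX_PER_LABEL:])
    labels.append(zone)
    return ".".join(labels)


def encode_chain(data: bytes, head: str, zone: str = ZONE) -> Dict[str, str]:
    """Return {owner: target} CNAME records carrying `data`, starting at `head`."""
    chunks = [data[i:i + BYTES_PER_NAME] for i in range(0, len(data), BYTES_PER_NAME)]
    records: Dict[str, str] = {}
    prev = head
    for chunk in chunks:
        name = data_name(chunk, zone)
        records[prev] = name       # each record's target is the next data name
        prev = name
    records[prev] = TERMINAL
    return records


def parse_data_name(name: str, zone: str = ZONE) -> Optional[bytes]:
    """Payload bytes carried by `name`, or None if it is not a data name.

    Mirrors the one-liner: drop the dot between the two labels (s/\\.//),
    take the hex after the leading "x", and unpack it.
    """
    suffix = "." + zone
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if not labels[0].startswith("x"):
        return None
    hexdigits = labels[0][1:] + "".join(labels[1:])
    if not hexdigits or not re.fullmatch(r"[0-9a-f]+", hexdigits) or len(hexdigits) % 2:
        return None
    return bytes.fromhex(hexdigits)


def decode_chain(records: Dict[str, str], head: str, zone: str = ZONE) -> bytes:
    """Walk the chain from `head` as a resolver would and reassemble the payload."""
    out = bytearray()
    name = head
    for _ in range(MAX_HOPS):
        chunk = parse_data_name(name, zone)
        if chunk is not None:
            out += chunk
        if name not in records:    # no CNAME here: the chain terminates
            return bytes(out)
        name = records[name]
    raise RuntimeError("CNAME chain too long or looping")


# Heuristic for the resolver side: labels that are long runs of hex digits
# (optionally prefixed with "x") are what a payload-carrying chain looks like.
HEX_LABEL = re.compile(r"^x?[0-9a-f]{32,}$")


def suspicious_cname_owners(records: Dict[str, str], min_hex_labels: int = 1) -> List[str]:
    """Owner names with at least `min_hex_labels` hex-blob labels."""
    flagged = []
    for owner in records:
        hexlike = sum(1 for label in owner.split(".") if HEX_LABEL.match(label))
        if hexlike >= min_hex_labels:
            flagged.append(owner)
    return flagged


if __name__ == "__main__":
    payload = bytes(range(256)) * 2           # constructed 512-byte sample payload
    chain = encode_chain(payload, "head." + ZONE)
    print(len(chain), "CNAME records;", len(suspicious_cname_owners(chain)), "flagged")
    assert decode_chain(chain, "head." + ZONE) == payload
```

A 512-byte payload becomes nine data names (eight of 62 bytes, one of 16) plus the head record; the head and terminal names carry no hex labels and are not flagged, so the heuristic reports exactly the nine payload carriers. The hop limit matters because the same machinery that reassembles a payload would otherwise spin on a self-referencing chain.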