[dns-operations] Caching nameservers as malware distribution mechanism
roy at dnss.ec
Tue Mar 8 12:24:04 UTC 2011
On Mar 8, 2011, at 10:46 AM, Roberto Navarro - TusProfesionales.es wrote:
> It was disclosed last week at rootedcon (www.rootedcon.es):
Cute, but old.
Encoding software (malware in their case) using CNAME chains has been done before. I did that in 2001:
dig decss.friet.org|perl -ne's/\.//;print pack("H124",$1)if(/^x([^\.]*)/)'
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
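The encoding the post describes (payload split into hex chunks, one chunk per owner name, each name a CNAME to the next, so that a single `dig` against a recursive resolver pulls down the whole chain and the resolver then caches and serves it) can be reproduced offline. The block below is an added example, not code from the original message or from Roy Arends; the zone name `example.test`, the in-memory `zone_data` dict standing in for an authoritative zone plus resolver, the `MAX_HOPS` loop guard and the extra sequence label are all assumptions. The sequence label is a deliberate departure from the post's scheme: if the owner name were only `x<hex>`, two identical chunks would produce the same name and the chain would loop at the first repeat.

```python
"""Encode a payload as a DNS CNAME chain and recover it by chasing the chain.

Constructed example, not the code from the dns-operations post. The zone
'example.test', the in-memory zone_data dict, MAX_HOPS and the sequence label
are assumptions; a real deployment would load the records into an
authoritative zone and let any recursive resolver chase them.
"""
import re

LABEL_MAX = 63    # RFC 1035: a single label is at most 63 octets
MAX_HOPS = 1000   # hypothetical loop guard for the simulated resolver


def encode_chain(payload: bytes, zone: str, head: str = "start",
                 chunk: int = 31) -> dict:
    """Return {owner: target} CNAME records that spell out *payload*.

    Each chunk of *chunk* bytes becomes the label 'x' + hex. With 31 bytes
    that is 62 hex digits plus the prefix, a 63-character label, the largest
    RFC 1035 permits. A second label carrying the chunk index keeps owner
    names unique, so a repeated chunk cannot close the chain into a loop.
    """
    if chunk * 2 + 1 > LABEL_MAX:
        raise ValueError("chunk too large for a single DNS label")
    names = [f"{head}.{zone}"]
    for i in range(0, len(payload), chunk):
        names.append(f"x{payload[i:i + chunk].hex()}.{i // chunk}.{zone}")
    names.append(f"end.{zone}")          # terminal name; no CNAME of its own
    return {owner: target for owner, target in zip(names, names[1:])}


def resolve_chain(zone_data: dict, name: str) -> list:
    """Simulate a resolver chasing CNAMEs from *name*; return every name visited.

    The hop limit stands in for the CNAME-chain limits real resolvers enforce.
    """
    visited = []
    while name in zone_data:
        if len(visited) >= MAX_HOPS:
            raise RuntimeError("CNAME chain too long or looping")
        visited.append(name)
        name = zone_data[name]
    visited.append(name)
    return visited


def decode_chain(names: list) -> bytes:
    """Recover the payload from 'x<hex>' owner names, as the perl filter did."""
    out = bytearray()
    for n in names:
        m = re.match(r"^x([0-9a-f]*)\.", n)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def roundtrip(payload: bytes, zone: str = "example.test") -> bytes:
    """Encode, chase the chain from the head name, decode."""
    zone_data = encode_chain(payload, zone)
    return decode_chain(resolve_chain(zone_data, f"start.{zone}"))


if __name__ == "__main__":
    # constructed sample payload; any bytes work
    sample = b"/* efdtt.c Author: Charles M. Hannum */\n" * 3
    for owner, target in encode_chain(sample, "example.test").items():
        print(f"{owner}. IN CNAME {target}.")
    assert roundtrip(sample) == sample
```

Run stand-alone it prints the zone in master-file form; `dig start.example.test` against a resolver serving that zone would return the same chain, and once it has, the resolver answers from cache for the records' TTL without touching the authoritative server again, which is the distribution property the thread is about. Owner names stay within the 255-octet total only while the index label is short, so very large payloads need a larger zone-per-payload split or shorter chunks.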