[dns-operations] Caching nameservers as malware distribution mechanism

Roy Arends roy at dnss.ec
Tue Mar 8 12:24:04 UTC 2011


On Mar 8, 2011, at 10:46 AM, Roberto Navarro - TusProfesionales.es wrote:

> It was disclosed past week at rootedcon (www.rootedcon.es):
> 
> http://www.slideshare.net/rootedcon/francisco-jess-gmez-carlos-juan-diaz-cloud-malware-distribution-dns-will-be-your-friend-rootedcon-2011

Cute, but old.

Encoding software (malware in their case) using CNAME chains has been done before. I did that in 2001:

dig decss.friet.org|perl -ne's/\.//;print pack("H124",$1)if(/^x([^\.]*)/)'

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>     */
/*       Represented as 1045 digit prime number by Phil Carmody       */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers      */
/*                                                                    */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob      */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key  */



Roy





More information about the dns-operations mailing list