[dns-operations] Caching nameservers as malware distribution mechanism

David Ulevitch david at opendns.com
Tue Mar 8 16:49:41 UTC 2011


On Mar 8, 2011, at 7:56 AM, Paul Hoffman wrote:

> On 3/8/11 2:46 AM, Roberto Navarro - TusProfesionales.es wrote:
>> It was disclosed past week at rootedcon (www.rootedcon.es):
>> 
>> http://www.slideshare.net/rootedcon/francisco-jess-gmez-carlos-juan-diaz-cloud-malware-distribution-dns-will-be-your-friend-rootedcon-2011
> 
> Could you explain a bit about how the malware would be activated? That is, the slides just seem to show how you can get zipped malware into DNS caches. How would a user who is tricked into retrieving those records actually have the malware unzipped and executed? What processes would do that?

The botnet malware they are already infected with. :-) They are really just talking about a different distribution mechanism since lots of AV systems hook into the HTTP stream already.

-David




More information about the dns-operations mailing list