Attackers exploit a blind spot by hiding malware inside DNS records. This technique transforms the Internet DNS into an unconventional file storage system and distributes malware using DNS records. Be careful and safe out there 😱 Almost nobody filters DNS. Another security nightmare.

Read more: Malware in DNS
https://dti.domaintools.com/malware-in-dns/

Malware in DNS - DomainTools Investigations | DTI

Because it's always DNS, we wanted to share this fun finding of malware stored across DNS TXT records.


@nixCraft

> Being that the malicious stager script is stored in a DNS TXT record is not by itself enough; some other action would have to take place first on a system to retrieve and execute the script.

In other words, this is no threat to you unless your system is already compromised.

@nixCraft

Well, I remember Iodine, which was tunnelling TCP over DNS, so...

@nixCraft And “Let’s Encrypt” uses DNS TXT records for verification, so that may be impacted depending on mitigations
@nixCraft "Blind" if you don't remember the other times this was done.
@nixCraft I might write a cyberpunk novel featuring vigilantes who track these people down and punish them in interesting ways. I expect it would be popular.
And now we just wait for DNS to break in new ways because of ill-advised filters (as learned with ICMP).
@nixCraft it's Bonzi Buddy's dog lmao

@nixCraft

Yup. Unusual and hard to filter DNS for any random FQDN TXT record until you know to look for that one.

DNS has been used as a transport/VPN and file storage for quite a while. whee...
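Added example, not part of the thread or of the DomainTools write-up: it shows the storage scheme the original post describes (a payload hex-encoded and spread over numbered TXT records, then reassembled) next to a detection heuristic for the point the last reply makes, namely that you cannot filter TXT records one by one but you can look for the shape of a chunk store. The zone names, the sample payload and the benign records (SPF, DKIM, ACME) are all constructed for the example; nothing here is taken from a real incident.

```python
import math
import re
from collections import defaultdict

# Constructed sample payload: a harmless stand-in for a stager, NOT real malware.
SAMPLE_PAYLOAD = b"#!/bin/sh\n# constructed stand-in, not real malware\necho hi\n"
ZONE = "cdn.example.test"  # assumed attacker-controlled zone (hypothetical)

HEX_RE = re.compile(r"^[0-9a-f]+$")


def split_payload(data, zone, chunk_size=16):
    """Hex-encode a payload and spread it over numbered TXT records, one
    chunk per label: 0.zone, 1.zone, ...  Returns {fqdn: txt_value}.
    This is the 'DNS as file storage' scheme the post describes."""
    hexdata = data.hex()
    return {
        f"{i}.{zone}": hexdata[j:j + chunk_size]
        for i, j in enumerate(range(0, len(hexdata), chunk_size))
    }


def reassemble(records):
    """Inverse of split_payload: order chunks by their numeric label and decode."""
    ordered = sorted((int(name.split(".")[0]), value) for name, value in records.items())
    return bytes.fromhex("".join(value for _, value in ordered))


def shannon_entropy(s):
    """Bits per character. Hex text can never exceed 4.0 (16 symbols), while
    base64 values such as DKIM keys or ACME challenge tokens go well above it,
    so entropy alone does not separate a chunk store from legitimate records."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_chunk_stores(records, min_chunks=4):
    """Detection heuristic over a set of observed TXT records (e.g. from passive
    DNS or resolver logs): group names whose first label is purely numeric by
    their parent zone, and flag a zone when at least min_chunks such names hold
    pure-hex values of uniform length (the last chunk may be shorter).
    Returns {parent_zone: sorted chunk indices}."""
    groups = defaultdict(list)
    for name, value in records.items():
        first, _, parent = name.partition(".")
        if first.isdigit():
            groups[parent].append((int(first), value))

    suspicious = {}
    for parent, chunks in groups.items():
        values = [v for _, v in chunks]
        if len(chunks) < min_chunks or not all(HEX_RE.match(v) for v in values):
            continue
        if len({len(v) for v in values}) <= 2:  # uniform length, plus a shorter tail
            suspicious[parent] = sorted(i for i, _ in chunks)
    return suspicious


# Constructed benign records that a naive "weird TXT value" filter would hit.
BENIGN_RECORDS = {
    "example.test": "v=spf1 include:_spf.example.test -all",
    "mail._domainkey.example.test": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7",
    "_acme-challenge.example.test": "gfj9Xq-OUbKrkrsibrGpbeIjUeiOIjAXGe2Kg3k9mfs",
    "1.example.test": "deadbeef",  # one numeric label with hex is not a chunk store
}

# The full constructed corpus: benign records plus the chunked payload.
SAMPLE_RECORDS = {**BENIGN_RECORDS, **split_payload(SAMPLE_PAYLOAD, ZONE)}


if __name__ == "__main__":
    stores = find_chunk_stores(SAMPLE_RECORDS)
    for zone, indices in stores.items():
        chunks = {n: v for n, v in SAMPLE_RECORDS.items() if n.endswith("." + zone)}
        print(f"chunk store under {zone}: {len(indices)} records")
        print(reassemble(chunks).decode())
```

The heuristic keys on structure (numbered sibling labels, uniform-length hex) rather than on any single record, which is the only realistic handle when the record values themselves look like noise; in a real resolver log you would feed it the (name, TXT value) pairs you observed and then pivot on the flagged zone. Note that none of the benign records trip it, including the ACME token, even though its entropy is higher than that of any hex chunk.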