Malware Infiltrates DNS, a Critical Component of Internet Browsing, Sometimes Rendering Systems Unusable
In a concerning development, malware has been discovered to be increasingly embedded in Domain Name System (DNS) records, exploiting the trusted nature of this essential internet infrastructure. This revelation underscores the importance of regular security updates and vigilance in protecting computer systems from potential threats.
The discovery was made by DomainTools, who began searching DNS records for "magic file bytes" to detect hidden files. Magic bytes are a fixed signature at the start of a file that tells programs what type of file it is; renaming a file does not change its type unless the magic bytes themselves are modified. By encoding malware within DNS records, attackers can bypass security measures that typically focus on detecting malicious URLs or email attachments.
One such method used by malware authors is encoding a malicious binary into hexadecimal format and splitting it into hundreds of fragments. These fragments are then stored in the TXT records of subdomains. When malware already inside a secure network queries those DNS records, it reassembles the fragments into the original binary, evading typical security defenses.
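The detection approach described above (hunting for magic bytes in TXT records) and the fragment-reassembly technique, combined into one added example that is not DomainTools' tooling: it takes a constructed set of TXT records, flags the hex-only ones, reassembles them in index order under an assumed `<prefix><index>.<zone>` label layout, and reports any result that starts with a well-known file signature.

```python
import re

# Added example (not DomainTools' tooling); scans a constructed record set offline.
MAGIC = {b"MZ": "DOS/PE executable", b"\x7fELF": "ELF executable",
         b"\x89PNG": "PNG image", b"PK\x03\x04": "ZIP archive"}
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
# Assumed label layout: "<prefix><index>.<zone>", e.g. 0.example.test or frag12.example.test
INDEXED = re.compile(r"^(?P<prefix>.*?)(?P<idx>\d+)\.(?P<zone>.+)$")

def is_hex_blob(txt: str, min_len: int = 32) -> bool:
    """Long, even-length, hex-only TXT content is a strong fragment signal."""
    return len(txt) >= min_len and len(txt) % 2 == 0 and bool(HEX_ONLY.match(txt))

def identify(data: bytes):
    """Return the file type name if data starts with a known magic signature."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def reassemble(records: dict) -> dict:
    """Group hex-only TXT records by (prefix, zone), order by index, hex-decode."""
    groups = {}
    for name, txt in records.items():
        m = INDEXED.match(name)
        if m and is_hex_blob(txt):
            groups.setdefault((m["prefix"], m["zone"]), []).append((int(m["idx"]), txt))
    out = {}
    for (prefix, zone), parts in groups.items():
        parts.sort()  # index order restores the original byte order
        out[f"{prefix}<n>.{zone}"] = bytes.fromhex("".join(p for _, p in parts))
    return out

def scan(records: dict) -> dict:
    """Map each reassembled blob that carries magic bytes to its file type."""
    return {key: kind for key, blob in reassemble(records).items() if (kind := identify(blob))}

# Constructed sample zone: a 48-byte DOS/PE header split over three TXT records,
# stored out of order, alongside ordinary SPF and DMARC records.
SAMPLE = {
    "2.example.test": "0000000000000000" * 2,
    "0.example.test": "4d5a90000300000004000000ffff0000",
    "1.example.test": "b8000000000000004000000000000000",
    "example.test": "v=spf1 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject",
}

if __name__ == "__main__":
    print(scan(SAMPLE))  # {'<n>.example.test': 'DOS/PE executable'}
```

Run against records pulled from passive DNS or zone transfers you are authorised to inspect; the hex-only and magic-byte checks are cheap enough to apply across large record sets.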
Another technique used is DNS tunneling, where attackers encode data within DNS queries and responses, turning DNS into a covert communication channel. By controlling an authoritative name server for a domain, attackers direct infected systems to query this domain regularly. The responses contain encoded instructions that trigger malicious actions like file deletion or data harvesting.
The use of encrypted DNS protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt DNS queries, makes it more difficult for security tools to inspect DNS traffic. Attackers exploit this opacity to hide their DNS-based malware delivery and control channels further.
The potential implications of malware embedded in DNS are significant. Since DNS traffic is often trusted and lightly monitored, this novel abuse vector allows attackers to evade firewalls, intrusion detection systems, and antivirus software. Malware transmitted in DNS records via fragmented and encoded payloads is challenging to detect and trace back to the source, enabling stealthy persistence.
Using DNS tunneling, attackers maintain control over malware within compromised networks, issuing commands and extracting data covertly. They can also exfiltrate sensitive information from corporate networks disguised as DNS traffic, making detection and prevention harder. Malware spread or controlled via DNS may disrupt normal operations, compromise sensitive data, and facilitate lateral movement within networks.
The discovery underscores the need for better security measures to protect DNS from such threats. The widespread use of the older IPv4 protocol, which did not anticipate the sheer number of devices that would come online, may make DNS more vulnerable to such threats. Its successor, IPv6, is not as widely supported as it should be.
This is not the first report of hackers hiding images in DNS records; similar reports emerged in June. The use of DNS for malicious activities highlights the importance of enhancing DNS traffic monitoring and anomaly detection to mitigate these risks and safeguard computer systems from potential threats.
Recent findings highlight a growing cybersecurity threat: the increasing embedding of malware in Domain Name System (DNS) records. Hackers use encoding and file-splitting techniques, manipulate TXT records, and employ DNS tunneling to bypass security measures, making regular security updates essential to securing computer systems.
The discovery of images hidden in DNS records shows how DNS-based malicious activity keeps evolving, emphasizing the need for improved DNS traffic monitoring and anomaly detection to fortify Internet infrastructure against such threats.