

DomainTools reported that someone found a way to embed malware in Domain Name System (DNS) records, which means we have something new to blame on the system responsible for pretty much every networking problem most people may have.
For anyone fortunate enough not to know already, DNS is the system that enables you to enter something like “tomshardware.com” in your browser’s address bar and, ideally, be taken to the IP address associated with our site. Without it we’d have to enter those IP addresses manually, with no guarantee that an address that worked yesterday will still work today. Why? Because IPv4, still the most common Internet Protocol, didn’t account for the sheer number of devices we’d all want to put online, so addresses are scarce and get reassigned, and its successor, IPv6, still isn’t supported as widely as it should be.
So we have DNS. The process goes something like this: a domain’s owner publishes DNS records that say which IP address should be associated with its name, your computer’s resolver asks a DNS server for those records when you try to visit the site, and then, if everything goes well, the site and its visitor are connected by the wonders of the web. (By which I mean the collection of interconnected protocols and services that are far more complicated than I’ve conveyed in this overview.) DNS is ubiquitous, and almost every network lets it through, which means it was only a matter of time before someone found a way to abuse it.
A recent step towards using DNS in ways beyond its intended purpose was taken when Ben Cartwright-Cox outlined a way to build a file system on top of DNS. TXT records were meant to hold human-readable text, but nothing stops someone from stuffing encoded binary into them: Cyber Security News reported in June that hackers were hiding images in DNS records, which prompted DomainTools to begin “a search at the beginning of DNS RDATA TXT records for magic file bytes in hexadecimal format for a wide range of executables and common file types.” And it found some! Which means there’s more ‘splainin to do.
Most of us identify a file’s type by the extension at the end of its name: .mp3 for audio, .txt for plain text, and so on. But the extension is just part of the name, which is why renaming “example.jpg” to “example.png” in a file manager doesn’t turn a JPEG into a PNG. (It’s also why file managers that hide extensions by default can leave you guessing what a file really is.) What actually identifies the format is a signature of “magic bytes” at the very start of the file: 4D 5A (“MZ”) for a Windows executable, 7F “ELF” for a Linux one, 89 “PNG” for a PNG image, and so on. Tools like the Unix file command, and many programs that open files, use those bytes to decide how to handle the data regardless of what the name says. Those same signatures are what DomainTools went looking for in TXT records.
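What that search looks like in practice, as an added example that is not code from DomainTools or from the original article: a small Python scanner that takes a set of TXT records (constructed sample data under the hypothetical example.test domain), tries to decode each one as hex and, going beyond the hex-only search the text describes, as base64 too, and reports any record whose decoded bytes begin with a known file signature.

```python
import base64
import re
from typing import Dict, Optional, Tuple

# Constructed sample records under a hypothetical domain (not from the report).
# Records 1-4 and 7 hold the first bytes of real file formats, encoded the way
# someone might stuff them into TXT rdata; the rest are ordinary or junk.
SAMPLE_TXT_RECORDS: Dict[str, str] = {
    "www.example.test": "v=spf1 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject",
    "1.example.test": "4d5a9000" "03000000" "04000000" "ffff0000",  # MZ (PE) header
    "2.example.test": "89504e470d0a1a0a" "0000000d49484452",        # PNG + IHDR
    "3.example.test": "ffd8ffe000104a464946",                        # JPEG/JFIF
    "4.example.test": "7f454c4602010100",                            # ELF
    "5.example.test": "48656c6c6f2c20776f726c64",                    # hex of "Hello, world"
    "6.example.test": "xyz not hex at all",
    "7.example.test": "TVqQAAMAAAA=",                                # base64 of MZ header
}

# Leading byte signatures ("magic bytes") of common file types.
MAGIC: Tuple[Tuple[bytes, str], ...] = (
    (b"MZ", "DOS/PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also docx/xlsx/jar/apk)"),
    (b"\x1f\x8b", "gzip data"),
    (b"Rar!\x1a\x07", "RAR archive"),
)

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_candidate(rdata: str) -> Optional[Tuple[bytes, str]]:
    """Decode TXT rdata as hex, then base64; return (bytes, encoding) or None.

    Whitespace is stripped first because TXT rdata is carried as one or more
    <character-string>s and tools often print them separated by spaces.
    Hex is tried first: every hex string is also valid base64, not vice versa.
    """
    s = "".join(rdata.split())
    if len(s) < 8:
        return None
    if len(s) % 2 == 0 and HEX_RE.match(s):
        return bytes.fromhex(s), "hex"
    if len(s) % 4 == 0 and B64_RE.match(s):
        try:
            return base64.b64decode(s, validate=True), "base64"
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
    return None


def identify_magic(data: bytes) -> Optional[str]:
    """Return the file type whose signature the data starts with, if any."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return None


def scan_txt_records(records: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each record name whose decoded rdata begins with a known signature
    to (file type, encoding). Plain text and undecodable rdata are skipped."""
    hits: Dict[str, Tuple[str, str]] = {}
    for name, rdata in records.items():
        decoded = decode_candidate(rdata)
        if decoded is None:
            continue
        raw, encoding = decoded
        kind = identify_magic(raw)
        if kind is not None:
            hits[name] = (kind, encoding)
    return hits


if __name__ == "__main__":
    for name, (kind, encoding) in sorted(scan_txt_records(SAMPLE_TXT_RECORDS).items()):
        print(f"{name}: {kind} ({encoding})")
```

In real use the input would come from passive DNS or from dumping a zone's TXT records with dig, and a hit only tells you where a file starts: anything larger than a few hundred bytes has to be split across many records, so the chunks still need to be collected and reassembled in order before the file can be carved out. Legitimate records that happen to be valid base64 (DKIM public keys, verification tokens) will decode but almost never begin with a file signature, which keeps false positives low.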
Now that we’ve established that computers are cursed, especially when we expect them to communicate with each other by way of a bunch of intermediary computers that we pretend don’t exist, let’s continue with DomainTools’ discovery.
The company said that “a malicious actor was using DNS TXT records to store and possibly deliver [Joke/ScreenMate] malware and stagers for likely Covenant C2 malware infections” from 2021-2022. DomainTools described that malware as “prank software” that can be used to cause system performance issues; “present a continuous stream of jokes, images, or animations that can be distracting and difficult to stop”; and “display fake error messages, fictitious virus warnings, or animations that mimic the deletion of system files,” among other things, on infected devices.
It would be interesting to see whether more attackers start taking advantage of DNS like this, especially since these reports have demonstrated the relative ease with which the system can be used to hide non-text data and stage malware, over a channel that most networks allow out by default and rarely inspect.