The latest innovation in this particular "field" has been spotted by Symantec researcher Takashi Katsuki, who recently discovered a Trojan that uses Sender Policy Framework (SPF) to keep the connection between malware and C&C servers alive and well.
Ironically, SPF is an email validation system designed to detect email spoofing and, by extension, spam.
"SPF consists of a domain name server (DNS) request and response. If a sender’s DNS server is set up to use SPF, the DNS response contains the SPF in a text (TXT) record," explains Katsuki.
"The point for the malware author is that domains or IP addresses in SPF can be obtained from a DNS request and this DNS request doesn’t need to be requested from a computer directly. Usually the local DNS server is used as a DNS cache server. The DNS cache server can send a request instead of the computer."
By sending a DNS request to the attackers' DNS server for a generated domain with a .com or .net TLD, the Trojan, dubbed Spachanel, gets back a response whose SPF record contains malicious domains or IP addresses.
The researcher speculates that this is done like this because the attacker wants to hide communication in legitimate DNS queries.
"If this malware connects to the attacker’s server by a higher port number using the original protocol, it may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). In some cases, specific domains are blocked by a local DNS server, but this malware generates a domain that is rarely filtered," he explains.
"Furthermore, DNS requests are generally speaking not sent directly. Usually there is a DNS cache server in the network or in the ISP network, which makes it difficult for a firewall to filter it. Therefore, this is the attacker’s attempt to maintain a solid connection between the malware and the attacker’s server."
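The mechanism described above, seen from the defender's side, as an added example that is not part of the original article or of Symantec's analysis. It parses SPF TXT answers out of a constructed passive-DNS style log, extracts the IP addresses and host names the record carries (the data the Trojan consumes), and flags answers that a non-mail-server host fetched for a generated-looking domain. The log format, the sample domains and addresses, the `KNOWN_MTAS` list and the entropy threshold are all assumptions made for this example; only receiving mail servers normally evaluate SPF, so a workstation pulling such records is itself worth a look.

```python
"""Flag SPF TXT answers that look like C&C beacons rather than mail-policy checks.

Added example (not from the article or Symantec). The input is a constructed
passive-DNS style log, one TXT answer per line.
"""
import math
import re

# Hosts that legitimately evaluate SPF (receiving MTAs). Assumed for this example.
KNOWN_MTAS = {"10.0.0.25"}

# One SPF term: optional qualifier, mechanism name, optional ':' or '=' argument.
SPF_TERM = re.compile(
    r"^[+\-~?]?(ip4|ip6|a|mx|include|exists|redirect|ptr|all)(?:[:=](.+))?$",
    re.IGNORECASE,
)

# Constructed log lines: querying host, queried name, TXT answer.
SAMPLE_LOG = """\
src=10.0.0.25 qname=example.com txt="v=spf1 mx include:_spf.example.net -all"
src=10.0.0.25 qname=example.net txt="v=spf1 ip4:192.0.2.0/24 ~all"
src=10.0.0.23 qname=qzv7hxk3tplw.com txt="v=spf1 ip4:198.51.100.17 a:kx9wqz2ltmvy.net"
src=10.0.0.23 qname=example.org txt="some-verification-token=abc123"
"""

LOG_LINE = re.compile(r'src=(\S+) qname=(\S+) txt="([^"]*)"')


def parse_spf(domain, txt):
    """Return (ips, hosts) named by an SPF record, or None if txt is not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    ips, hosts = [], []
    for term in terms[1:]:
        m = SPF_TERM.match(term)
        if not m:
            continue  # modifiers such as exp= carry no endpoints
        mech, arg = m.group(1).lower(), m.group(2)
        if mech in ("ip4", "ip6") and arg:
            ips.append(arg)
        elif mech in ("a", "mx", "include", "exists", "redirect", "ptr"):
            # a/mx without an argument refer to the queried domain itself
            hosts.append(arg.split("/")[0] if arg else domain)
    return ips, hosts


def registrable_label(domain):
    """Second-level label of a name, e.g. 'qzv7hxk3tplw' for qzv7hxk3tplw.com."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_entropy(domain):
    """Shannon entropy in bits per character of the registrable label."""
    label = registrable_label(domain)
    if not label:
        return 0.0
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def looks_generated(domain, min_len=10, min_entropy=3.4):
    """Cheap DGA heuristic: long registrable label with near-uniform characters."""
    return len(registrable_label(domain)) >= min_len and label_entropy(domain) >= min_entropy


def find_suspicious_spf(log_text, known_mtas=KNOWN_MTAS):
    """Return [(src, qname, ips, hosts)] for SPF answers fetched by non-MTA hosts
    for generated-looking domains: the pattern the article describes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        src, qname, txt = m.groups()
        parsed = parse_spf(qname, txt)
        if parsed is None:
            continue
        ips, hosts = parsed
        if src not in known_mtas and looks_generated(qname):
            hits.append((src, qname, ips, hosts))
    return hits


if __name__ == "__main__":
    for src, qname, ips, hosts in find_suspicious_spf(SAMPLE_LOG):
        print(f"{src} pulled SPF for {qname}: ips={ips} hosts={hosts}")
```

The entropy check only separates near-random labels from dictionary words; in practice the hit list would be joined against outbound connections from the same host to the extracted addresses, which is the traffic the quoted analysis says the firewall never sees at the DNS layer.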