Trojan uses anti-spam system to keep in touch with C&C servers
Posted on 28.01.2013
Most malware is severely crippled if it can't contact the C&C servers from which it receives its instructions and updates, so malware authors are constantly coming up with new ways to thwart firewalls, intrusion prevention systems and local gateways blocking such communication.

The latest innovation in this particular "field" has been spotted by Symantec researcher Takashi Katsuki, who recently discovered a Trojan that uses Sender Policy Framework (SPF) to keep the connection between malware and C&C servers alive and well.

Ironically, SPF is an email validation system designed to spot email spoofing and, therefore, spam.

"SPF consists of a domain name server (DNS) request and response. If a sender's DNS server is set up to use SPF, the DNS response contains the SPF in a text (TXT) record," explains Katsuki.

"The point for the malware author is that domains or IP addresses in SPF can be obtained from a DNS request and this DNS request doesn't need to be requested from a computer directly. Usually the local DNS server is used as a DNS cache server. The DNS cache server can send a request instead of the computer."

By sending a DNS request to the attackers' DNS server for a generated domain with a .com or .net TLD, the Trojan - dubbed Spachanel - gets back a response whose SPF record contains malicious domains or IP addresses.

The researcher speculates that the attacker chose this approach in order to hide the communication among legitimate DNS queries.

"If this malware connects to the attacker's server by a higher port number using the original protocol, it may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). In some cases, specific domains are blocked by a local DNS server, but this malware generates a domain that is rarely filtered," he explains.

"Furthermore, DNS requests are generally speaking not sent directly. Usually there is a DNS cache server in the network or in the ISP network, which makes it difficult for a firewall to filter it. Therefore, this is the attacker's attempt to maintain a solid connection between the malware and the attacker's server."
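As an added example (not part of Symantec's write-up or this article), here is a defender's sketch of how a resolver-log review could surface the pattern described above: parse SPF TXT answers and flag those returned for random-looking query names, extracting the addresses the record would hand to a client. The log entries, domain names and entropy threshold are constructed for illustration and are not real indicators.

```python
import math
from collections import Counter

# Constructed resolver log entries (query name, record type, answer data);
# names and addresses are illustrative, not observed indicators.
SAMPLE_LOG = [
    ("mail.example.com", "TXT", "v=spf1 include:_spf.example.com ip4:192.0.2.0/24 -all"),
    ("qx7k3ptzhv2m.com", "TXT",
     "v=spf1 ip4:198.51.100.23 ip4:198.51.100.77 a:update.example.net -all"),
    ("www.example.org", "A", "192.0.2.10"),
]

def parse_spf(txt):
    """Return (ips, domains) referenced by an SPF record, or None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    ips, domains = [], []
    for term in txt.split()[1:]:
        term = term.lstrip("+-~?")                # qualifier is irrelevant here
        mech, sep, arg = term.partition(":")
        if not sep:
            mech, sep, arg = term.partition("=")  # redirect= / exp= modifiers
        mech = mech.lower()
        if mech in ("ip4", "ip6") and arg:
            ips.append(arg)
        elif mech in ("include", "a", "mx", "exists", "redirect") and arg:
            domains.append(arg.split("/")[0])     # drop dual-cidr suffix on a/mx
    return ips, domains

def label_entropy(name):
    """Shannon entropy (bits/char) of the second-level label: a crude hint
    that a name was algorithmically generated rather than chosen."""
    labels = name.rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def suspicious_spf_queries(log, entropy_threshold=3.0):
    """Return SPF answers for random-looking query names plus the addresses the
    record hands a client. Threshold is constructed; tune it against a baseline."""
    findings = []
    for qname, rtype, rdata in log:
        if rtype != "TXT":
            continue
        parsed = parse_spf(rdata)
        if parsed and label_entropy(qname) >= entropy_threshold:
            findings.append({"query": qname, "ips": parsed[0], "domains": parsed[1]})
    return findings
```

Entropy alone produces false positives on short or unusual legitimate labels, so in practice the flagged set should be cross-checked against which hosts subsequently contacted the extracted addresses.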

Apart from this communication strategy, the Trojan's goals are pretty ordinary. It injects itself into the web browser process and inserts JavaScript tags that load advertisements into every HTML page, earning money for the attacker from clicks and from sales of fake security software.
