News Malware found embedded in DNS, the system that makes the internet usable, except when it doesn't

Dumb question: Wouldn't the easiest solution be to make sure that all DNS resolvers only handle plain text responses, with any other magic-byte embedded payloads being dropped on the floor?
 
The Internet was not designed to be secure, not really anyway. It's time to start taking steps to deploy 'internet 2' already used in some colleges (etc) to everyone. It's faster & more efficient but more importantly it's actually designed with security in mind.

What we have now served its purpose but the number of ways an attacker can come at you is staggering & if a threat actor really wants to target someone and can put in the time... they will succeed. It requires significant skill but that's what happens when a complex system isn't designed to be secure. Doesn't help that we keep putting band-aids on the wounds and adding functionality on top of the proverbial screen door on a submarine.
 
Wouldn't the easiest solution be to make sure that all DNS resolvers only handle plain text responses, with any other magic-byte embedded payloads being dropped on the floor?
Because not everything is plain text, just like the web page you see right now (you could include images in this category, I'll explain later (TCP is slower, but safer integrity)).

In the internet you can have complex responses, like a voip call or even a YouTube stream (UDP, which means more speed and interference) which is essentially the "magic-byte payload" you're talking about.

While TCP is safer in integrity, a Man-In-The-Middle attack could replace all of your browser images for a beautiful potato picture. Which it looks like it could have been happening here.

You can't just cut off from the internet something just because it looks like a byte stream. In fact, the plain text you see is a human-readable format of the so called "magic byte payload".

Edit: Note that even plain text has its byte encoding like UTF-8 or the dino ASCII and I'm not taking it into account because we have ways to detect if something is structured bytes or plain text.
 
If you think DNS can handle UTF8-encoding, you underestimate how old the protocol is.

To the other point, even with a base64 payload, if you treat it as plain text, nothing happens. Base64 encoding is only dangerous if it is decoded rather than treated as a string by the resolver. Unless the dns resolver code in your cli or browser is for some reason designed to handle and decode base64 or really anything except basic ASCII, it's false to assume that it would cause problems other than being unable to be resolved.

You both seem to be conflating DNS resolution with other forms of TCP/UDP communication.
 
...

What we have now served its purpose but the number of ways an attacker can come at you is staggering & if a threat actor really wants to target someone and can put in the time... they will succeed. It requires significant skill but that's what happens when a complex system isn't designed to be secure. Doesn't help that we keep putting band-aids on the wounds and adding functionality on top of the proverbial screen door on a submarine.
Ok, but to be fair, you're talking about internet 1.0 era technologies as well, such as email. Email alone is the initial cause for 70-90% of data breaches, so a "secure" "email 2.0" would be huge in itself. It's also a herculean effort already to replace email as it exists today, which is why it also continues to receive bolt-ons like DKIM, DMARC, ARC Sealing, DNS DANE, and so on. There's a reason for that though: sometimes things just need evolution, not a revolution.

Much of the world's population grew up during that era or even prior -- it's really about minds and awareness. Social engineering isn't close to being beaten and if anything is only swinging in attackers' favors as you see those kids in the U.K. and elsewhere hacking Microsoft, nVidia, and more recently huge grocery chains, airlines, etc. (look up "Lapsus$" and "Scattered Spider") using simple IT help desk tricks.

Anyways, modern [black hat] hacking doesn't require significant skill as there's more and more open source and low cost tooling like phishing kits and Phishing-as-a-Service, Malware-as-a-Service, separation of Initial Access Brokers from the operating ransomware affiliate or other form of bad actor, and so on. Script Kiddies, a class of unethical hacker, are as prevalent and prolific as ever, and really there's a full-spectrum scale of skills and knowledge in between. So I suppose to your point, band-aided technologies have only compounded this problem, but I believe it's more of a human problem than a technology one. Look at how many billions of dollars scammers are scamming people without even a need for hacking networks or devices... just hacking the human mind!

On that bombshell... an honorable mention to the late Kevin Mitnick! 🫡
 
Ok, but to be fair, you're talking about internet 1.0 era technologies as well, such as email. Email alone is the initial cause for 70-90% of data breaches, so a "secure" "email 2.0" would be huge in itself.

To get to the stupid massive populace of the world just give them that basic info. 70-90% of breaches are email 1.0. Email 2.0 is secure.
Most won't know 1.0 from 2.0 so there would need to be something really basic that everyone could identify that would let people know they are using 2.0. (Imagine the spam messages in old email. 'Click me! I'm the new email type!')
 
This is massively old news. DNS has been used for data transfer for well over a decade. Hell I got my B.S. in 2017 doing data transfer via embedded NTP traffic.
 
To the other point, even with a base64 payload, if you treat it as plain text, nothing happens. Base64 encoding is only dangerous if it is decoded rather than treated as a string by the resolver
I'm not conflating anything. The point is that it can be used to store malware payloads. Instead of a script downloading the payload from a URL, it can be stored directly in a DNS record. Everyone is scanning URLs for malicious content, but I doubt many systems are scanning for malware directly in TXT records.
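The two points above (a resolver treats TXT data as an opaque string and never decodes it, yet almost nobody inspects TXT records for stored blobs) suggest a simple defensive check. This is an added example, not code from the thread or from any project: it scans a constructed set of TXT records for long, strictly valid base64 strings spread across numbered labels, while skipping record types (SPF, DKIM, DMARC, site verification) that legitimately carry encoded data. All zone names and record contents are constructed for the example; the base64 is just harmless filler text.

```python
import base64
import binascii
import re

# Prefixes of well-known TXT record types that legitimately carry encoded data
# (DKIM public keys are base64 too, so a bare "is it base64?" test would misfire).
KNOWN_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def _chunk(n: int) -> str:
    # Constructed filler: base64 of plain text, so the sample runs offline.
    return base64.b64encode(f"constructed filler chunk {n} ".encode() * 3).decode()


# Constructed sample zone data, not real indicators.
SAMPLE_TXT_RECORDS = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=" + _chunk(0)],
    "0.cdn-cache.example.test": [_chunk(1)],
    "1.cdn-cache.example.test": [_chunk(2)],
    "2.cdn-cache.example.test": [_chunk(3)],
    "shop.example.test": ["google-site-verification=abc123"],
}


def looks_like_blob(txt: str) -> bool:
    """True for a long, strictly valid base64 string with no known record prefix.
    Decoding is used only to validate the alphabet; the bytes are never interpreted."""
    if txt.lower().startswith(KNOWN_PREFIXES):
        return False
    compact = txt.replace(" ", "")
    if not B64_RE.match(compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except binascii.Error:
        return False


def flag_chunked_storage(records: dict[str, list[str]], min_chunks: int = 2) -> dict[str, int]:
    """Group blob-like TXT records by parent name and report parents with at
    least min_chunks of them, i.e. data spread across numbered child labels."""
    counts: dict[str, int] = {}
    for name, strings in records.items():
        if any(looks_like_blob(s) for s in strings):
            parent = name.split(".", 1)[1] if "." in name else name
            counts[parent] = counts.get(parent, 0) + 1
    return {p: c for p, c in counts.items() if c >= min_chunks}
```

Run over a zone transfer or passive-DNS export instead of the constructed dictionary, the same grouping highlights names worth a closer look; the known-prefix list should be extended with whatever verification records your own zones use.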
 
To get to the stupid massive populace of the world just give them that basic info. 70-90% of breaches are email 1.0. Email 2.0 is secure
I wonder if we'll ever get an email 2.0. There's still no widely-accepted email protocols that even handle two factor authentication - neither IMAP nor SMTP do. JMAP might, but it hasn't been widely adopted yet. It'd be nice to move to a stateless protocol too.