Trojan uses anti-spam system to keep in touch with C&C servers
Posted on 28.01.2013
Most malware is severely crippled if it can't contact the C&C servers from which it receives its instructions and updates, so malware authors are constantly coming up with new ways to thwart firewalls, intrusion prevention systems and local gateways blocking such communication.

The latest innovation in this particular "field" has been spotted by Symantec researcher Takashi Katsuki, who recently discovered a Trojan that uses Sender Policy Framework (SPF) to keep the connection between malware and C&C servers alive and well.

Ironically, the SPF is an email validation system designed to spot email spoofing and, therefore, spam.

"SPF consists of a domain name server (DNS) request and response. If a sender's DNS server is set up to use SPF, the DNS response contains the SPF in a text (TXT) record," explains Katsuki.

"The point for the malware author is that domains or IP addresses in SPF can be obtained from a DNS request and this DNS request doesn't need to be requested from a computer directly. Usually the local DNS server is used as a DNS cache server. The DNS cache server can send a request instead of the computer."

By sending a DNS request for a generated domain with a .com or .net TLD to the attackers' DNS server, the Trojan (dubbed Spachanel) gets back a response whose SPF record contains malicious domains or IP addresses.

The researcher speculates that the attacker does this in order to hide the communication inside legitimate DNS queries.

"If this malware connects to the attacker's server by a higher port number using the original protocol, it may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). In some cases, specific domains are blocked by a local DNS server, but this malware generates a domain that is rarely filtered," he explains.

"Furthermore, DNS requests are generally speaking not sent directly. Usually there is a DNS cache server in the network or in the ISP network, which makes it difficult for a firewall to filter it. Therefore, this is the attacker's attempt to maintain a solid connection between the malware and the attacker's server."
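Because the perimeter firewall only sees the recursive resolver's traffic, the place a defender can actually inspect this channel is the resolver's own query log or a passive-DNS feed. The following added example (not code from the article or from Symantec) shows how such a log can be reviewed: it parses SPF TXT answers into their mechanisms, extracts the hosts and networks a client would learn from them, and flags TXT lookups for domains whose first label looks machine-generated. The log format, the sample lines, the domain names, and the entropy threshold are all constructed for illustration; the entropy test is a coarse heuristic, not a definitive indicator.

```python
import math
import re
from collections import Counter

# Constructed passive-DNS style log (assumed format, one record per line):
#   <client-ip> <query-name> <qtype> <rdata>
# None of these domains or addresses come from the article.
SAMPLE_LOG = """\
10.0.0.5 example.com TXT "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
10.0.0.7 xk3q9vtz8a.com TXT "v=spf1 ip4:198.51.100.23 a:ads-host.example.org ~all"
10.0.0.5 example.com MX 10 mail.example.com
10.0.0.9 mail.example.org TXT "some unrelated txt"
"""

# One SPF term: optional qualifier, mechanism name, optional argument after ':' '=' or '/'.
SPF_TERM = re.compile(
    r'^(?P<q>[+\-~?])?'
    r'(?P<name>all|ip4|ip6|a|mx|include|exists|ptr|redirect)'
    r'(?:[:=/](?P<arg>.+))?$',
    re.I,
)

# Mechanisms whose argument names a host, network or further domain to consult.
ENDPOINT_MECHS = {'ip4', 'ip6', 'a', 'mx', 'include', 'exists', 'redirect'}


def parse_spf(rdata):
    """Return [(mechanism, argument), ...] for an SPF TXT record, or None if not SPF."""
    terms = rdata.strip().strip('"').split()
    if not terms or terms[0].lower() != 'v=spf1':
        return None
    parsed = []
    for term in terms[1:]:
        m = SPF_TERM.match(term)
        if m:
            parsed.append((m.group('name').lower(), m.group('arg')))
    return parsed


def extract_endpoints(mechanisms):
    """Hosts, networks and domains a client would learn from the parsed record."""
    return [arg for name, arg in mechanisms if arg and name in ENDPOINT_MECHS]


def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_domain(domain, threshold=3.2):
    """Coarse heuristic: long, high-entropy first label suggests a generated name.

    The threshold is an assumption chosen for this sample; tune it on real data.
    """
    label = domain.split('.')[0]
    return len(label) >= 8 and label_entropy(label) >= threshold


def scan_log(text):
    """Flag SPF TXT answers for suspicious-looking query names and list what they point to."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[2].upper() != 'TXT':
            continue
        client, qname, _, rdata = parts
        mechanisms = parse_spf(rdata)
        if mechanisms is None:
            continue
        if is_suspicious_domain(qname):
            findings.append({
                'client': client,
                'domain': qname,
                'endpoints': extract_endpoints(mechanisms),
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} looked up SPF for {f['domain']} -> {', '.join(f['endpoints'])}")
```

In practice the `endpoints` list is what you would feed into reputation checks or block lists: the hosts the record names are exactly where the infected client will connect next, and they are visible here even though the client never spoke to the firewall directly.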

Apart from this communication strategy, the Trojan's goals are pretty ordinary. It injects itself into the web browser process, and injects JavaScript tags that load advertisements into every HTML page, with the purpose of earning money for the attacker from clicks and sales of fake security software.
