The fun thing about curses is that they propagate. In this case, hackers using the Domain Name System (DNS) to distribute malware inspired Michael “B’ad Samurai” Bunner to create DNS Mad Libs, which uses the same technique as the recently-discovered DNS malware distribution hack to provide a distributed version of the popular word game.

“This project is inspired by previous research on the use of DNS TXT records to store and retrieve data, which can be used for various purposes including malware distribution and command & control,” Bunner said in the project’s README. “This is typically done by embedding malicious payloads in DNS records, which can then be resolved by compromised systems. In this case we utilize public API endpoints over HTTPS to retrieve the data from a trusted service, obscuring the true source of the data.”


My report on the DNS-enabled malware includes a more [adjective] description of the system; the gist is that it turns domain names (“tomshardware.com”) into IP addresses (199.232.194.114) to make browsing the web more convenient. But that explanation ignored an important aspect of DNS: the ability to set a time-to-live (TTL) for its records.

A domain name is rarely associated with a particular IP address forever—sometimes it’s changed because of a website operator’s decision, such as switching to a different host, and sometimes it’s simply associated with a dynamic IP address that changes on the whims of an upstream internet service provider. DNS needs to be able to handle either of those cases.


That’s where TTL comes in. The setting effectively tells DNS providers how often to check to ensure a record hasn’t been updated. A record that’s expected to change on a semi-regular basis will be given a short TTL; a record that’s expected to change less frequently will be given a long TTL. (And when those expectations aren’t met, well, that’s when things break.)

DNS Mad Libs, like the embedded malware example before it, uses the ability to set a long TTL for DNS records to store more information than the system’s designers would have expected. That way, it doesn’t require a dedicated server to set up a new mad-lib—it just needs a series of DNS records for a domain set up in the way expected by the game’s interface.
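For defenders, the storage technique described above leaves a recognizable shape in resolver responses. The following is an added example, not code from DNS Mad Libs or its README: it scans a DNS-over-HTTPS JSON response for TXT answers that look like encoded data rather than ordinary policy records. It assumes the `Status`/`Answer` response layout used by public DNS JSON APIs; the function names, allow-list, thresholds, and sample response are constructed for illustration.

```python
import json
import math
import re
from collections import Counter

TXT = 16  # DNS resource record type number for TXT
# Common legitimate TXT prefixes; this allow-list is an assumption, extend it per environment.
KNOWN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=")
# Base64/base64url/hex-looking string of at least 64 characters (threshold is an assumption).
ENCODED = re.compile(r"[A-Za-z0-9+/=_-]{64,}")

def shannon_entropy(s):
    """Bits per character; encoded or compressed data scores higher than prose."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def flag_txt_answers(doh_json, min_entropy=4.5):
    """Return (name, ttl, length, entropy) for TXT answers that look like stored data."""
    findings = []
    for rr in json.loads(doh_json).get("Answer", []):
        if rr.get("type") != TXT:
            continue
        # Resolvers present TXT data as one or more quoted character-strings; join them.
        data = rr.get("data", "").replace('" "', "").strip('"')
        if data.startswith(KNOWN_PREFIXES) or not ENCODED.fullmatch(data):
            continue
        h = shannon_entropy(data)
        if h >= min_entropy:
            findings.append((rr["name"], rr["TTL"], len(data), round(h, 2)))
    return findings

# Constructed sample response (not captured traffic); example.test is a placeholder domain.
SAMPLE = json.dumps({"Status": 0, "Answer": [
    {"name": "example.test.", "type": 16, "TTL": 300,
     "data": '"v=spf1 include:_spf.example.test ~all"'},
    {"name": "c0.example.test.", "type": 16, "TTL": 86400,
     "data": '"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789+/"'},
    {"name": "example.test.", "type": 1, "TTL": 300, "data": "192.0.2.10"},
]})

if __name__ == "__main__":
    for finding in flag_txt_answers(SAMPLE):
        print(finding)
```

Plain-text records such as the mad-lib templates themselves will not trip the encoded-data pattern, so this check targets the payload-style use of TXT records rather than the word game.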

It just goes to show you: any sufficiently [adjective] technology really is [adjective] from [noun], especially when the [noun] is involved.


Nathaniel Mott is a freelance news and features writer for Tom’s Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.