Most malware is severely crippled if it can’t contact the C&C servers from which it receives its instructions and updates, so malware authors are constantly coming up with new ways to thwart firewalls, intrusion prevention systems and local gateways blocking such communication.
The latest innovation in this particular “field” has been spotted by Symantec researcher Takashi Katsuki, who recently discovered a Trojan that uses Sender Policy Framework (SPF) to keep the connection between malware and C&C servers alive and well.
Ironically, SPF is an email validation mechanism: a domain owner publishes in DNS which hosts are allowed to send mail for the domain, so that receiving servers can detect forged senders and, by extension, spam.
“SPF consists of a domain name server (DNS) request and response. If a sender’s DNS server is set up to use SPF, the DNS response contains the SPF in a text (TXT) record,” explains Katsuki.
“The point for the malware author is that domains or IP addresses in SPF can be obtained from a DNS request and this DNS request doesn’t need to be requested from a computer directly. Usually the local DNS server is used as a DNS cache server. The DNS cache server can send a request instead of the computer.”
By resolving a generated domain under the .com or .net TLD whose authoritative DNS server the attackers control, the Trojan, dubbed Spachanel, gets back a response whose SPF (TXT) record contains the malicious domains or IP addresses it should contact.
The researcher believes the technique was chosen because the attacker wants to hide the communication among legitimate DNS queries.
“If this malware connects to the attacker’s server by a higher port number using the original protocol, it may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). In some cases, specific domains are blocked by a local DNS server, but this malware generates a domain that is rarely filtered,” he explains.
“Furthermore, DNS requests are generally speaking not sent directly. Usually there is a DNS cache server in the network or in the ISP network, which makes it difficult for a firewall to filter it. Therefore, this is the attacker’s attempt to maintain a solid connection between the malware and the attacker’s server.”
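The property the technique relies on, and that the quotes above describe, is that an SPF record is nothing more than a list of mechanisms naming IP ranges and hostnames, and any client that can get a TXT answer (through the local DNS cache server, not directly) can harvest them. The following parser is an added example, not Symantec's analysis code or the Trojan's own; the TXT answers, the names and the addresses in it are constructed (documentation ranges), and `FAKE_TXT_ANSWERS` stands in for a real resolver.

```python
"""Pull hostnames and IP ranges out of an SPF TXT record.

Added example, not Symantec's analysis code or the Trojan's own code. It
shows why an SPF record works as a rendezvous channel: the record is just a
list of mechanisms that name addresses and hostnames, and a client that can
obtain a TXT answer can extract them. The TXT data below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed TXT answers keyed by queried name, standing in for what a
# resolver would return. Each value is the list of character-strings in the
# TXT RDATA, which RFC 7208 says are concatenated with no separator.
FAKE_TXT_ANSWERS: Dict[str, List[str]] = {
    "example.com": [
        "v=spf1 mx a:mail.example.com include:_spf.example.net "
        "ip4:192.0.2.0/24 -all",
    ],
    # Generated-looking name in the style the article describes: the
    # "policy" is really a list of endpoints for the client to contact.
    "zq7kd3f9.net": [
        "v=spf1 ip4:198.51.100.7 ip4:203.0.113.0/28 a:cdn-update.example.org ",
        "ip6:2001:db8::1 ~all",
    ],
    "notspf.example.com": ["google-site-verification=abc123"],
}

# Optional qualifier, mechanism name, optional ":arg", optional CIDR suffix.
MECHANISM = re.compile(
    r"^[+\-~?]?(all|include|a|mx|ptr|ip4|ip6|exists)(?::([^/]+))?((?:/\d+)?(?://\d+)?)$",
    re.IGNORECASE,
)


@dataclass
class SpfEndpoints:
    ip_networks: List[str] = field(default_factory=list)
    hostnames: List[str] = field(default_factory=list)
    includes: List[str] = field(default_factory=list)
    redirect: Optional[str] = None


def spf_record(txt_strings: List[str]) -> Optional[str]:
    """Join the TXT strings and return the record if it is SPF, else None."""
    record = "".join(txt_strings)
    version = record.split(" ", 1)[0]
    return record if version.lower() == "v=spf1" else None


def extract_endpoints(record: str, domain: str) -> SpfEndpoints:
    """Walk the mechanisms of an SPF record and collect what they name."""
    found = SpfEndpoints()
    for term in record.split()[1:]:
        key, is_modifier, value = term.partition("=")
        if is_modifier and ":" not in key:  # modifiers such as redirect=, exp=
            if key.lower() == "redirect":
                found.redirect = value
            continue
        match = MECHANISM.match(term)
        if match is None:
            raise ValueError(f"unparseable SPF term: {term!r}")
        name, arg, cidr = match.group(1).lower(), match.group(2), match.group(3)
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg + cidr, strict=False)
            found.ip_networks.append(str(net))
        elif name == "include":
            found.includes.append(arg)
        elif name in ("a", "mx", "ptr", "exists"):
            # A bare "a" or "mx" refers to the queried domain itself.
            found.hostnames.append(arg if arg else domain)
    return found


def harvest(domain: str,
            answers: Dict[str, List[str]] = FAKE_TXT_ANSWERS) -> Optional[SpfEndpoints]:
    """What a client learns from one TXT query for `domain`, or None if the
    answer is not an SPF record."""
    record = spf_record(answers.get(domain, []))
    return None if record is None else extract_endpoints(record, domain)


if __name__ == "__main__":
    for name in FAKE_TXT_ANSWERS:
        print(name, "->", harvest(name))
```

The multi-string record for the generated name is deliberate: TXT RDATA is carried as 255-byte character-strings that must be joined before parsing, and a harvester (or a detector) that reads only the first string misses the tail of the record. The same parser can be turned around by a defender: run it over TXT answers logged at the recursive resolver and review SPF records returned for names the organisation never sends or receives mail for, which is the kind of query this Trojan's traffic would look like.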