June 30, 2007

New Trojan Turns To DNS For C&C

A proof-of-concept Trojan named Backdoor.Fonamebot uses the DNS protocol as a covert channel for its command and control, reports the Symantec Security Response Weblog.

You might ask yourself, "What is the big deal with this development?" Well, as it turns out, DNS is one of the most widely used protocols on the Internet today. Just about every time somebody accesses a Web page or sends an email, a DNS server is used somewhere in the process. For example, when you enter the address www.symantec.com into your Web browser, a number of actions take place before you see the Web page you requested. One of the first is the sending of a DNS query to the local DNS server to turn that human-friendly address into an IP address that is more suitable for computers to understand and process.

DNS queries can run recursively. If the local DNS server does not know the name you are looking for, it can forward the request to another DNS server, and so on until the appropriate answer is found. If all goes well, the DNS server will return an IP address to your computer, which will then use it to send the actual HTTP request on to the destination Web server. So at this point we've established that the DNS service is really important to the smooth running of the Internet, so important that if it were to be taken offline, it would virtually bring the Internet to a halt. But what happens if the DNS infrastructure that the Internet knows and trusts is tainted?

Let's say we had a piece of malware that could hide all its communications amongst the legitimate DNS traffic that is so pervasive on the Internet. Now we potentially have a pretty nasty situation, because we cannot simply block DNS traffic based on UDP/TCP port 53.

This once again points to the weakness of just blocking traffic based on ports, and why blocking IRC ports is a short-sighted and stupid security measure.
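Since port 53 cannot simply be blocked, the practical defence is to look at what the DNS traffic actually contains. The following script is an added example (not code from the post, from Symantec, or from the Fonamebot sample) that runs a few tunnelling heuristics over resolver query logs: per registered domain it counts unique subdomains, measures the Shannon entropy of the leftmost label, and tracks the share of TXT queries. The log format, the sample lines, the `c2-placeholder.test` domain and the thresholds are all constructed assumptions chosen for illustration; a real deployment would tune them against a baseline of the site's own traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qname> <qtype>" per line.
# The names and the c2-placeholder.test domain are made up for this example.
SAMPLE_LOG = """\
2007-06-30T16:00:01 10.0.0.5 www.example.com A
2007-06-30T16:00:02 10.0.0.5 mail.example.com MX
2007-06-30T16:00:03 10.0.0.7 www.symantec.com A
2007-06-30T16:00:04 10.0.0.5 3f9a1c7e4b2d8a6f0e1c.cmd.c2-placeholder.test TXT
2007-06-30T16:00:05 10.0.0.5 9b2e7d4a1f6c3e8b5a0d.cmd.c2-placeholder.test TXT
2007-06-30T16:00:06 10.0.0.5 c4d81e2f7a9b3c6d0e5f.cmd.c2-placeholder.test TXT
2007-06-30T16:00:07 10.0.0.5 0a7f3e9c2b5d8e1f4c6a.cmd.c2-placeholder.test TXT
2007-06-30T16:00:08 10.0.0.5 e1b6c9d2f4a7e0b3c8d5.cmd.c2-placeholder.test TXT
2007-06-30T16:00:09 10.0.0.7 www.example.com A
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payload labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumed heuristic: the last two labels identify the zone owner."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower(), "qtype": qtype.upper()})
    return records


def flag_suspicious_domains(records, entropy_threshold=3.5,
                            min_unique_subdomains=4, txt_share=0.5):
    """Return {domain: [reasons]} for domains whose query pattern looks like
    a covert channel. Thresholds are assumptions for this example."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [],
                                 "txt": 0, "total": 0})
    for r in records:
        dom = registered_domain(r["qname"])
        s = stats[dom]
        s["total"] += 1
        s["subdomains"].add(r["qname"])
        leftmost = r["qname"].split(".")[0]
        s["entropies"].append(shannon_entropy(leftmost))
        if r["qtype"] == "TXT":
            s["txt"] += 1

    flagged = {}
    for dom, s in stats.items():
        reasons = []
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        many_names = len(s["subdomains"]) >= min_unique_subdomains
        if many_names and mean_entropy > entropy_threshold:
            reasons.append(f"{len(s['subdomains'])} unique names with mean "
                           f"label entropy {mean_entropy:.2f} bits")
        if s["total"] >= min_unique_subdomains and s["txt"] / s["total"] >= txt_share:
            reasons.append(f"{s['txt']}/{s['total']} queries are TXT")
        if reasons:
            flagged[dom] = reasons
    return flagged


def analyze(text):
    return flag_suspicious_domains(parse_log(text))


if __name__ == "__main__":
    for dom, reasons in analyze(SAMPLE_LOG).items():
        print(dom, "->", "; ".join(reasons))
```

Entropy alone is a weak signal on its own (CDN and cloud hostnames are often random-looking), which is why the check pairs it with the count of distinct names under one zone and with the record type mix; both of those are cheap to compute from passive DNS logs and are the kind of per-domain aggregate a SIEM rule can carry.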

[DNS Botnet Phun]

Posted in Tech News by #!/usr/bin/geek at 2007-06-30 16:27 ET (GMT-5)
