Experts Discovered A New Attack Called DNSMessenger Which Is Used For Virus Infections

Security researchers discovered a dangerous new attack called DNSMessenger which is used to infect target computers with viruses.

DNSMessenger Attack Can Lead To Dangerous Consequences

Contemporary infection techniques and sophisticated payloads are the reason why virus attacks continue to be successful. To a large degree the development of new methods is one of the most dangerous incidents which are being reported in the specialist cyber security community, as they can carry all virtually all types of malware – viruses, ransomware, Trojans, browser hijackers and etc.

The newly discovered method is called DNSMessenger and it relies on the use of DNS queries which carry criminal PowerShell commands on the compromised computers.

What is DNS? – DNS stands for Domain Name System, a naming service which associates the unique IP addresses to human-readable domains.

What is PowerShell? – PowerShell is a powerful scripting language and a command-line shell interface which is part of the modern Microsoft Windows operating systems.

The initial infection vector begins with a modified Microsoft Word document which features an “Enable Content” prompt. This a well-known scam in which hackers distribute the files mostly via email spam campaigns. They make the targets interact with the document, usually via false notifications and messages. When the user enables the prompt the bundled dangerous macros launches a Visual Basic commands which executes a PowerShell command. This initiates the first-stage attack. The following steps are then initiated by the virus:

  1. The initial code is encoded using the Base64 function and compressed using gzip. This allows the commands to be executed without any write passes to the infected machines. This makes discovery very difficult by most anti-virus and anti-malware solutions.

  2. The PowerShell code continues and depending on the customization it may set up persistence by modifying several registry entries. Its interesting to note that the current technique changes different entries according to the privileges level of the user.

  3. The malware creates a persistent environment and delivers the included malware payload to the system through several stages of PowerShell commands.

  4. Network communication is engaged with the remote C&C servers.

The characteristic which sets this technique apart from other methods is that it relies on a fileless approach. The technique relies on multiple extensive PowerShell stages which are devised in such a way to avoid any security software detection algorithms as possible. Its interesting to note that the malware uses DNS TXT messages to download remote PowerShell commands which lead to the actual infection. During the different layers the primary downloader sends out DNS queries to one of the domains hardcoded in the script. As a consequence the virus can be delivered to the target system in a convenient manner after the security checks have been bypassed. Its interesting to note the ability to deliver various system modifications according to the obtained access privileges. Additional damage is caused by the following:

  • Execution of Remote PowerShell commands– Such commands can be carefully selected by the attackers based on predefined infection case scenarios.

  • Windows Settings and Environment Modification – The code can modify key registry values and other important Windows settings. They can render the computer vulnerable to other types of attacks or even unusable. Further damage can be caused which can even permanently affect hardware and software components. The typical persistence introduction is also supplemented by infecting various processes and creating various scheduled tasks.

  • Malware Infection – Further viruses can be delivered to the infected systems which may include banking Trojans, ransomware and etc.

The DNSMessenger attack proves that the computer criminals are not going to stop developing ingenious methods which feature advanced stealth protection. The remote C&C servers choose to send the malicious commands only to their intended victims which makes in-depth analysis much more difficult. According to the researchers the technique proves the notion that network protocol inspection is important in preventing dangerous attacks such as this one. To this date DNS was not considered a popular protocol for carrying out malicious activities. The analyzed attack campaign was targeted against certain predefined targets and the experts suspect that it may be employed once again in the near future.

We recommend that our readers use a quality anti-malware solution to protect themselves of any possible attacks.

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts