It seems even DNS records can be infected with malware now - here's why that's a major worry


  • Researchers found evidence of Joke Screenmate malware hiding on DNS servers
  • Joke Screenmate is a harmless, prank malware
  • There are ways to defend against it

Hackers have found a way to hide malware in the Domain Name System (DNS), quietly evading detection. This is according to security researchers from Domain Tools who, in a recent blog post, detailed how they discovered the Joke Screenmate malware hiding in DNS records.

DNS is essentially the internet’s address book, turning readable domain names (such as techradar.com) into IP addresses that computers use to locate services. DNS records come in various types, including TXT records, which are usually used to store descriptive text.

However, as Domain Tools explained, cybercriminals found a way to slice malware into small encoded fragments and place them in DNS TXT records under different subdomains. It is essentially a digital jigsaw puzzle scattered across different addresses. On its own, each piece is harmless, but once reassembled, the pieces form a malicious file.


Joke Screenmate

By using scripting tools, threat actors query the DNS records and reconstruct the malware without triggering the usual security alarms, and since DNS traffic is typically trusted, it doesn’t raise any suspicions.

In their writeup, Domain Tools researchers described finding Joke Screenmate, a program that triggers fake system errors and causes erratic cursor behaviors. But perhaps more alarmingly, they found a PowerShell stager, a script that can download and execute more destructive malware.

While the technique is insidious, there are ways to defend against it. Cybersecurity teams should implement DNS traffic monitoring, looking for unusual patterns such as repeated TXT queries. They can also use tools that inspect DNS records beyond simple resolution, and should maintain threat intelligence feeds that include malicious domains and subdomains.
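As an added example (not from the article or the Domain Tools research), the Python sketch below applies the monitoring advice above to constructed resolver log lines: it flags a client that fetches many distinct TXT subdomains of one parent domain whose answers look like hex-encoded fragments. The log format, domain names, client addresses and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of resolver log lines (not real traffic), one query per line:
# "<epoch> <client_ip> <qtype> <qname> <answer>"
SAMPLE_LOG = """\
1720000001 10.0.0.5 A www.example.com 93.184.216.34
1720000002 10.0.0.5 TXT 0.frag.badexample.test 7a3c19e4b0d25f61
1720000002 10.0.0.5 TXT 1.frag.badexample.test 0c8e55a2f1b74d93
1720000003 10.0.0.5 TXT 2.frag.badexample.test e61f2b9c04a7d385
1720000003 10.0.0.5 TXT 3.frag.badexample.test 4b90cd17e2f6a058
1720000004 10.0.0.5 TXT 4.frag.badexample.test 9d2e70b5c1f3a846
1720000005 10.0.0.5 TXT 5.frag.badexample.test 3f8a1c6e5b09d274
1720000006 10.0.0.9 TXT example.com v=spf1 include:_spf.example.com ~all
1720000007 10.0.0.9 TXT _dmarc.example.com v=DMARC1; p=reject
"""

# A TXT answer made only of hex, at least 16 characters long, looks like an
# encoded fragment rather than the usual SPF/DMARC/verification text.
HEX_FRAGMENT = re.compile(r"^[0-9a-fA-F]{16,}$")


def parent_domain(qname, levels=2):
    """Collapse a query name to its last `levels` labels (a rough registrable domain)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def detect_txt_fragment_staging(log_text, min_subdomains=5):
    """Return {(client, parent_domain): distinct_subdomains} for every client that
    pulled at least `min_subdomains` different TXT names under one parent whose
    answers look like encoded fragments: the jigsaw pattern the article describes."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[2] != "TXT":
            continue  # ignore malformed lines and non-TXT queries
        client, qname, answer = parts[1], parts[3], parts[4]
        if HEX_FRAGMENT.match(answer):
            seen[(client, parent_domain(qname))].add(qname)
    return {key: len(names) for key, names in seen.items() if len(names) >= min_subdomains}


if __name__ == "__main__":
    for (client, parent), count in detect_txt_fragment_staging(SAMPLE_LOG).items():
        print(f"ALERT {client} fetched {count} hex-like TXT fragments under {parent}")
```

Ordinary TXT lookups such as SPF and DMARC records pass through unflagged; only the burst of hex-only answers across numbered subdomains of a single parent is reported.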

So far, there have apparently been very few examples of in-the-wild abuse, but since the technique seems rather simple to pull off, it would not be surprising to see it become more popular in the coming months.

Via Tom's Hardware

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
