A proof-of-concept (POC) backdoor was recently discovered using the DNS protocol, instead of the usual IRC channels, to exchange information between zombie systems and bot masters.
Detected by Trend Micro as BKDR_FONAMEBOT.A, it carries a predefined list of domain names in its body. It randomly chooses one domain name from the list and sends a query for it to a malicious DNS server; the random choice is meant to foil easy detection. The query is believed to go to the affected system's default DNS server, but if that server is unknown, it is sent to the malicious user's DNS server instead. Once the malicious DNS server receives the request, its reply to the query enables the backdoor to carry out commands that can eventually compromise the system.
This backdoor can further cloak its communication capabilities, and compromised DNS servers can be used to cover the tracks of remote malicious users. It may have just blazed a new trail for backdoors. Greater adoption of the same tactic would mean that users could be more vulnerable to phishing, and perhaps it's time DNS traffic is more closely looked into by anti-malware products.
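As an added illustration of what "looking more closely at DNS traffic" can mean in practice (example code written for this page, not Trend Micro's or the backdoor's own), the script below runs two heuristics over constructed DNS query log lines: queries sent to a resolver outside the organisation's approved set, and a single client repeatedly asking for several names that no other client ever queries, which is how a rotating list of attacker-controlled domains looks in aggregate. The log format, IP addresses and domain names are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (format invented for this example): one DNS query per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 resolver=10.0.0.53 qname=www.example.com
2024-05-01T10:00:02Z client=10.0.0.7 resolver=10.0.0.53 qname=www.example.com
2024-05-01T10:00:03Z client=10.0.0.9 resolver=10.0.0.53 qname=alpha-update.test
2024-05-01T10:00:09Z client=10.0.0.9 resolver=10.0.0.53 qname=beta-sync.test
2024-05-01T10:00:15Z client=10.0.0.9 resolver=10.0.0.53 qname=gamma-cdn.test
2024-05-01T10:00:21Z client=10.0.0.9 resolver=10.0.0.53 qname=alpha-update.test
2024-05-01T10:00:27Z client=10.0.0.9 resolver=198.51.100.23 qname=beta-sync.test
2024-05-01T10:00:30Z client=10.0.0.7 resolver=10.0.0.53 qname=mail.example.com
"""

LINE_RE = re.compile(r"client=(\S+) resolver=(\S+) qname=(\S+)")


def parse_dns_log(text):
    """Yield (client, resolver, qname) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def find_suspicious_clients(text, approved_resolvers, min_unique_domains=3):
    """Return {client: {"unapproved_resolvers": [...], "singleton_domains": [...]}}.

    A client is reported if it sent a query to a resolver outside approved_resolvers,
    or if it queried at least min_unique_domains names that no other client asked for.
    Both thresholds are assumptions to tune against real traffic.
    """
    names_by_client = defaultdict(set)      # client -> qnames it queried
    resolvers_by_client = defaultdict(set)  # client -> resolvers it used
    clients_by_name = defaultdict(set)      # qname  -> clients that queried it
    for client, resolver, qname in parse_dns_log(text):
        names_by_client[client].add(qname)
        resolvers_by_client[client].add(resolver)
        clients_by_name[qname].add(client)

    findings = {}
    for client, names in names_by_client.items():
        bad = sorted(r for r in resolvers_by_client[client] if r not in approved_resolvers)
        singles = sorted(n for n in names if clients_by_name[n] == {client})
        if bad or len(singles) >= min_unique_domains:
            findings[client] = {"unapproved_resolvers": bad, "singleton_domains": singles}
    return findings
```

Run against the sample, only 10.0.0.9 is reported: it talked to an unapproved resolver and cycled through three names nobody else resolved, while the one-off `mail.example.com` lookup from 10.0.0.7 stays below the threshold.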