DNS-embedded malware technique used to create a hacker-inspired version of the popular Mad Libs word game, built on networking infrastructure to provide a distributed version
Why use DNS to host malware when you can use it to host Wu-Tang-themed mad-libs instead?

The fun thing about curses is that they propagate. In this case, hackers using the Domain Name System (DNS) to distribute malware inspired Michael "B'ad Samurai" Bunner to create DNS Mad Libs, which uses the same technique as the recently discovered DNS malware distribution hack to provide a distributed version of the popular word game.
"This project is inspired by previous research on the use of DNS TXT records to store and retrieve data, which can be used for various purposes including malware distribution and command & control," Bunner said in the project's README. "This is typically done by embedding malicious payloads in DNS records, which can then be resolved by compromised systems. In this case we utilize public API endpoints over HTTPS to retrieve the data from a trusted service, obscuring the true source of the data."
My report on the DNS-enabled malware includes a more [adjective] description of the system; the gist is that it turns domain names ("tomshardware.com") into IP addresses (199.232.194.114) to make browsing the web more convenient. But that explanation ignored an important aspect of DNS: the ability to set a time-to-live (TTL) for its records.
A domain name is rarely associated with a particular IP address forever—sometimes it's changed because of a website operator's decision, such as switching to a different host, and sometimes it's simply associated with a dynamic IP address that changes on the whims of an upstream internet service provider. DNS needs to be able to handle either of those cases.
That's where TTL comes in. The setting effectively tells DNS providers how often to check to make sure a record hasn't been updated. A record that's expected to change on a semi-regular basis will be given a short TTL; a record that's expected to change less frequently will be given a long TTL. (And when those expectations aren't met, well, that's when things break.)
DNS Mad Libs, like the embedded malware example before it, uses the ability to set a long TTL for DNS records to store more information than the system's designers would have expected. That way, it doesn't require a dedicated server to set up a new mad-lib—it just needs a series of DNS records for a domain set up in the way expected by the game's interface.
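For defenders, the same property means TXT answers are worth a second look. The sketch below is an added example, not code from Bunner's project or from the earlier report. It parses a constructed answer in the JSON shape that public DNS-over-HTTPS resolvers return and sorts TXT records into routine use, free text and encoded-looking data. The domain names, record contents, prefix list, length threshold and function names are all assumptions made for illustration.

```python
import json
import re

# Constructed sample in the JSON shape returned by public DNS-over-HTTPS
# resolvers (type 16 = TXT). Every name and value here is invented.
SAMPLE_RESPONSE = json.dumps({
    "Status": 0,
    "Answer": [
        {"name": "example.test.", "type": 16, "TTL": 300,
         "data": "\"v=spf1 include:_spf.example.test ~all\""},
        {"name": "0.story.example.test.", "type": 16, "TTL": 86400,
         "data": "\"The [adjective] hacker stored a [noun] in DNS.\""},
        {"name": "1.blob.example.test.", "type": 16, "TTL": 86400,
         "data": "\"" + "0123456789abcdef" * 8 + "\""},
    ],
})

# Assumed allow-list of ordinary TXT uses; extend it for your environment.
KNOWN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=")
# Assumed heuristic: 64+ characters of pure hex or base64 looks like stored data.
ENCODED_RE = re.compile(r"^(?:[0-9a-fA-F]{64,}|[A-Za-z0-9+/]{64,}={0,2})$")


def join_txt_strings(data):
    """TXT data can arrive as several quoted strings; join them into one."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', data)
    return "".join(parts) if parts else data


def classify_txt(value):
    """Label a TXT value as routine, encoded-blob or free-text."""
    if value.startswith(KNOWN_PREFIXES):
        return "routine"
    if ENCODED_RE.match(value):
        return "encoded-blob"
    return "free-text"


def review_txt_answers(raw_json):
    """Return (name, ttl, label) for every TXT record in a DoH JSON answer."""
    findings = []
    for rr in json.loads(raw_json).get("Answer", []):
        if rr.get("type") != 16:  # skip anything that is not TXT
            continue
        value = join_txt_strings(rr["data"])
        findings.append((rr["name"], rr["TTL"], classify_txt(value)))
    return findings


if __name__ == "__main__":
    for name, ttl, label in review_txt_answers(SAMPLE_RESPONSE):
        print(f"{label:13} ttl={ttl:<6} {name}")
```

Records labelled free-text or encoded-blob are not malicious by themselves, as the mad-lib shows; they are the ones worth reviewing by hand.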
It just goes to show you: any sufficiently [adjective] technology really is [adjective] from [noun], especially when the [noun] is involved.

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.