You can’t easily stop this malware in its tracks.
If malware relies on a remote command-and-control server to function, it’s relatively easy to cripple it by blocking the internet addresses it uses. It’s not always that easy, however, and researchers at Cisco’s Talos group have found a textbook example of this in action. A recently discovered Windows PowerShell trojan, DNSMessenger, uses the Domain Name System (DNS) for communication — you know, one of the cornerstones of the internet. Few computer users are equipped to block DNS without breaking everything else, and they might not notice the unusual traffic even if they’re looking for it. While abusing DNS isn’t completely unheard of, DNSMessenger uses an “extremely uncommon” two-way approach: it both delivers commands to victim machines and sends the results back to the attacker over DNS.
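Defenders who want to spot the kind of two-way DNS traffic described above need something concrete to look for in resolver logs. The following is an added example, not code from the article or from Talos; it assumes the common tunnelling pattern in which commands arrive in TXT-record answers and results leave encoded in long, random-looking subdomain labels, and both the log lines and the `c2-placeholder.test` domain are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: timestamp, client, queried name, query type.
# Not real DNSMessenger traffic; the encoded-looking labels are made up.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.12 www.example.com A
2017-03-02T10:00:02 10.0.0.12 mail.example.com MX
2017-03-02T10:00:03 10.0.0.12 _sip._tcp.example.com SRV
2017-03-02T10:00:05 10.0.0.44 a9f3k2m8x1q7z5w0b4n6.c2-placeholder.test TXT
2017-03-02T10:00:06 10.0.0.44 7hd92kfq0x3mz8p1aw5v.c2-placeholder.test TXT
2017-03-02T10:00:07 10.0.0.44 zq81mx7a0ps3kdfj2h9w.c2-placeholder.test TXT
2017-03-02T10:00:08 10.0.0.44 p0o9i8u7y6t5r4e3w2q1.c2-placeholder.test TXT
2017-03-02T10:00:09 10.0.0.44 c2-placeholder.test TXT
2017-03-02T10:00:10 10.0.0.12 www.example.com A
"""

def label_entropy(label: str) -> float:
    # Shannon entropy in bits per character; encoded data scores high,
    # ordinary hostnames like "www" or "mail" score low.
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registered_domain(qname: str) -> str:
    # Crude "last two labels" approximation; production code should use a
    # public-suffix list so that e.g. example.co.uk groups correctly.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_dns_log(log_text: str, min_txt=3, min_subs=3, entropy_floor=3.5):
    # Group queries by registered domain and flag those showing both halves
    # of a tunnel: repeated TXT lookups (inbound commands) plus many distinct,
    # long, high-entropy leftmost labels (outbound results encoded in names).
    stats = defaultdict(lambda: {"txt": 0, "subs": set(), "high_entropy": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qname, qtype = parts
        dom, left = registered_domain(qname), qname.split(".")[0]
        s = stats[dom]
        s["txt"] += qtype == "TXT"
        if left and left != dom.split(".")[0]:
            s["subs"].add(left)
            if len(left) >= 16 and label_entropy(left) >= entropy_floor:
                s["high_entropy"] += 1
    return {dom: {"txt": s["txt"], "unique_subdomains": len(s["subs"]),
                  "high_entropy": s["high_entropy"]}
            for dom, s in stats.items()
            if s["txt"] >= min_txt and len(s["subs"]) >= min_subs
            and s["high_entropy"] >= min_subs}
```

Thresholds need baselining per network: CDNs, reputation-lookup services and antivirus updaters also generate many unique, high-entropy labels, so treat a hit as a lead to investigate rather than a verdict.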
It’s not certain what the malware writers were hoping to accomplish, although the code trash-talks Cisco’s own SourceFire security hardware. This was likely aimed at specific targets rather than a carpet-bombing campaign.
The good news? You probably won’t run into this. The malware is currently distributed in specially crafted Word documents, and Cisco recently launched a product (Umbrella) specifically designed to counter DNS-based attacks like this. Even so, this shows just how stealthy attacks can get — and since individuals don’t usually have access to corporate tools like Umbrella, you’ll still have to be extra careful about the Word files you receive online.