Nitol Malware — Leveraging Dynamic DNS for Nefarious Gains

September 19, 2012 by Jason Soroko

A malicious botnet called ‘Nitol’ was interrupted by Microsoft on Sept. 13. ‘Nitol’ was using a Dynamic DNS service to let the infected bot computers communicate with the hacker’s command and control server.

For background, it is possible to serve a website from a home computer, but the difficulty is that your home Internet service provider typically assigns you a constantly changing Internet Protocol (IP) address. To overcome this problem, there are many services that map a static domain name (e.g., yoursite.com) to your constantly changing IP address. This kind of service is known as Dynamic DNS.

There are also malicious uses for Dynamic DNS. If your computer is infected with malware, in most cases the hacker will need a way to send instructions to that malware in order to carry out an attack. The hacker needs an IP address so that the malware can communicate back to the hacker’s ‘command and control’ server.

Instead of embedding the hacker’s IP address directly in the malware, the malware is only aware of a domain name, which it resolves into an IP address at run time. The hacker wants to make it difficult to be traced or blocked, so it is very handy for them to be able to quickly change the IP address associated with the domain the malware is talking to.

In other words, as shown by Nitol, a hacker can quickly change their address, making it very difficult to find a pattern and block the communication.
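Because the command and control address keeps moving, defenders look for the pattern rather than a fixed IP: a name that resolves to many different addresses in a short time, each answer carrying a short TTL. The following is an added example (not code from the original post or from Microsoft’s Nitol takedown) that scans constructed passive-DNS style log records for that churn; the record format, the domain names and the addresses are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample passive-DNS records (not real Nitol indicators):
# timestamp, resolver client, queried name, record type, answer, TTL.
SAMPLE_LOG = """\
2012-09-13T10:00:01Z 10.0.0.5 www.example.com A 93.184.216.34 TTL=3600
2012-09-13T10:05:11Z 10.0.0.7 update.dyn-example.net A 198.51.100.12 TTL=60
2012-09-13T10:12:40Z 10.0.0.7 update.dyn-example.net A 198.51.100.77 TTL=60
2012-09-13T10:31:02Z 10.0.0.7 update.dyn-example.net A 203.0.113.9 TTL=60
2012-09-13T10:44:55Z 10.0.0.9 update.dyn-example.net A 203.0.113.200 TTL=60
2012-09-13T11:02:17Z 10.0.0.5 www.example.com A 93.184.216.34 TTL=3600
"""

def parse_records(text):
    """Parse one space-separated record per line into dicts (assumed log format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rtype, rdata, ttl = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "qname": qname.lower().rstrip("."),
            "rtype": rtype, "rdata": rdata, "ttl": int(ttl.split("=", 1)[1]),
        })
    return records

def flag_churning_names(records, window=timedelta(hours=1), min_ips=3, max_ttl=300):
    """Return names that resolved to at least min_ips distinct A records inside
    one sliding window, all with short TTLs: the 'fast-changing address' pattern."""
    by_name = defaultdict(list)
    for r in records:
        if r["rtype"] == "A":
            by_name[r["qname"]].append(r)
    flagged = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            ips = {r["rdata"] for r in in_window}
            if len(ips) >= min_ips and max(r["ttl"] for r in in_window) <= max_ttl:
                flagged[name] = {"distinct_ips": sorted(ips),
                                 "clients": sorted({r["client"] for r in in_window})}
                break  # one hit per name is enough to raise it for review
    return flagged
```

A hit gives the analyst the name, the set of addresses it cycled through and the internal clients that asked for it, which is the starting point for a block at the resolver rather than a futile per-IP block.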

This botnet, like many others, was using a specific Dynamic DNS service to redirect messages to its command and control servers. The victims of the ‘Nitol’ botnet were targeted through computers sold pre-bundled with malware, and Microsoft’s work was to disrupt the supply chain that was spreading the malware. This differs from the more common malware distribution methods of social engineering (e.g., email) and browser drive-by attacks (Java), but what almost all of them have in common is the need to communicate with a command and control server.

Jason Soroko

About

Jason Soroko is Head of Malware Research for Entrust. Soroko has spent more than 10 years with Entrust in various developer or architect roles. As malware becomes more advanced, the need for Entrust to understand evolving threats requires considerable investment. Soroko frequents security conferences and tradeshows to educate the industry on identity-based security and ensures Entrust stays at the forefront of understanding the offensive capabilities possessed by today’s malicious actors. Prior to joining Entrust, Jason worked in Geographic Information Systems (GIS) for the oil and gas industry.