Nitol Malware — Leveraging Dynamic DNS for Nefarious Gains
A malicious botnet called ‘Nitol’ was interrupted by Microsoft on Sept. 13. ‘Nitol’ was using a Dynamic DNS to enable the infected bot computers to communicate with the hacker’s command and control server.
For background, it is possible to serve a website from a home computer, but the difficulty is that your home Internet service provider provides a constantly changing address, also known as an Internet Protocol (IP) address. To overcome this problem, there are many services to map a static domain name (e.g., yoursite.com) to your constantly changing IP address. This kind of service is known as Dynamic DNS.
There are also malicious uses for Dynamic DNS. If your computer is infected with malware, a hacker will need a way to send instructions to that malware in order to carry out an attack, in most cases. The hacker needs an IP address in order for the malware to communicate back to the hacker’s ‘command and control’ server.
Instead of directly addressing the hacker’s IP address in malware, the malware is only aware of a domain name, which can be resolved into an IP address. The hacker wants to make it difficult to be traced or blocked, so it would be very handy for a hacker if they could quickly change their IP address associated with the domain that the malware is talking to.
In other words, as shown by Nitol, a hacker can quickly change their address, making it very difficult to find a pattern and block the communication.
This botnet, and many others, were using a specific Dynamic DNS to redirect messages to their command and control servers. The victims of the ‘Nitol’ botnet were targeted through computers sold pre-bundled with malware, and Microsoft’s work was to disrupt the supply chain causing the spread of the malware. This differs from the more common malware distribution methods through social engineering (e.g., email) and by browser-drive-by attacks (Java), but what they almost all have in common is the need to communicate to a command and control server.