Comments

It looks like another DNS compromise hack happening — 9 Comments

  1. Pingback:Cybersec News–June 2019 – My (Yet Another) Cybersecurity Blog

  2. “I didn’t know that DNS txt allows window.location.replace, unless it is a specific google DNS look up /resolve function or the scumbags behind this have found a way to set Their DNS servers to have the window.location.replace function as part of a typical DNS lookup”

    Nothing Google-specific. You can see it on my own DNS service https://dns.bortzmeyer.org/fetch.faonwvzso.ourmazdcompany.net/TXT The DNS TXT records can hold any character string. For the DNS, this JavaScript code is just text. The attackers probably hope it will be handled by stupid DNS->Web gateways that will blindly inject the text in the page.

  3. I think the point of the DNS TXT records is that the URL is then out-of-band for any HTTP content filtering — e.g. if there’s an anti-malware proxy or local antivirus that would normally catch and filter that *.icu URL, it might miss this because this way, that URL only ever crosses the network on port 53 UDP.

  4. This looks basically like a sort of XSS. So, why would one put the data in a Javascript context where it would be so parsed? I can see an automaticized rendering of the content, in say, an innerText context, but that wouldn’t redirect (any more than this page does).

  5. As Stephane said, you can have any kind of data in a TXT RR.
    Your email program is running code, which downloads code from DNS and runs it.
    If you run mail user agents that run untrusted code, what do you expect? After 25 years of MIME security issues with LookOut, why is anyone surprised?
    The purpose of this is to avoid having a constant part that the spam filters can lock onto, as Felix said.

  6. Hi Everyone!

    Thank you for posting this. I represent the .icu registry and once we were alerted to this issue we investigated the domains involved, did some reverse IP lookups and have taken action on 49 registered domain names. These names are now in a ‘Server Hold’ status which essentially renders them unusable. If the registrants want to have this status removed they have to remove all abusive content and notify us.

    While we do monitor our zone and the internet for articles like this one I also wanted to let you know that you can report any abusive .icu domains to abuse[@]nic.icu. You can also read more about how we handle domains that may be violating our terms and conditions here: (https://nic.icu/how-.icu-handles-abusive-domain-names/).

    Happy to answer any questions as well.

    Thanks,
    Kevin Kopas
    COO
    ShortDot SA – .icu Registry

  7. Pingback:Issue #46 – Volume XXI – SANS Newsbites – June 11th, 2019 | GeekCQ News

Leave a Reply

Your email address will not be published. Required fields are marked *