A new malware strain named Mozart uses the DNS protocol to communicate with remote attackers, which helps it evade detection by security software and intrusion detection systems.
DNS is a name resolution protocol used to convert website names to their IP addresses, so that people can use website names rather than remembering IP addresses.
The Mozart attackers use DNS records to store commands, which are retrieved by the malware and then executed on the infected computer.
The risks associated with such malware could be mitigated using the following methods:
– Network intrusion detection and prevention systems that use network signatures and identify potentially malicious behaviour patterns.
– Analysing network data for uncommon data flows, such as a client sending significantly more data, or different types of data, than usual.
– Analysing communication contents/context to detect communications that do not follow the expected protocol behaviour for the port that is being used.
– Filtering network traffic, enforcing proxies and using dedicated servers for services such as DNS, and allowing only those systems to communicate over the respective ports/protocols, instead of all systems within a network.
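
The sketch below is an added example, not part of the original article. It applies two of the checks above to DNS query logs: clients that talk to a DNS server other than the dedicated resolver, and clients whose mix of record types is unusual. The log format, the addresses, the record-type baseline and the thresholds are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log: "<time> <client_ip> <resolver_ip> <qtype> <qname>"
SAMPLE_LOG = """\
09:00:01 10.0.0.11 10.0.0.53 A www.example.com
09:00:05 10.0.0.12 10.0.0.53 A mail.example.org
09:00:07 10.0.0.12 10.0.0.53 TXT example.org
09:00:09 10.0.0.12 10.0.0.53 A intranet.example.net
09:01:00 10.0.0.13 203.0.113.7 TXT a.example.test
09:01:30 10.0.0.13 203.0.113.7 TXT b.example.test
09:02:00 10.0.0.13 203.0.113.7 TXT c.example.test
09:02:30 10.0.0.13 10.0.0.53 A www.example.com
"""

APPROVED_RESOLVERS = {"10.0.0.53"}   # assumption: the site's dedicated DNS server
COMMON_TYPES = {"A", "AAAA"}         # assumption: the usual workstation query mix
MAX_UNCOMMON_SHARE = 0.5             # assumption: tune against a real baseline
MIN_QUERIES = 3                      # ignore clients with too little data


def parse(log_text):
    """Yield (client, resolver, qtype) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            yield fields[1], fields[2], fields[3].upper()


def analyse(log_text):
    """Return {client: [findings]} for clients breaking either rule."""
    direct = defaultdict(set)        # client -> unapproved resolvers contacted
    types = defaultdict(Counter)     # client -> query-type counts
    for client, resolver, qtype in parse(log_text):
        types[client][qtype] += 1
        if resolver not in APPROVED_RESOLVERS:
            direct[client].add(resolver)
    findings = defaultdict(list)
    for client, resolvers in direct.items():
        findings[client].append("direct DNS to " + ", ".join(sorted(resolvers)))
    for client, counts in types.items():
        total = sum(counts.values())
        uncommon = sum(n for t, n in counts.items() if t not in COMMON_TYPES)
        if total >= MIN_QUERIES and uncommon / total > MAX_UNCOMMON_SHARE:
            findings[client].append(f"uncommon record types {uncommon}/{total}")
    return dict(findings)

if __name__ == "__main__":
    for client, notes in sorted(analyse(SAMPLE_LOG).items()):
        print(client, "->", "; ".join(notes))
```

A single uncommon query from an otherwise normal client (10.0.0.12 in the sample) stays below the threshold, which is why the share is measured per client rather than per query.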