Now They’re Hiding Malware in Hexadecimal Chunks Inside DNS Records

As If DNS Wasn’t Already Enough Of A Headache

Security researchers have found yet another way to brighten your day; you can blame Ian Campbell of DomainTools for this new ray of sunshine.  He has found hackers using DNS to infect machines in a new way, beyond the currently known DNS exploit of hiding PowerShell scripts in the TXT records on a site.  In this case malicious actors translate their code into hex, and then stash it in various TXT records of subdomains associated with a single domain.  With a bit of tweaking to the site to ensure your machine queries enough of those DNS records to get all the hex code, your computer could be infected without you ever doing anything other than visiting that site.

Antivirus and other protective software do not monitor DNS requests, and even something like a Pi-hole or DNSFilter might not protect you from this sort of attack.  Thankfully the complexity of the malware that can be spread this way is limited, you can only fit so much hex code in a TXT record before it would become obviously modified and as anyone who has to slap DNS around knows, there’s no guarantee that a machine won’t just ignore some DNS records.  It is still rather worrisome to see yet another attack surface appear and need to be defended against.

One of the uses that this attack has been used for suggests it might actually be something websites might adopt on purpose.  There was a site found with this hex code in it’s DNS and the code was specifically designed to feed AI bots prompt injections, with some amusing instructions.  This could, at least briefly, stop websites from being treated as free training data by the LLM bots plaguing the web.