Malware without files

Dr Irving Hofman

A new and unique class of malware has been developed which doesn't use files, which means it bypasses all antivirus software. The first of its kind has been dubbed DNSMessenger because it uses the DNS protocol to infect a PC.

DNSMessenger relies on the standard DNS protocol, using it in a way it was never intended to be used. It starts as a Microsoft Word document sent via email and ends in the installation of software that allows a PC to be compromised and remotely controlled. It does all this in memory without ever writing anything to a file. As no files are involved, there's nothing for antivirus software to check.

It's a bit more technical than what I've described. If you want all the nitty gritty technical details, go here: http://blog.talosintelligence....

This type of malware illustrates the importance of protecting systems at several different levels, including the DNS level. I have referred to systems such as Cisco's OpenDNS Umbrella in previous blogs, which, as it turns out, prevents infection by DNSMessenger.

It appears that 2017 is going to be a year in which antivirus software alone isn't going to offer enough protection and will need to be combined with other systems to provide adequate protection. DNSMessenger marks the beginning of a new class of malware that cannot be ignored.

*** UPDATE 20 March 2017. DNS has been leveraged once again as a means for sending data to a Command & Control server. Details here: https://www.carbonblack.com/20...
DNS is an easy target because the protocol is whitelisted in almost all enterprise networks and rarely kept under surveillance. DNS protection is no longer an option, it's become a mandatory requirement for any organisation.
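The point that DNS is "rarely kept under surveillance" is the defender's opening: the data-carrying lookups leave a trace in resolver logs. DNSMessenger's command channel ran over DNS TXT record lookups (detailed in the Talos analysis linked above), so a simple detector can score each base domain on how many TXT queries it attracts and how many long, high-entropy leftmost labels it is queried with. The following is an added example, not code from the original post or from any vendor; the log line format, the sample log lines and the thresholds are constructed assumptions to tune against your own DNS baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines, "<time> <client> <qtype> <qname>"; not real traffic.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 TXT 9a1f3c7e4b2d8f0a6c5e1b3d7f9a2c4e.cmd.attacker-example.test
10:00:03 10.0.0.5 TXT 4e7c2a9f1b6d3e8a0c5f7b2d9e1a4c6f.cmd.attacker-example.test
10:00:04 10.0.0.7 A mail.example.com
10:00:05 10.0.0.5 TXT 1b3d5f7a9c2e4a6c8e0b2d4f6a8c1e3b.cmd.attacker-example.test
10:00:06 10.0.0.5 TXT 7f9a2c4e6b8d0f1a3c5e7b9d2f4a6c8e.cmd.attacker-example.test
10:00:07 10.0.0.9 TXT _dmarc.example.com
"""

def shannon_entropy(s):
    """Bits per character: encoded/random labels score high, ordinary hostnames low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse(log):
    """Yield (time, client, qtype, qname) per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qtype, qname = parts
            yield ts, client, qtype.upper(), qname.rstrip(".").lower()

def base_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list here).
    return ".".join(qname.split(".")[-2:])

def find_suspicious_domains(log, min_label_len=24, min_entropy=3.5, min_hits=3):
    """Map base domain -> counters for domains whose TXT lookups look like an encoded channel.
    Flag only when at least min_hits queries are TXT and at least min_hits leftmost labels are
    both long and high-entropy; a single odd lookup is never enough on its own."""
    per_domain = defaultdict(lambda: {"txt": 0, "hi": 0, "names": set()})
    for _, _, qtype, qname in parse(log):
        stats = per_domain[base_domain(qname)]
        stats["names"].add(qname)
        if qtype == "TXT":
            stats["txt"] += 1
        first = qname.split(".")[0]           # leftmost label carries the payload, if any
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            stats["hi"] += 1
    return {base: {"txt_queries": s["txt"], "unique_names": len(s["names"]), "high_entropy_labels": s["hi"]}
            for base, s in per_domain.items() if s["txt"] >= min_hits and s["hi"] >= min_hits}
```

Legitimate TXT lookups such as the `_dmarc.example.com` line are not flagged because they are neither frequent nor random-looking; in a real deployment, feed the detector a window of resolver logs and review the flagged domains rather than blocking automatically.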
