Hello, welcome to the Thursday, May 26, 2016 edition of the Santernet Storm Center Stormcast.

My name is Johannes Ulrich, and the day I'm recording from Seattle, Washington.

Palo Alto is reporting about new targeted malware that uses DNS as a command and control channel just fitting since today in class

we talked about DNS and the use of DNS as a covert channel and how to detect it now in

this particular case the domain that is being used for these DNS requests is logitech

usa.com likely in order to fit in with the popular network

equipment maker.

So people will think less of these suspect queries.

The host name itself, the first label here, is base 32 encoded data that's then being sent

to the command control center.

Server in response, there are text records that are being used in order to retrieve new commands.

An nominee detection should pick that out in particular the heavy use of text records,

but then again, text records are sometimes used, for example, by anti-malware products

in order to look up malware hashes. So knowing what's normal on the network is critical here

in order to identify these text records

as unusual. And web annotation service genius has come under some criticism for removing security

headers, in particular the content security policy header from websites that users are viewing

through this service.

Now the way the service works is it's really a proxy.

What you do is you add genius.it in front of whatever URL you're trying to annotate.

This will trigger the genius proxy to retrieve the document for you and then add whatever

annotation they would like to add.

...