Hello, welcome to the Tuesday, August 3, 2021 edition of the Santernat Storm Center's Stormcast. My name is Johannes Ulrich and I'm recording from Stockholm, Germany.

Let's first catch up with some of the diaries from this weekend. Now, Ghee took a look at unsolicited DNS queries. Most of them appear to be related

to still amplified DNS reflection attack.census.gov still ranks up there quite well. Of course,

version.bind, just some basic reconnaissance. Interesting how common actually this still is,

even though I don't think there is any sort of recent exploit against a bind

that then could be used as a follow-on.

Now, there were also a couple of researchers that are looking for open resolvers,

like, for example, Shadow

servers DNS scan. In my opinion, there are two lessons to take away from here. First of all,

make sure version.bind is disabled. If you are running Bind, it's pretty straightforward to do

that, and part of most of the secure

configuration templates for bind. And secondly, yes, people are still able to spoof DNS queries.

So good egress, incres filtering, but if you're listening to this, you're probably not part

of the problem.

And then DDA wrote a quick note about changing bad files on the fly, and what this is really about is some unexpected behavior of these bad files. If you think about it, then that's

how I thought it worked before I read D DA's diary was that if you run a

bad file, it reads the file and then executes it. But apparently that's not really how it works.

Bad files are read one part at a time and you're able to still alter future parts of the file on disk while the file is being

executed. A couple caveats here, you have to make sure that you don't affect anything that

already executed, first of all, and then you must not change the file size. So as long as you stick within those

boundary conditions, you should be able to change a bad file as it's being executed, which

of course could lead to interesting obfuscation techniques. And in hindsight, it makes

...