My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Odd DNS TXT Record. Anybody Seen This Before?

Published: 2015-10-21. Last Updated: 2015-10-21 13:46:26 UTC
by Johannes Ullrich (Version: 1)
18 comment(s)

A reader sent us an "odd looking" DNS TXT record. The record was recovered from an old, decommissioned, DNS server. Has anybody seen this before? The zone also include the Google Apps authentication records, so it is possible that this is a similar scheme. According to the reader, the change times on the file are from 2010, but it is not certain that these times are correct. The file was maintained manually, so it is unlikely that a bad ip management script corrupted it.

We have seen DNS TXT records used as a covert channel in the past, so it is is possible this attempts to try something like this, or that these records were used for reflective DNS attacks. At this point, I really have no idea and was wondering if someone else has seen this.

 

bradmbig        TXT "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@Cc::.:::cc:C@@@@@@@@" "@@@@@@@Oc::....:...:::co@@@@@@" "@@@@@@c:::........:::::cc@@@@@" "@@@@@o:::::::c::::c:....:@@@@@" "@@@@O::::oooCoOOoCCOCc...O@@@@" "@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@" "@@@@@c::CCccoooOoooccoo..O@@@@" "@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@" "@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@" "@@@@@OCooCCCCCoooCCCCoooO@@@@@" "@@@OOO@OoooCccoocccCCooO@@@@@@" "@@@@OOOOCcooCCCCCCooco@@@@@@@@" "@@@@OOOOCocccoooCooccO@@@@@@@@" "@@@OOOOOCooocc:c::cooC@@@@@@@@" "@@O@OC..cCCoooCoCooooo.C@@@@@@" "@@O@c..:ooCCCCoocoCooo:.o@O@@@" "c..:....oCCCOCCCOCCoCo...:..cO" ".....:...oCCCCCCOOCOo....:...."
bradbig        TXT "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@Cc::.:::cc:C@@@@@@@@" "@@@@@@@Oc::....:...:::co@@@@@@" "@@@@@@c:::........:::::cc@@@@@" "@@@@@o:::::::c::::c:....:@@@@@" "@@@@O::::oooCoOOoCCOCc...O@@@@" "@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@" "@@@@@c::CCccoooOoooccoo..O@@@@" "@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@" "@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@" "@@@@@OCooCCCCCoooCCCCoooO@@@@@" "@@@OOO@OoooCccoocccCCooO@@@@@@" "@@@@OOOOCcooCCCCCCooco@@@@@@@@" "@@@@OOOOCocccoooCooccO@@@@@@@@" "@@@OOOOOCooocc:c::cooC@@@@@@@@" "@@O@OC..cCCoooCoCooooo.C@@@@@@" "@@O@c..:ooCCCCoocoCooo:.o@O@@@" "c..:....oCCCOCCCOCCoCo...:..cO" ".....:...oCCCCCCOOCOo....:...."
bradmsmall      TXT "@@@@@@@@@@@@@@@@@" "@@@@@8c:::cc8@@@@" "@@@O::....:::c@@@" "@@@::c:cc:c:..O@@" "@@8:cCCCOOCCC.8@@" "@@8ooCCCCoCCoo8@@" "@@8CoCCoooCCoo@@@" "@@88CoCoooooo@@@@" "@@88Oocooocc8@@@@" "@88c:CCooooo:O@@@" "Oc..cCCCCCCCc.:O8" ".....cCCCOCc....."
bradm      TXT "@@@@@@@@@@@@@@@@@" "@@@@@8c:::cc8@@@@" "@@@O::....:::c@@@" "@@@::c:cc:c:..O@@" "@@8:cCCCOOCCC.8@@" "@@8ooCCCCoCCoo8@@" "@@8CoCCoooCCoo@@@" "@@88CoCoooooo@@@@" "@@88Oocooocc8@@@@" "@88c:CCooooo:O@@@" "Oc..cCCCCCCCc.:O8" ".....cCCCOCc....."

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
18 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Got packets? Kinda looks like EBCDIC, but would need to see the hex to verify.

Anonymous

Oct 21st 2015
9 years ago

ASCII art?
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@Cc::.:::cc:C@@@@@@@@
@@@@@@@Oc::....:...:::co@@@@@@
@@@@@@c:::........:::::cc@@@@@
@@@@@o:::::::c::::c:....:@@@@@
@@@@O::::oooCoOOoCCOCc...O@@@@
@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@
@@@@@c::CCccoooOoooccoo..O@@@@
@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@
@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@
@@@@@OCooCCCCCoooCCCCoooO@@@@@
@@@OOO@OoooCccoocccCCooO@@@@@@
@@@@OOOOCcooCCCCCCooco@@@@@@@@
@@@@OOOOCocccoooCooccO@@@@@@@@
@@@OOOOOCooocc:c::cooC@@@@@@@@
@@O@OC..cCCoooCoCooooo.C@@@@@@
@@O@c..:ooCCCCoocoCooo:.o@O@@@
c..:....oCCCOCCCOCCoCo...:..cO
.....:...oCCCCCCOOCOo....:....

Anonymous

Oct 21st 2015
9 years ago

If you insert newlines in the right places, it becomes quite obvious - see http://pastebin.com/cxee44Q9

Anonymous

Oct 21st 2015
9 years ago

Honestly, looks like ASCII art to me, but I can't make heads or tails of what the oblongs might be...

Anonymous

Oct 21st 2015
9 years ago

After I broke the strings out into separate lines, it looks like someone did a conversion on their portrait or something to generate different sizes of ASCII art. Brad in big, medium, small, etc. Not the best likeness, and maybe I'm just making it into something it's not, but that's my $0.02.

A sample:

""@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
"@@@@@@@@@@Cc::.:::cc:C@@@@@@@@"
"@@@@@@@Oc::....:...:::co@@@@@@"
"@@@@@@c:::........:::::cc@@@@@"
"@@@@@o:::::::c::::c:....:@@@@@"
"@@@@O::::oooCoOOoCCOCc...O@@@@"
"@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@"
"@@@@@c::CCccoooOoooccoo..O@@@@"
"@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@"
"@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@"
"@@@@@OCooCCCCCoooCCCCoooO@@@@@"
"@@@OOO@OoooCccoocccCCooO@@@@@@"
"@@@@OOOOCcooCCCCCCooco@@@@@@@@"
"@@@@OOOOCocccoooCooccO@@@@@@@@"
"@@@OOOOOCooocc:c::cooC@@@@@@@@"
"@@O@OC..cCCoooCoCooooo.C@@@@@@"
"@@O@c..:ooCCCCoocoCooo:.o@O@@@"
"c..:....oCCCOCCCOCCoCo...:..cO"
".....:...oCCCCCCOOCOo....:....?\

Anonymous

Oct 21st 2015
9 years ago

I think that it may be an X-Face or similar. Wrap it at 30 characters.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@Cc::.:::cc:C@@@@@@@@
@@@@@@@Oc::....:...:::co@@@@@@
@@@@@@c:::........:::::cc@@@@@
@@@@@o:::::::c::::c:....:@@@@@
@@@@O::::oooCoOOoCCOCc...O@@@@
@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@
@@@@@c::CCccoooOoooccoo..O@@@@
@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@
@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@
@@@@@OCooCCCCCoooCCCCoooO@@@@@
@@@OOO@OoooCccoocccCCooO@@@@@@
@@@@OOOOCcooCCCCCCooco@@@@@@@@
@@@@OOOOCocccoooCooccO@@@@@@@@
@@@OOOOOCooocc:c::cooC@@@@@@@@
@@O@OC..cCCoooCoCooooo.C@@@@@@
@@O@c..:ooCCCCoocoCooo:.o@O@@@
c..:....oCCCOCCCOCCoCo...:..cO
.....:...oCCCCCCOOCOo....:....

Anonymous

Oct 21st 2015
9 years ago

It looks like ASCII art to me.

Anonymous

Oct 21st 2015
9 years ago

Haha, you have clearly been living in a code yellow world (https://www.schneier.com/blog/archives/2015/09/living_in_a_cod.html) too long. It's ASCII art! With a few well-placed line feeds and carriage returns, and rendered in a monospace font, it's legible as a silhouette of an avatar.

Clearly at least one other person thought of this, because this pastebin popped up today, also.

http://pastebin.com/cxee44Q9

Anonymous

Oct 21st 2015
9 years ago

Looks like ASCII art if you line it all up, perhaps just a place holder record?

Anonymous

Oct 21st 2015
9 years ago

Okay, I can't see the other comments (system says 8, but there's only 1 showing up) if this is a duplicate of someone else's comment, feel free to delete it.

This just looks like ASCII art. If you copy all the blocks from one of the nodes (billmsbig) and put line breaks between the pairs of quotes, it just looks like an old Ascii Art piece (someone's silhouette).

Nigel

Anonymous

Oct 21st 2015
9 years ago

Login here to join the discussion.


Top of page
Diary Archives