A Tale of Two Servers or Maybe More

Last October, Slate ran a series of reports about unusual communication between computers registered to Trump Tower, Alfa Bank, and Spectrum Health. Last spring, researchers at several companies that specialize in detecting malware across the internet had noticed unusual communication between a server registered to the Trump Organization at Trump Tower on Fifth Ave and a server belonging to Alfa Bank (a Russian bank).

These researchers found an unusual pattern of DNS queries between these computers, as well as a third computer at Spectrum Health, a company controlled by the DeVos family. DNS, the Domain Name System, is the service that converts the name of a web site like DailyKos.com into its IP address. A DNS query asks for the IP address that goes with a name.

Many networks run their own DNS server (a resolver) that keeps a cache of name-to-address lookups. If a name is not in the cache, the resolver asks other servers, perhaps at the network’s internet provider, and ultimately the servers that are authoritative for that domain; the caches stay consistent by re-asking once a cached record expires. Since almost every internet service depends on DNS, DNS queries are usually allowed straight through routers and firewalls.

Malware designers know that DNS queries pass through most routers and firewalls, so some of them use DNS to move data to and from their malware. A technique known as DNS tunneling places data inside the DNS queries themselves, typically encoded into the host name being looked up, and inside the answers that come back. DNS tunneling is a form of covert channel: an ordinary-looking communication that also carries a hidden message.

Botnets can use DNS tunneling as a covert channel for command and control (C&C), and such channels are hard to detect. They can be identified only by inspecting the DNS traffic itself for signs of C&C data, such as unusually long or random-looking names, a high volume of queries to a single domain, or many distinct names that all resolve to nothing useful. On most networks today DNS is passed along as-is, while protocols like HTTP and FTP are routinely analyzed and inspected. That is what makes DNS tunneling so attractive to malware writers.
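The two halves of the story above, how a tunnel client packs data into query names and how a resolver-log analyst would flag that traffic, as an added example that is not part of the original post and not taken from any real tunneling tool. The domain tunnel.example.net, the client addresses, the payload and the log lines are all constructed for illustration; the registered-domain logic treats the last two labels as the zone, which a production tool would replace with the public suffix list.

```python
"""Added example (not from the original post): a DNS-tunnel encoder/decoder
and a resolver-log detector. Domain, payload and log lines are constructed."""
import base64
import math
from collections import Counter, defaultdict

TUNNEL_DOMAIN = "tunnel.example.net"   # hypothetical attacker-controlled zone
MAX_LABEL = 63                          # RFC 1035 label limit (octets)
MAX_NAME = 253                          # practical full-name limit
MESSAGE = b"The eagle lands at 2am. Acknowledge."   # constructed payload


def encode_message(data, domain=TUNNEL_DOMAIN, chunk=30):
    """Client side: base32 the payload (DNS names are case-insensitive, so
    base64 would be corrupted by resolvers) and emit one query name per
    chunk, with a sequence label so the receiver can reorder UDP queries."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    names = []
    for seq, i in enumerate(range(0, len(b32), chunk)):
        name = f"{seq}.{b32[i:i + chunk]}.{domain}"
        if any(len(l) > MAX_LABEL for l in name.split(".")) or len(name) > MAX_NAME:
            raise ValueError("chunk too large for a DNS name")
        names.append(name)
    return names


def decode_message(names, domain=TUNNEL_DOMAIN):
    """Authoritative-server side: strip the zone, reorder by sequence label,
    and restore the base32 padding that the client dropped."""
    parts = []
    for name in names:
        seq, payload = name[: -len(domain) - 1].split(".", 1)
        parts.append((int(seq), payload))
    b32 = "".join(p for _, p in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def shannon_entropy(s):
    """Bits per character; encoded data runs near 4-5, host names near 2-3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicion_score(qname):
    """Count tunneling indicators in one query name. The registered domain is
    taken to be the last two labels (simplification; use the public suffix
    list in real tooling)."""
    labels = qname.rstrip(".").lower().split(".")
    sub = labels[:-2]
    sub_str = "".join(sub)
    score = 0
    score += len(sub_str) > 24                       # lots of subdomain data
    score += bool(sub) and max(map(len, sub)) > 20   # one very long label
    score += shannon_entropy(sub_str) > 3.5          # looks like encoded data
    score += len(labels) > 4                         # many labels
    return score


def find_tunnels(records, min_flagged=2, threshold=2):
    """records: (timestamp, client_ip, qname) tuples from a resolver log.
    Returns the set of (client, registered_domain) pairs with at least
    min_flagged suspicious queries, the pattern an analyst would pull packets for."""
    hits = defaultdict(int)
    for _ts, client, qname in records:
        if suspicion_score(qname) >= threshold:
            labels = qname.rstrip(".").lower().split(".")
            hits[(client, ".".join(labels[-2:]))] += 1
    return {key for key, n in hits.items() if n >= min_flagged}


def build_sample_log():
    """Constructed resolver log: two benign lookups plus the tunnel queries."""
    log = [("2016-07-04T02:00:01", "10.0.0.5", "www.dailykos.com"),
           ("2016-07-04T02:00:03", "10.0.0.5", "api.internal.example.com")]
    for i, name in enumerate(encode_message(MESSAGE)):
        log.append((f"2016-07-04T02:00:{5 + i:02d}", "10.0.0.7", name))
    return log


if __name__ == "__main__":
    for name in encode_message(MESSAGE):
        print(name)
    print(decode_message(encode_message(MESSAGE)))
    print(find_tunnels(build_sample_log()))
```

The detector works only because the query names themselves are examined; a log that records just "client X asked for something under example.net" would show the volume and timing that Tea Leaves plotted, but not whether the names carried data. The encoder is the minimal form of what real tools like iodine do over many more records and with responses carrying the downstream direction.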

Now, back to the servers at Trump Tower and Alfa Bank. Was any communication going on inside the DNS queries between them? The only way to know is to get hold of the actual data packets that made up those queries. A researcher writing under the name Tea Leaves plotted the logs of the DNS queries, and they appeared to cluster around politically active moments in the Trump campaign.

This is a sophisticated way to communicate over a low-bandwidth channel. DNS queries may be logged, but the packets themselves are rarely stored, unlike email. Encrypted messages can be passed this way, and if they are small, like text messages or short emails, they could easily be sent with a DNS tunneling program such as iodine.

Thanks to greenbird, whose comment had the link to The Jester’s tweet about using DNS tunneling for covert communication.

Until the actual DNS packets are inspected, we don’t know whether any communication was going on between these servers. People on the Trump team are saying that these are only DNS queries, so no communication could be happening. But DNS tunneling programs show that one can communicate in a very hidden way from one server to another. A hidden network could even be constructed to let several machines communicate, or to run a botnet.

And now Alfa Bank has put out a statement saying that it was hacked and that the hacker sent spoofed DNS queries to make it look as though suspicious activity had taken place between the two servers.

Alfa Bank believes that these malicious attacks are designed to create the false impression that Alfa Bank has a secretive relationship with the Trump Organization. In fact, there is not and never has been such a relationship.

Sounds a little defensive to me, and the statement has been put out way too late. And who would bother with putting out spoofed DNS queries, as most people would assume they are sent as a regular part of network operation? Only people specialized in low-level internet operation and politics would even have noticed the strange pattern of queries. And fewer still would have matched them with a capacity for communication.

[UPDATE]

Who else is connected to the servers at Alfa Bank? Why, Robert Mercer is connected to this bank. According to The Bipartisan Report, Mercer’s company, Renaissance Technologies, invested in two large Russian telecom companies, VimpelCom and Mobile TeleSystems. Those companies are waiting for a large payoff if Russia and the US become friendly. Additionally, VimpelCom is owned by Ukrainian-born billionaire Mikhail Fridman. Fridman is chairman of Alfa Bank and a personal friend of Vladimir Putin.

The connection between Mercer, Fridman, Trump, and the Russian government is beyond shady and during the course of the investigation (that needs to take place) it’s only a matter of time before Mercer’s name emerges.

The web of interconnected billionaire and shady business deals is reaching critical mass and something’s going to break. It will be interesting to say the least.