A Tale of Two Servers or Maybe More

Last October, Slate ran a series of reports of unusual communication between computers registered by Trump Tower, Alfa Bank, and Spectrum Health. Last spring, researchers working at several companies specializing in malware detection across the internet discovered some unusual communications between a server registered by the Trump Organization at Trump Tower on Fifth Ave and a server from Alpha Bank (a Russian bank).

These researchers discovered an unusual set of DNS queries between these computers as well as a third computer at Spectrum Health, controlled by the DeVos family. DNS or Domain Name System is a service that converts the name of a web site like DailyKos.com into its IP address. A DNS query is used to ask for the IP address of a site name.

A lot of networks keep their own set of DNS table to look up internet address. If the name is not found, then another table, perhaps at the network’s communication service or provider is used. These servers keep their DNS table synced between each other. A DNS query is used to request the IP address from a name. Since DNS is a requirement for most web services, DNS queries are usually allowed to pass through routers.

Malware designers know that DNS queries can pass through most routers, so some malware designers use them to pass data to and from malware. A technique known as DNS tunneling allows data to be placed in a DNS query. DNS tunneling is a form of covert channel. A covert channel is an ordinary communication that also carries a hidden message.

However, botnets can use DNS tunneling to act as a covert channel, and these covert channels are very hard to detect. These can be identified only by looking for any C&C information on the DNS in the covert channel. In all network systems nowadays DNS is served as it is, but protocols like HTTP, FTP are one of many methods to analyze and inspect the traffic. So the botnets using DNS tunneling have a better scope for malware writers.

Now, back to our servers owned by Trump Tower and Alfa Bank. Was there any communication going on in the DNS queries between the servers? The only way to know is to get ahold of the actual data packets comprising the DNS queries. A scientist going by the name of Tea Leaves plotted the logs of the DNS queries and they seemed to happen at politically active times in the Trump campaign.

This is a very sophisticated way to communicate with a low bandwidth channel. DNS queries may be logged, but the packets are rarely stored, unlike email. Encrypted messages can be passed, and if they are small like text or emails, they could easily be sent via a program such as iodine.

Thanks to greenbird at this comment, he had the link to The Jester’s tweet about using DNS tunneling for covert communication.

Until the actual DNS packets are inspected, we don’t know if there was any communication going on between these servers. People on the Trump Team are saying that these are only DNS queries, so no communication could be happening. But using DNS tunneling programs, we can see that one can communicate in a very hidden way from one server to another. Perhaps a hidden network can be constructed to allow several machines to communicate, or even a botnet.

And now, Alfa Bank has put out a statement saying that they were hacked and the hacker sent out spoofed DNS queries to make it look like suspicious activity has taken place between the two servers.

Alfa Bank believes that these malicious attacks are designed to create the false impression that Alfa Bank has a secretive relationship with the Trump Organization. In fact, there is not and never has been such a relationship.

Sounds a little defensive to me and the statement has been put out way too late. And who would bother with putting out spoofed DNS queries as most people would assume they are sent as a regular part of network operation? Only people specialized in low level internet operation and politics would have even noticed the strange pattern of queries. And fewer still would have even matched a capacity for communication with them.

[UPDATE]

Who else is connected to the servers at Alfa Bank? Why Robert Mercer is connected to this bank. According to The Bipartisan Report, Mercer’s company, Renaissance Technology, invested in two large Russian telecom companies, VimpelCom and Mobile TeleSystems. Those companies are waiting for a large payoff if Russia and the US become friendly. Additionally, VimpelCom is owned by by Ukrainian-born billionaire Mikhail Fridman. Fridman is Chairman of Alfa Bank and a personal friend of Vladimir Putin.

The connection between Mercer, Fridman, Trump, and the Russian government is beyond shady and during the course of the investigation (that needs to take place) it’s only a matter of time before Mercer’s name emerges.

The web of interconnected billionaire and shady business deals is reaching critical mass and something’s going to break. It will be interesting to say the least.

Advertisements

Hertz So Good

Hertz Rentals has placed car cameras in approximately 13% of its rental fleet. They claim that the cameras are not being used, and that they have no plans currently for using them.

Hertz added the camera as a feature of the NeverLost 6 in the event it was decided, in the future, to activate live agent connectivity to customers by video. In that plan the customer would have needed to turn on the camera by pushing a button (while stationary),” Hertz spokesperson Evelin Imperatrice explained. “The camera feature has not been launched, cannot be operated and we have no current plans to do so.”

hertzcam

This makes absolutely no sense. Why spend money adding cameras to your rental, when you don’t plan to use them. That would be a complete waste of money. Hertz probably already has a reason for installing the cameras, and reasons that are not helpful to the customer. I doubt that Hertz is really planning to use the cameras as a way to talk to renters about their car. No, the camera is probably there to monitor customers for mistreating the car and letting others drive.

According to the Fusion article:
In a 2013 blog post titled “Peace of Mind,” a developer involved in a Hertz hackathon wrote about using the in-car camera along with other sensors in the car to detect an accident and immediately get a customer a new vehicle. In the post, he included two screen shots of a live call, but Hertz spokesperson Imperatrice said everything done for the hackathon event was “essentially a mock-up.” “Even the video that appears to be from inside the car was not from a NeverLost,” she said.

But this raises a couple of issues. Wouldn’t Hertz be liable for wrecks occurring during videoconferencing while driving? Isn’t videotaping someone without their consent illegal in some states? What about minors, especially children and infants changing clothes or going to the bathroom in the car or van? When my daughter was a toddler and preschooler, it was easier to have a potty in the back of the van for her to use. Wouldn’t this leave Hertz liable for child porn charges if children are being videotaped without their clothes?

None of this makes any sense. The only reason that Hertz would be putting the camera in is to try to recover monetary damages from renters. It seems that few customers want a camera watching them drive. On the contrary, this may drive away some customers. But I have a solution, simply place a sticky note over the camera, or perhaps place a photo in front of the camera and have some fun. Also, I wonder how hard it would be to get images from the camera, or for that matter, any camera in any Hertz rental?