This is pretty clever.
Using DNS as a comms channel for malware isn't necessarily a new idea, but these attackers delivered the payload (a redirect URL to a malware site) via a dynamic TXT record in the DNS records as a way to get around a web application firewall traffic detection system.
This malware uses custom subdomains to pass information about each visitor to the TDS. As we showed above, the DNS queries are issued for dynamically generated domain names with this format:
The domain will be different for each visitor (the <visitor-ip> part) and, even if the same visitor loads the same page again, the <random-number> will make the subdomain unique anyway. This ensures that each visit is handled individually and no one gets a cached DNS response from Google DNS (the TXT records have TTL:600 so they are cached for 10 minutes).
In addition to the visitor IP, the TDS gets information about the infected site, which is probably used as a beacon that sends a signal that the website is still infected.
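A defender-side detection sketch, added here and not code from the original article or the campaign it describes: it scans constructed resolver log lines for a base domain whose TXT lookups each use a never-repeated subdomain and come back with a URL, which is the per-visit beaconing pattern quoted above. The log line layout and the subdomain shape (`<random>.<ip-with-dashes>.tds-example.test`) are assumptions for the sample only, not the real campaign's format.

```python
"""Flag TXT-record beaconing: one base domain, many one-off subdomains,
each queried once, each answered with a URL (a TDS redirect pattern)."""
import re
from collections import defaultdict

# Constructed sample resolver log (hypothetical layout, not from the
# analysed campaign): timestamp client qname qtype ttl rdata
SAMPLE_LOG = """\
1700000000 10.0.0.5 8812.203-0-113-10.tds-example.test TXT 600 "http://malware.example/land"
1700000003 10.0.0.5 2171.198-51-100-7.tds-example.test TXT 600 "http://malware.example/land"
1700000010 10.0.0.5 9934.203-0-113-10.tds-example.test TXT 600 "http://malware.example/land"
1700000012 10.0.0.5 www.example.org A 300 93.184.216.34
1700000020 10.0.0.5 _dmarc.example.org TXT 3600 "v=DMARC1; p=none"
"""

URL_RE = re.compile(r"https?://", re.I)


def parse_line(line):
    """Split one log line into its fields; rdata may contain spaces."""
    ts, client, qname, qtype, ttl, rdata = line.split(maxsplit=5)
    return {"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "ttl": int(ttl), "rdata": rdata.strip('"')}


def base_domain(qname, labels=2):
    """Crude registrable-domain guess: keep the last `labels` labels."""
    return ".".join(qname.split(".")[-labels:])


def find_txt_beacons(log_text, min_unique=3):
    """Return {base_domain: unique_subdomain_count} for base domains whose TXT
    queries never repeat a subdomain and whose answers all look like URLs."""
    subs_per_base = defaultdict(lambda: defaultdict(int))
    url_answers = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qtype"] != "TXT":
            continue
        base = base_domain(rec["qname"])
        subs_per_base[base][rec["qname"]] += 1
        if URL_RE.match(rec["rdata"]):
            url_answers[base] += 1
    hits = {}
    for base, subs in subs_per_base.items():
        total = sum(subs.values())
        if len(subs) >= min_unique and total == len(subs) and url_answers[base] == total:
            hits[base] = len(subs)
    return hits
```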