The Trojan is doing the rounds in specially crafted Word documents. Be especially careful when receiving and opening Word documents from unknown sources.
Malware in the form of a Remote Access Tool (RAT) that relies on a set of internet addresses to run can be relatively easy to cripple by blocking the addresses it wants to use.
However, it is not always that easy, as security researchers at Cisco’s Talos group found out to their dismay.
DNSMessenger, a brand new Windows PowerShell Trojan, communicates over the network’s Domain Name System (DNS), which happens to be one of the cornerstones of the internet.
If you were to block DNS, other problems would likely crop up. In fact, very few computers are equipped to block DNS without repercussions.
DNSMessenger is crafted so that it both sends commands to the victim’s machine and sends the results back to the attacker. This is an “extremely uncommon” two-way approach.
It is not yet clear what the malware writer was hoping to accomplish with this approach, although the code trash-talks Cisco’s SourceFire security hardware.
This could mean that the Trojan was created to bomb specific targets, as opposed to carpet bombing any machine it gets hooked into.
There seems to be a silver lining to this malware. You are unlikely to bump into it, since it is currently doing the rounds in specially crafted Word documents.
Cisco has also launched Umbrella, which is specifically aimed at countering DNS-based attacks.
If you do not have access to corporate tools such as Umbrella, be very careful before accepting Word documents from unknown sources.
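
Since blocking DNS outright is not practical, defenders usually look for this kind of channel in resolver logs instead. The Python example below is an addition to this article, not code from Cisco or from the malware: it flags a client that sends many distinct long, random-looking hostname labels under one parent domain. The log format, thresholds and every hostname are constructed assumptions, and the heuristic is a general indicator of DNS being used as a data channel, not a DNSMessenger signature.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def parent_domain(qname):
    """Last two labels. Simplification: real deployments need a public-suffix list."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_dns_channels(log, min_unique=5, min_len=20, min_entropy=3.5):
    """Return sorted (client, parent_domain, count) for clients that sent at least
    min_unique distinct long, high-entropy leftmost labels under one parent domain.
    All three thresholds are assumed starting points, to be tuned per network."""
    seen = defaultdict(set)
    for client, qname in log:
        label = qname.split(".")[0].lower()
        # Length is checked first, so an empty label never reaches the entropy call.
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            seen[(client, parent_domain(qname))].add(label)
    return sorted((c, d, len(labels)) for (c, d), labels in seen.items()
                  if len(labels) >= min_unique)

# Constructed sample resolver log (client IP, queried name); not real traffic.
ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"  # stand-in for encoded data
SAMPLE_LOG = (
    [("10.0.0.8", n) for n in ("www.example.com", "mail.example.com", "cdn.example.com")]
    # One long random-looking name on its own stays below min_unique.
    + [("10.0.0.8", "a1b2c3d4e5f6a7b8c9d0e1f2.assets.example.org")]
    # Eight different encoded-looking labels under the same parent domain.
    + [("10.0.0.23", f"{ALPHABET[i:] + ALPHABET[:i]}.updates-sync.example") for i in range(8)]
    + [("10.0.0.23", "www.example.com")]
)

if __name__ == "__main__":
    for client, domain, count in find_dns_channels(SAMPLE_LOG):
        print(f"{client} -> {domain}: {count} distinct encoded-looking labels")
```

Counting distinct labels per client and parent domain is what keeps a single content-delivery hostname from raising an alert while a sustained exchange still stands out.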









