This malware updates its URLs by generating domain names with a predefined algorithm (a domain generation algorithm) and then performing an SPF (Sender Policy Framework) lookup on each of them. This is interesting because SPF was created to validate email and prevent spam by detecting email spoofing. Using SPF, administrators specify which hosts are permitted to send mail for a given domain by publishing an SPF record in the Domain Name System. Mail exchangers then use this DNS record to verify that mail claiming to come from the domain was sent by a host with the proper permissions; if the sender's hostname or IP address is not listed in the record, the message is probably spoofed.
This trojan is quite clever in hiding itself because it abuses this security feature to quietly obtain a list of new addresses to use. Since the request is an ordinary DNS TXT lookup, the traffic is disguised from firewalls and other security products that would normally block requests to command-and-control servers.
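The detection angle follows from the mechanism above: an SPF record is just a TXT record listing permitted sender networks, so a defender can parse the SPF answers seen in resolver or passive-DNS logs and flag those whose queried names look algorithmically generated yet hand out explicit IP networks. The code below is an added illustration, not from the original page or the malware analysis; the SPF parser follows the standard `ip4:`/`ip6:` mechanism syntax, while the DGA heuristic (label length, character entropy, vowel ratio) and its thresholds are assumptions to be tuned against your own traffic, and the sample answers are constructed.

```python
import math
import re
from collections import Counter

# SPF mechanism terms of the form [qualifier]ip4:<network> or ip6:<network>.
SPF_IP_RE = re.compile(r"^[+\-~?]?ip(4|6):(\S+)$")


def parse_spf(txt_record):
    """Return the explicit ip4/ip6 networks an SPF record authorises,
    or None if the TXT record is not an SPF record at all."""
    terms = txt_record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return [m.group(2) for m in map(SPF_IP_RE.match, terms[1:]) if m]


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Cheap heuristic (assumed, not from the page) for DGA-style names:
    a long leftmost label with high character entropy and few vowels."""
    label = domain.rstrip(".").split(".")[0].lower()
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def flag_spf_beacons(txt_answers):
    """txt_answers: iterable of (queried_domain, txt_record) pairs as a resolver
    or passive-DNS log records them. Returns [(domain, networks)] for answers
    that are SPF records naming explicit networks under DGA-looking domains."""
    hits = []
    for domain, txt in txt_answers:
        networks = parse_spf(txt)
        if networks and looks_generated(domain):
            hits.append((domain, networks))
    return hits


# Constructed sample answers using documentation address ranges, not real indicators.
SAMPLE_TXT_ANSWERS = [
    ("mail.example.com.", "v=spf1 mx ip4:192.0.2.10 -all"),
    ("xq7vkz9tbwpd.example.", "v=spf1 ip4:203.0.113.5 ip4:198.51.100.0/24 -all"),
    ("_dmarc.example.com.", "v=DMARC1; p=reject"),
    ("jh3kzprvq8wmt.example.", "v=spf1 ip6:2001:db8::1 ~all"),
]

if __name__ == "__main__":
    for domain, networks in flag_spf_beacons(SAMPLE_TXT_ANSWERS):
        print(domain, "->", ", ".join(networks))
```

Legitimate mail domains normally have short, pronounceable labels and so pass through; the two constructed DGA-style names with explicit networks are the ones reported.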