Hello
To get a bit of a change from that IPv6 topic...
In the last few days I observed strange virus DNS behaviour...
We get complaints that infected customers' computers run webservers spreading viruses:
example: http://ei.adorelyric.com/happy_valentine.exe
$ for i in 1 2 3 4 5; do host ei.adorelyric.com; done
ei.adorelyric.com has address 83.1.99.8
ei.adorelyric.com has address 85.193.231.237
ei.adorelyric.com has address 86.16.162.235
ei.adorelyric.com has address 88.167.171.94
ei.adorelyric.com has address 86.16.162.235
and so on, sometimes pointing to the IP of one of our customers.
TTL is Zero, so the entry expires immediately.
adorelyric.com has SOA record ns1.adorelyric.com. root.adorelyric.com. 20081223 300 300 300 0
;; QUESTION SECTION:
;adorelyric.com. IN NS

;; ANSWER SECTION:
adorelyric.com. 0 IN NS ns1.adorelyric.com.
adorelyric.com. 0 IN NS ns2.adorelyric.com.
adorelyric.com. 0 IN NS ns3.adorelyric.com.
adorelyric.com. 0 IN NS ns4.adorelyric.com.
adorelyric.com. 0 IN NS ns5.adorelyric.com.
adorelyric.com. 0 IN NS ns6.adorelyric.com.
No additional section with an IP being sent, so the resolver has to do more queries...
$ for i in 1 2 3 4 5; do host ns1.adorelyric.com.; done
ns1.adorelyric.com has address 24.79.83.148
ns1.adorelyric.com has address 88.185.130.161
ns1.adorelyric.com has address 76.210.63.46
ns1.adorelyric.com has address 82.36.169.65
ns1.adorelyric.com has address 76.210.63.46
Well, that virus runs its own DNS server, randomly pointing to other infected machines.
Domain Name: ADORELYRIC.COM
Name Server: NS1.BESTMAZDADEALER.COM
Name Server: NS2.BESTMAZDADEALER.COM
Name Server: NS3.BESTMAZDADEALER.COM
Name Server: NS4.BESTMAZDADEALER.COM
Name Server: NS5.BESTMAZDADEALER.COM
Name Server: NS6.BESTMAZDADEALER.COM
Even the registered DNS servers point to infected machines:
$ for i in 1 2 3 4 5; do host NS1.BESTMAZDADEALER.COM; done
NS1.BESTMAZDADEALER.COM has address 212.87.4.145
NS1.BESTMAZDADEALER.COM has address 213.226.69.14
NS1.BESTMAZDADEALER.COM has address 61.92.213.121
NS1.BESTMAZDADEALER.COM has address 88.168.97.28
NS1.BESTMAZDADEALER.COM has address 88.168.97.28
Well, one is static:
$ for i in 1 2 3 4 5; do host NS6.BESTMAZDADEALER.COM; done
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
So this is the command and control server? But also this IP seems to change from time to time.
So what's the best option to get those hosts down?
Kind regards Benoit Panizzon
Benoit Panizzon wrote: [..]
So what's the best option to get those hosts down?
Locally register that domain in your recursive DNS servers and point NS records for it to a box you monitor. Then any customer trying to resolve it is very likely infected / trying to get to the bad stuff...
Greets, Jeroen
Hi Benoit,
On Thu, Feb 26, 2009 at 11:44, Benoit Panizzon <benoit.panizzon@imp.ch> wrote:
In the last few days I observed strange virus DNS behaviour...
It's a double-fast-flux network: http://en.wikipedia.org/wiki/Fast_flux#Single-flux_and_double-flux http://spamtrackers.eu/wiki/index.php?title=Fast-flux#How_to_shut-down_a_fas... http://dnsbl.abuse.ch/fastfluxtracker.php
Jeroen's answer is probably the easiest to implement.
-Aarno
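As an added illustration (not code from anyone in the thread), the pattern Benoit observed and Aarno names as double flux can be turned into a simple heuristic check over the answers collected from repeated lookups: a near-zero TTL combined with addresses spread across unrelated networks marks a fluxing name, and when both the hostname and its name servers show that pattern the domain is double-flux. The observations below are constructed from the addresses quoted in the post; the thresholds and the TTL for ns6 are assumptions.

```python
from ipaddress import ip_network

# Constructed sample in the shape of the lookups quoted in the thread:
# (queried name, TTL seconds, answer), one tuple per answer seen across
# repeated queries. The addresses are the ones Benoit posted; the TTL for
# ns6 is an assumption, the thread only shows TTL 0 for the other names.
OBSERVED = [
    ("ei.adorelyric.com", 0, "83.1.99.8"),
    ("ei.adorelyric.com", 0, "85.193.231.237"),
    ("ei.adorelyric.com", 0, "86.16.162.235"),
    ("ei.adorelyric.com", 0, "88.167.171.94"),
    ("ns1.adorelyric.com", 0, "24.79.83.148"),
    ("ns1.adorelyric.com", 0, "88.185.130.161"),
    ("ns1.adorelyric.com", 0, "76.210.63.46"),
    ("ns1.adorelyric.com", 0, "82.36.169.65"),
] + [("ns6.bestmazdadealer.com", 0, "82.239.175.129")] * 4

# Assumed thresholds: a legitimate round-robin pool normally sits in one or
# two prefixes with a TTL of minutes; flux hands out scattered consumer IPs.
MAX_TTL = 300
MIN_PREFIXES = 3

def summarize(name, observed=OBSERVED):
    """Collapse the repeated answers for one name into flux indicators."""
    addrs, ttls = set(), []
    for qname, ttl, addr in observed:
        if qname == name:
            addrs.add(addr)
            ttls.append(ttl)
    # /16 is a crude stand-in for "different network" that needs no ASN data.
    prefixes = {ip_network(f"{a}/16", strict=False) for a in addrs}
    return {"answers": len(ttls), "distinct_addresses": len(addrs),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(ttls) if ttls else None}

def is_fluxing(name, observed=OBSERVED):
    """Tiny TTL plus answers spread over many prefixes marks a fluxing name."""
    s = summarize(name, observed)
    return (s["answers"] > 0 and s["min_ttl"] <= MAX_TTL
            and s["distinct_prefixes"] >= MIN_PREFIXES)

def classify(hostname, ns_names, observed=OBSERVED):
    """'double-flux' if host and name servers flux, 'single-flux' if only the
    host does, 'static' otherwise."""
    host_flux = is_fluxing(hostname, observed)
    ns_flux = any(is_fluxing(ns, observed) for ns in ns_names)
    if host_flux and ns_flux:
        return "double-flux"
    return "single-flux" if host_flux else "static"
```

Feeding it the answers from a recursive resolver's query log over a few minutes gives a list of candidate domains for the local sinkhole Jeroen describes.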