[Snort-sigs] Re: [Full-Disclosure] Mystery DNS Changes

Paul Tinsley pdt at ...1716...
Wed Oct 1 18:53:04 EDT 2003


Don't know if this will help anybody else but I have added this to all 
my sensors that see internal traffic headed for firewalls:

var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]
alert tcp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900027; rev:1;)

This along with a rule in my alerting software that alerts once per hour 
per machine that is triggering this alert seems to be working pretty well.

Harris, Michael C. wrote:

>I have laid hands on a machine hit with the Qhosts-1 Trojan 
>
>It drops a replacement hosts file in the $system%\help\ directory
>and also makes the registry changes described in the NAI posting
>http://vil.nai.com/vil/content/v_100719.htm
>
>DNS detail, hosts file details, captured headers all follow below the signature block 
>sorry for the length of message and no I don't have a full capture
>
>Mike 
>-------------------------------------------------------------------
>Michael C Harris
>System Security Analyst - GSEC
>University of Missouri Health Center
>harrismc at ...1375...  KC0PAH
>-------------------------------------------------------------------
>
>DNS changed to 
>69.57.146.14 
>69.57.147.175  
>
>hosts file included the following entries
>
>88.88.88.88 elite 
>207.44.194.56 www.google.akadns.net 
>207.44.194.56 www.google.com 
>207.44.194.56 google.com 
>207.44.194.56 www.altavista.com 
>207.44.194.56 altavista.com 
>207.44.194.56 search.yahoo.com 
>207.44.194.56 uk.search.yahoo.com 
>207.44.194.56 ca.search.yahoo.com 
>207.44.194.56 jp.search.yahoo.com 
>207.44.194.56 au.search.yahoo.com 
>207.44.194.56 de.search.yahoo.com 
>207.44.194.56 search.yahoo.co.jp 
>207.44.194.56 www.lycos.de 
>207.44.194.56 www.lycos.ca 
>207.44.194.56 www.lycos.jp 
>207.44.194.56 www.lycos.co.jp 
>207.44.194.56 alltheweb.com 
>207.44.194.56 web.ask.com 
>207.44.194.56 ask.com 
>207.44.194.56 www.ask.com 
>207.44.194.56 www.teoma.com 
>207.44.194.56 search.aol.com 
>207.44.194.56 www.looksmart.com 
>207.44.194.56 auto.search.msn.com 
>207.44.194.56 search.msn.com 
>207.44.194.56 ca.search.msn.com 
>207.44.194.56 fr.ca.search.msn.com 
>207.44.194.56 search.fr.msn.be 
>207.44.194.56 search.fr.msn.ch 
>207.44.194.56 search.latam.yupimsn.com 
>207.44.194.56 search.msn.at 
>207.44.194.56 search.msn.be 
>207.44.194.56 search.msn.ch 
>207.44.194.56 search.msn.co.in 
>207.44.194.56 search.msn.co.jp 
>207.44.194.56 search.msn.co.kr 
>207.44.194.56 search.msn.com.br 
>207.44.194.56 search.msn.com.hk 
>207.44.194.56 search.msn.com.my 
>207.44.194.56 search.msn.com.sg 
>207.44.194.56 search.msn.com.tw 
>207.44.194.56 search.msn.co.za 
>207.44.194.56 search.msn.de 
>207.44.194.56 search.msn.dk 
>207.44.194.56 search.msn.es 
>207.44.194.56 search.msn.fi 
>207.44.194.56 search.msn.fr 
>207.44.194.56 search.msn.it 
>207.44.194.56 search.msn.nl 
>207.44.194.56 search.msn.no 
>207.44.194.56 search.msn.se 
>207.44.194.56 search.ninemsn.com.au 
>207.44.194.56 search.t1msn.com.mx 
>207.44.194.56 search.xtramsn.co.nz 
>207.44.194.56 search.yupimsn.com 
>207.44.194.56 uk.search.msn.com 
>207.44.194.56 search.lycos.com 
>207.44.194.56 www.lycos.com 
>207.44.194.56 www.google.ca 
>207.44.194.56 google.ca 
>207.44.194.56 www.google.uk 
>207.44.194.56 www.google.co.uk 
>207.44.194.56 www.google.com.au 
>207.44.194.56 www.google.co.jp 
>207.44.194.56 www.google.jp 
>207.44.194.56 www.google.at 
>207.44.194.56 www.google.be 
>207.44.194.56 www.google.ch 
>207.44.194.56 www.google.de 
>207.44.194.56 www.google.se 
>207.44.194.56 www.google.dk 
>207.44.194.56 www.google.fi 
>207.44.194.56 www.google.fr 
>207.44.194.56 www.google.com.gr 
>207.44.194.56 www.google.com.hk 
>207.44.194.56 www.google.ie 
>207.44.194.56 www.google.co.il 
>207.44.194.56 www.google.it 
>207.44.194.56 www.google.co.kr 
>207.44.194.56 www.google.com.mx 
>207.44.194.56 www.google.nl 
>207.44.194.56 www.google.co.nz 
>207.44.194.56 www.google.pl 
>207.44.194.56 www.google.pt 
>207.44.194.56 www.google.com.ru 
>207.44.194.56 www.google.com.sg 
>207.44.194.56 www.google.co.th 
>207.44.194.56 www.google.com.tr 
>207.44.194.56 www.google.com.tw 
>207.44.194.56 go.google.com 
>207.44.194.56 google.at 
>207.44.194.56 google.be 
>207.44.194.56 google.de 
>207.44.194.56 google.dk 
>207.44.194.56 google.fi 
>207.44.194.56 google.fr 
>207.44.194.56 google.com.hk 
>207.44.194.56 google.ie 
>207.44.194.56 google.co.il 
>207.44.194.56 google.it 
>207.44.194.56 google.co.kr 
>207.44.194.56 google.com.mx 
>207.44.194.56 google.nl 
>207.44.194.56 google.co.nz 
>207.44.194.56 google.pl 
>207.44.194.56 google.com.ru 
>207.44.194.56 google.com.sg 
>207.44.194.56 www.hotbot.com 
>207.44.194.56 hotbot.com 
>
>sample headers 
>2003/10/01-16:54:05.242697 161.130.204.xxx.2306 > 207.44.220.30.http: S 22870760:22870760(0) win 8192  (DF)
>2003/10/01-16:54:05.281848 207.44.220.30.http > 161.130.204.xxx.2306: S 1904832103:1904832103(0) ack 22870761 win 5840  (DF)
>2003/10/01-16:54:05.282723 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904832104 win 8760 (DF)
>2003/10/01-16:54:05.283772 161.130.204.xxx.2306 > 207.44.220.30.http: P 22870761:22871132(371) ack 1904832104 win 8760 (DF)
>2003/10/01-16:54:05.326527 207.44.220.30.http > 161.130.204.xxx.2306: . ack 22871132 win 6432 (DF)
>2003/10/01-16:54:05.328614 207.44.220.30.http > 161.130.204.xxx.2306: . 1904832104:1904833564(1460) ack 22871132 win 6432 (DF)
>2003/10/01-16:54:05.329041 207.44.220.30.http > 161.130.204.xxx.2306: . 1904833564:1904835024(1460) ack 22871132 win 6432 (DF)
>2003/10/01-16:54:05.330076 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904835024 win 8760 (DF)
>2003/10/01-16:54:05.372888 207.44.220.30.http > 161.130.204.xxx.2306: P 1904835024:1904836392(1368) ack 22871132 win 6432 (DF)
>2003/10/01-16:54:05.446322 161.130.204.xxx.2306 > 207.44.220.30.http: P 22871132:22871449(317) ack 1904836392 win 7392 (DF)
>2003/10/01-16:54:05.487111 207.44.220.30.http > 161.130.204.xxx.2306: . 1904836392:1904837852(1460) ack 22871449 win 7504 (DF)
>2003/10/01-16:54:05.487281 207.44.220.30.http > 161.130.204.xxx.2306: . 1904837852:1904839312(1460) ack 22871449 win 7504 (DF)
>2003/10/01-16:54:05.487542 207.44.220.30.http > 161.130.204.xxx.2306: . 1904839312:1904840772(1460) ack 22871449 win 7504 (DF)
>2003/10/01-16:54:05.488322 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904839312 win 8760 (DF)
>2003/10/01-16:54:05.526875 207.44.220.30.http > 161.130.204.xxx.2306: P 1904840772:1904842232(1460) ack 22871449 win 7504 (DF)
>2003/10/01-16:54:05.527184 207.44.220.30.http > 161.130.204.xxx.2306: . 1904842232:1904843692(1460) ack 22871449 win 7504 (DF)
>2003/10/01-16:54:05.527370 207.44.220.30.http > 161.130.204.xxx.2306: . 1904843692:1904845152(1460) ack 22871449 win 7504 (DF)
>2003/10/01-16:54:05.528025 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904842232 win 8760 (DF)
>2003/10/01-16:54:05.528382 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904845152 win 8760 (DF)
>2003/10/01-16:54:05.571528 207.44.220.30.http > 161.130.204.xxx.2306: P 1904845152:1904845237(85) ack 22871449 win 7504 (DF)
>2003/10/01-16:54:05.750111 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904845237 win 8675 (DF)
>2003/10/01-16:54:16.288182 161.130.204.xxx.2306 > 207.44.220.30.http: P 22871449:22871911(462) ack 1904845237 win 8675 (DF)
>2003/10/01-16:54:16.329439 207.44.220.30.http > 161.130.204.xxx.2306: . 1904845237:1904846697(1460) ack 22871911 win 8576 (DF)
>2003/10/01-16:54:16.329929 207.44.220.30.http > 161.130.204.xxx.2306: . 1904846697:1904848157(1460) ack 22871911 win 8576 (DF)
>2003/10/01-16:54:16.330970 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848157 win 8760 (DF)
>2003/10/01-16:54:16.370436 207.44.220.30.http > 161.130.204.xxx.2306: P 1904848157:1904848507(350) ack 22871911 win 8576 (DF)
>2003/10/01-16:54:16.548259 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848507 win 8410 (DF)
>2003/10/01-16:54:31.778347 207.44.220.30.http > 161.130.204.xxx.2306: F 1904848507:1904848507(0) ack 22871911 win 8576 (DF)
>2003/10/01-16:54:31.779090 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848508 win 8410 (DF)
>2003/10/01-16:54:33.545827 161.130.204.xxx.2306 > 207.44.220.30.http: R 22871911:22871911(0) win 0 (DF)
>
>-----Original Message-----
>From: David Vincent [mailto:david.vincent at ...1925...]
>Sent: Wednesday, October 01, 2003 5:01 PM
>To: full-disclosure at ...1788...
>Subject: RE: [Full-Disclosure] Mystery DNS Changes
>
>
>it was said....
>
>------------------
>We have seen multiple instances where DHCP enabled workstations have had 
>their DNS reconfigured to point to two of the three addresses listed 
>below. Can anyone else confirm this? Incidents.org is reporting an 
>increase in port 53 traffic over the last two days. Are we looking at 
>the precursor to the next worm? 
>216.127.92.38 
>69.57.146.14 
>69.57.147.175 
>
>Are these entries coming in the DHCP packets or are they being 
>set *after* DHCP is complete?  Are compromised systems acting 
>like DHCP servers stuffing their own DNS entries into 
>specially crafted replies? 
>Can you post traffic dumps? 
>------------------
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>  
>
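As a host-side complement to the sensor rule above, here is an added example (my own code, not from either poster) that parses a hosts file and flags the pattern Mike describes: many well-known search-engine names all pinned to one public address, plus a check of the configured resolvers against the three addresses quoted in the thread. The sample hosts file is constructed to mirror the entries he listed; the threshold of three names per address is my assumption, not anything from the thread.

```python
"""
Host-based checks for the Qhosts-style tampering described in the thread:
  1. a hosts file that maps many hostnames to a single public IP
  2. configured DNS resolvers that appear on a block list
"""
import ipaddress
from collections import defaultdict

# Resolver addresses quoted in the thread (the Snort $MAL_DNS list).
MAL_DNS = {"216.127.92.38", "69.57.146.14", "69.57.147.175"}

# Constructed sample hosts file mirroring the pattern reported in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
88.88.88.88 elite
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 search.yahoo.com
207.44.194.56 www.altavista.com
207.44.194.56 search.msn.com
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, ignoring comments and blanks.
    A line may carry several hostnames after the address; each is emitted."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; skip rather than crash
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def find_hijacks(entries, threshold=3):
    """Return {ip: [hostnames]} for public, routable addresses that claim at
    least `threshold` distinct names. Loopback/private/unspecified addresses
    are ignored because legitimate hosts files use them freely."""
    by_ip = defaultdict(set)
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_unspecified:
            continue
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= threshold}


def check_resolvers(resolvers, blocklist=MAL_DNS):
    """Return the configured resolver addresses that appear on the block list."""
    return sorted(r for r in resolvers if r in blocklist)


if __name__ == "__main__":
    hits = find_hijacks(parse_hosts(SAMPLE_HOSTS))
    for ip, names in hits.items():
        print(f"hosts file pins {len(names)} names to {ip}: {', '.join(names)}")
    # Constructed resolver list for demonstration; on a real host read it
    # from the interface configuration (e.g. ipconfig /all on Windows).
    for bad in check_resolvers(["69.57.146.14", "10.0.0.1"]):
        print(f"resolver {bad} is on the block list")
```

On a Windows host the file to feed `parse_hosts` is the one in the system directory the trojan replaces; pointing the script at both the normal location and the `help\` directory Mike mentions lets you compare them. The resolver check is deliberately an exact-match set lookup so it can be extended with whatever addresses your own sensors report.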