[Snort-sigs] Re: [Full-Disclosure] Mystery DNS Changes

Paul Tinsley pdt at ...1716...
Fri Oct 3 16:04:04 EDT 2003


Someone brought to my attention that I neglected udp (thank you, Adam); 
sorry about that, I was in a hurry when I posted this. There is another 
just like the tcp one that says udp :)  Both are being triggered by the 
clients affected, as one would expect, so for full coverage, do both.

Paul Tinsley wrote:

> Don't know if this will help anybody else but I have added this to all 
> my sensors that see internal traffic headed for firewalls:
>
> var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]
> alert tcp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; 
> sid:900027; rev:1;)
>
> This along with a rule in my alerting software that alerts once per 
> hour per machine that is triggering this alert seems to be working 
> pretty well.
>
> Harris, Michael C. wrote:
>
>> I have laid hands on a machine hit with the Qhosts-1 Trojan.
>> It drops a replacement hosts file in the $system%\help\ directory
>> and also makes the registry changes described in the NAI posting:
>> http://vil.nai.com/vil/content/v_100719.htm
>>
>> DNS detail, hosts file details and captured headers all follow below the 
>> signature block; sorry for the length of the message, and no, I don't have a 
>> full capture.
>>
>> Mike
>> -------------------------------------------------------------------
>> Michael C Harris
>> System Security Analyst - GSEC
>> University of Missouri Health Center
>> harrismc at ...1375...  KC0PAH
>> -------------------------------------------------------------------
>>
>> DNS changed to 69.57.146.14 69.57.147.175 
>> hosts file included the following entries
>>
>> 88.88.88.88 elite
>> 207.44.194.56 www.google.akadns.net
>> 207.44.194.56 www.google.com
>> 207.44.194.56 google.com
>> 207.44.194.56 www.altavista.com
>> 207.44.194.56 altavista.com
>> 207.44.194.56 search.yahoo.com
>> 207.44.194.56 uk.search.yahoo.com
>> 207.44.194.56 ca.search.yahoo.com
>> 207.44.194.56 jp.search.yahoo.com
>> 207.44.194.56 au.search.yahoo.com
>> 207.44.194.56 de.search.yahoo.com
>> 207.44.194.56 search.yahoo.co.jp
>> 207.44.194.56 www.lycos.de
>> 207.44.194.56 www.lycos.ca
>> 207.44.194.56 www.lycos.jp
>> 207.44.194.56 www.lycos.co.jp
>> 207.44.194.56 alltheweb.com
>> 207.44.194.56 web.ask.com
>> 207.44.194.56 ask.com
>> 207.44.194.56 www.ask.com
>> 207.44.194.56 www.teoma.com
>> 207.44.194.56 search.aol.com
>> 207.44.194.56 www.looksmart.com
>> 207.44.194.56 auto.search.msn.com
>> 207.44.194.56 search.msn.com
>> 207.44.194.56 ca.search.msn.com
>> 207.44.194.56 fr.ca.search.msn.com
>> 207.44.194.56 search.fr.msn.be
>> 207.44.194.56 search.fr.msn.ch
>> 207.44.194.56 search.latam.yupimsn.com
>> 207.44.194.56 search.msn.at
>> 207.44.194.56 search.msn.be
>> 207.44.194.56 search.msn.ch
>> 207.44.194.56 search.msn.co.in
>> 207.44.194.56 search.msn.co.jp
>> 207.44.194.56 search.msn.co.kr
>> 207.44.194.56 search.msn.com.br
>> 207.44.194.56 search.msn.com.hk
>> 207.44.194.56 search.msn.com.my
>> 207.44.194.56 search.msn.com.sg
>> 207.44.194.56 search.msn.com.tw
>> 207.44.194.56 search.msn.co.za
>> 207.44.194.56 search.msn.de
>> 207.44.194.56 search.msn.dk
>> 207.44.194.56 search.msn.es
>> 207.44.194.56 search.msn.fi
>> 207.44.194.56 search.msn.fr
>> 207.44.194.56 search.msn.it
>> 207.44.194.56 search.msn.nl
>> 207.44.194.56 search.msn.no
>> 207.44.194.56 search.msn.se
>> 207.44.194.56 search.ninemsn.com.au
>> 207.44.194.56 search.t1msn.com.mx
>> 207.44.194.56 search.xtramsn.co.nz
>> 207.44.194.56 search.yupimsn.com
>> 207.44.194.56 uk.search.msn.com
>> 207.44.194.56 search.lycos.com
>> 207.44.194.56 www.lycos.com
>> 207.44.194.56 www.google.ca
>> 207.44.194.56 google.ca
>> 207.44.194.56 www.google.uk
>> 207.44.194.56 www.google.co.uk
>> 207.44.194.56 www.google.com.au
>> 207.44.194.56 www.google.co.jp
>> 207.44.194.56 www.google.jp
>> 207.44.194.56 www.google.at
>> 207.44.194.56 www.google.be
>> 207.44.194.56 www.google.ch
>> 207.44.194.56 www.google.de
>> 207.44.194.56 www.google.se
>> 207.44.194.56 www.google.dk
>> 207.44.194.56 www.google.fi
>> 207.44.194.56 www.google.fr
>> 207.44.194.56 www.google.com.gr
>> 207.44.194.56 www.google.com.hk
>> 207.44.194.56 www.google.ie
>> 207.44.194.56 www.google.co.il
>> 207.44.194.56 www.google.it
>> 207.44.194.56 www.google.co.kr
>> 207.44.194.56 www.google.com.mx
>> 207.44.194.56 www.google.nl
>> 207.44.194.56 www.google.co.nz
>> 207.44.194.56 www.google.pl
>> 207.44.194.56 www.google.pt
>> 207.44.194.56 www.google.com.ru
>> 207.44.194.56 www.google.com.sg
>> 207.44.194.56 www.google.co.th
>> 207.44.194.56 www.google.com.tr
>> 207.44.194.56 www.google.com.tw
>> 207.44.194.56 go.google.com
>> 207.44.194.56 google.at
>> 207.44.194.56 google.be
>> 207.44.194.56 google.de
>> 207.44.194.56 google.dk
>> 207.44.194.56 google.fi
>> 207.44.194.56 google.fr
>> 207.44.194.56 google.com.hk
>> 207.44.194.56 google.ie
>> 207.44.194.56 google.co.il
>> 207.44.194.56 google.it
>> 207.44.194.56 google.co.kr
>> 207.44.194.56 google.com.mx
>> 207.44.194.56 google.nl
>> 207.44.194.56 google.co.nz
>> 207.44.194.56 google.pl
>> 207.44.194.56 google.com.ru
>> 207.44.194.56 google.com.sg
>> 207.44.194.56 www.hotbot.com
>> 207.44.194.56 hotbot.com
>>
>> sample headers
>>
>> 2003/10/01-16:54:05.242697 161.130.204.xxx.2306 > 207.44.220.30.http: S 22870760:22870760(0) win 8192  (DF)
>> 2003/10/01-16:54:05.281848 207.44.220.30.http > 161.130.204.xxx.2306: S 1904832103:1904832103(0) ack 22870761 win 5840  (DF)
>> 2003/10/01-16:54:05.282723 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904832104 win 8760 (DF)
>> 2003/10/01-16:54:05.283772 161.130.204.xxx.2306 > 207.44.220.30.http: P 22870761:22871132(371) ack 1904832104 win 8760 (DF)
>> 2003/10/01-16:54:05.326527 207.44.220.30.http > 161.130.204.xxx.2306: . ack 22871132 win 6432 (DF)
>> 2003/10/01-16:54:05.328614 207.44.220.30.http > 161.130.204.xxx.2306: . 1904832104:1904833564(1460) ack 22871132 win 6432 (DF)
>> 2003/10/01-16:54:05.329041 207.44.220.30.http > 161.130.204.xxx.2306: . 1904833564:1904835024(1460) ack 22871132 win 6432 (DF)
>> 2003/10/01-16:54:05.330076 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904835024 win 8760 (DF)
>> 2003/10/01-16:54:05.372888 207.44.220.30.http > 161.130.204.xxx.2306: P 1904835024:1904836392(1368) ack 22871132 win 6432 (DF)
>> 2003/10/01-16:54:05.446322 161.130.204.xxx.2306 > 207.44.220.30.http: P 22871132:22871449(317) ack 1904836392 win 7392 (DF)
>> 2003/10/01-16:54:05.487111 207.44.220.30.http > 161.130.204.xxx.2306: . 1904836392:1904837852(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.487281 207.44.220.30.http > 161.130.204.xxx.2306: . 1904837852:1904839312(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.487542 207.44.220.30.http > 161.130.204.xxx.2306: . 1904839312:1904840772(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.488322 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904839312 win 8760 (DF)
>> 2003/10/01-16:54:05.526875 207.44.220.30.http > 161.130.204.xxx.2306: P 1904840772:1904842232(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.527184 207.44.220.30.http > 161.130.204.xxx.2306: . 1904842232:1904843692(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.527370 207.44.220.30.http > 161.130.204.xxx.2306: . 1904843692:1904845152(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.528025 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904842232 win 8760 (DF)
>> 2003/10/01-16:54:05.528382 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904845152 win 8760 (DF)
>> 2003/10/01-16:54:05.571528 207.44.220.30.http > 161.130.204.xxx.2306: P 1904845152:1904845237(85) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.750111 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904845237 win 8675 (DF)
>> 2003/10/01-16:54:16.288182 161.130.204.xxx.2306 > 207.44.220.30.http: P 22871449:22871911(462) ack 1904845237 win 8675 (DF)
>> 2003/10/01-16:54:16.329439 207.44.220.30.http > 161.130.204.xxx.2306: . 1904845237:1904846697(1460) ack 22871911 win 8576 (DF)
>> 2003/10/01-16:54:16.329929 207.44.220.30.http > 161.130.204.xxx.2306: . 1904846697:1904848157(1460) ack 22871911 win 8576 (DF)
>> 2003/10/01-16:54:16.330970 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848157 win 8760 (DF)
>> 2003/10/01-16:54:16.370436 207.44.220.30.http > 161.130.204.xxx.2306: P 1904848157:1904848507(350) ack 22871911 win 8576 (DF)
>> 2003/10/01-16:54:16.548259 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848507 win 8410 (DF)
>> 2003/10/01-16:54:31.778347 207.44.220.30.http > 161.130.204.xxx.2306: F 1904848507:1904848507(0) ack 22871911 win 8576 (DF)
>> 2003/10/01-16:54:31.779090 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848508 win 8410 (DF)
>> 2003/10/01-16:54:33.545827 161.130.204.xxx.2306 > 207.44.220.30.http: R 22871911:22871911(0) win 0 (DF)
>>
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: David Vincent [mailto:david.vincent at ...1925...]
>> Sent: Wednesday, October 01, 2003 5:01 PM
>> To: full-disclosure at ...1788...
>> Subject: RE: [Full-Disclosure] Mystery DNS Changes
>>
>>
>> it was said....
>>
>> ------------------
>> We have seen multiple instances where DHCP enabled workstations have 
>> had their DNS reconfigured to point to two of the three addresses 
>> listed below. Can anyone else confirm this? Incidents.org is 
>> reporting an increase in port 53 traffic over the last two days. Are 
>> we looking at the precursor to the next worm? 216.127.92.38 
>> 69.57.146.14 69.57.147.175
>> Are these entries coming in the DHCP packets or are they being set 
>> *after* DHCP is complete?  Are compromised systems acting like DHCP 
>> servers stuffing their own DNS entries into specially crafted 
>> replies? Can you post traffic dumps?
>> ------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>>  
>>
>
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
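The Qhosts-1 indicators Mike describes (resolver addresses switched to the listed IPs, and a replacement hosts file pinning dozens of search-engine names to 207.44.194.56) can be checked for mechanically on a suspect machine. The Python below is an added example written for this page, not code from anyone in the thread. It takes hosts-file text and the client's configured DNS servers as plain inputs (collecting them from the box is left to the reader), uses only the addresses quoted in the thread, and in addition flags any routable IP that five or more names are pinned to, so it also catches a variant that picks a different target; the threshold of five is an assumption, and the sample hosts text is constructed from a subset of the quoted entries.

```python
"""Triage helper for the Qhosts-style hosts-file and resolver hijack.

Added example for this page; not code from the thread or from NAI.
"""
import ipaddress
from collections import defaultdict

# Resolver addresses reported in the thread.
MALICIOUS_RESOLVERS = {"216.127.92.38", "69.57.146.14", "69.57.147.175"}
# Address the replacement hosts file pointed the search engines to.
KNOWN_REDIRECT_TARGET = "207.44.194.56"
# Distinct names pinned to one routable IP before we call it a hijack
# (threshold is an assumption chosen for this example).
PIN_THRESHOLD = 5

# Constructed sample: a subset of the hosts entries quoted in the thread.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
88.88.88.88 elite
207.44.194.56 www.google.com google.com
207.44.194.56 search.yahoo.com
207.44.194.56 search.msn.com
207.44.194.56 www.altavista.com
"""
# Constructed sample: resolvers a hit client was configured with.
SAMPLE_DNS = ["69.57.146.14", "69.57.147.175"]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Handles comments, blank lines, several names per line, and skips
    lines whose first field is not a valid IP address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line; hosts parsers ignore these too
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_pinned_names(entries, threshold=PIN_THRESHOLD):
    """Map routable IP -> sorted names, for IPs that many names point at.

    Loopback, private and unspecified targets are ignored: pinning names
    to 127.0.0.1 is a common ad-blocking practice, not a redirect.
    """
    by_ip = defaultdict(set)
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_unspecified:
            continue
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= threshold}


def triage(hosts_text, dns_servers):
    """Return a list of findings; empty means nothing from the thread matched."""
    findings = []
    bad_resolvers = sorted(set(dns_servers) & MALICIOUS_RESOLVERS)
    if bad_resolvers:
        findings.append(("malicious_resolver", bad_resolvers))
    for ip, names in find_pinned_names(parse_hosts(hosts_text)).items():
        kind = ("known_redirect_target" if ip == KNOWN_REDIRECT_TARGET
                else "suspicious_pinning")
        findings.append((kind, ip, names))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_DNS):
        print(finding)
```

On a real machine, feed it the file from the directory Mike names and the resolver list from the adapter configuration; an empty result only says the indicators from this thread were not present, since the registry changes in the NAI write-up are not covered here.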


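Paul's "alerts once per hour per machine" handling of the Malicious DNS Traffic rule, as an added Python example for this page rather than code from the poster or from Snort. It parses Snort fast-format alert lines and lets only the first alert per source host and message through in each window, so a hit client that retries DNS every few seconds produces one notification instead of hundreds. The alert lines are constructed samples; the sid 900028 on the UDP line is a placeholder, since the post does not number the udp rule, and the year is an assumed parameter because the fast format omits it.

```python
"""Per-host alert throttling over Snort fast-format alert lines.

Added example for this page; not the poster's alerting software.
"""
import re
from datetime import datetime

# Fast-format alert line: timestamp, [gid:sid:rev], message, {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts: one client retrying, a second client, then the
# first client again an hour later. sid 900028 is a placeholder for the udp rule.
SAMPLE_ALERTS = [
    "10/03-16:04:04.000000  [**] [1:900027:1] Malicious DNS Traffic [**] [Priority: 0] {TCP} 10.1.2.3:1034 -> 69.57.146.14:53",
    "10/03-16:04:05.000000  [**] [1:900028:1] Malicious DNS Traffic [**] [Priority: 0] {UDP} 10.1.2.3:1035 -> 69.57.146.14:53",
    "10/03-16:10:00.000000  [**] [1:900027:1] Malicious DNS Traffic [**] [Priority: 0] {TCP} 10.1.2.3:1036 -> 69.57.147.175:53",
    "10/03-16:12:00.000000  [**] [1:900027:1] Malicious DNS Traffic [**] [Priority: 0] {TCP} 10.1.2.4:1201 -> 216.127.92.38:53",
    "10/03-17:04:04.000000  [**] [1:900027:1] Malicious DNS Traffic [**] [Priority: 0] {TCP} 10.1.2.3:1040 -> 69.57.146.14:53",
]


def parse_alert(line, year=2003):
    """Parse one fast-format line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    # The fast format carries no year, so the caller supplies it (assumption).
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


class HostThrottle:
    """Allow one notification per (source host, message) per window."""

    def __init__(self, window_seconds=3600):
        self.window = window_seconds
        self.last = {}  # (src, msg) -> timestamp of last notification

    def should_notify(self, alert):
        key = (alert["src"], alert["msg"])
        prev = self.last.get(key)
        if prev is not None and (alert["ts"] - prev).total_seconds() < self.window:
            return False  # still inside the window: suppress
        self.last[key] = alert["ts"]
        return True


def notify_once_per_hour(lines, window_seconds=3600):
    """Return (iso timestamp, src, proto, sid) for each alert that passes the throttle."""
    throttle = HostThrottle(window_seconds)
    passed = []
    for line in lines:
        alert = parse_alert(line)
        if alert and throttle.should_notify(alert):
            passed.append((alert["ts"].isoformat(), alert["src"],
                           alert["proto"], alert["sid"]))
    return passed


if __name__ == "__main__":
    for item in notify_once_per_hour(SAMPLE_ALERTS):
        print(item)
```

Keying on the message rather than the sid means the tcp and udp rules, which carry the same msg, count as one alert per machine; key on `sid` instead if you want them reported separately. The throttle state is in memory, so a long-running collector should persist it or accept one duplicate after a restart.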




