[nsp-sec] FW: Storm worm changing DNS resolver settings on victim system

Lawrence Baldwin baldwinl at mynetwatchman.com
Wed Mar 12 12:27:02 EDT 2008


FYI:

This may not be particularly new, but Philip was analyzing a Storm binary
we received on Feb 12th:

SHA1: 042038D4315DDBBBA5874BF0298430601B61990B

It changes the victim's DNS resolver settings from DHCP determined to a
hard-coded IP which appears to be just one of the gazillions of open
recursive DNS servers on the net, for example:

Name:    ns2.iprevolution.co.jp
Address:  61.115.192.18

Note: We've seen many different .jp DNS servers used by storm.

We presume this is NOT to hijack and/or play games with DNS responses (e.g.
a la ImHoster/Intercage), but rather to bypass any malware detection and
botnet command/control DNS blackholing the victim's service provider might be
doing.  For example, an ISP could monitor their DNS resolvers for high rates
of MX record lookups and use that to detect spam trojans (such as Storm).
Additionally a provider could return NXDOMAIN in response to DNS queries by
infected systems for known C&C domain names.

This is yet another reason why open recursive DNS servers are wholly
irresponsible.

Given the prevalence of Storm I'm guessing this is going to manifest itself
to a lot of customer care calls as the open recursive servers set by Storm
get locked down (or not).

Regards,

Lawrence Baldwin
Chief Forensics Officer
myNetWatchman.com
Atlanta, GA
+1.678.624.0924


-----Original Message-----
From: Philip Sloss [mailto:psloss at mynetwatchman.com]
Sent: Wednesday, March 12, 2008 11:40
To: Lawrence Baldwin
Subject: Storm worm changing DNS

I'm probably behind the curve on this, but hadn't seen it.  The sample that
is running here -- hash ID = 1273549 -- is changing the Windows DNS
settings; it was set to be configured as a DHCP option, but now the primary
DNS is set to IP address = 61.115.192.18

For reference I just resubmitted; submissionID = 66331.

Going back to my logs from about three weeks ago, I see that the infected
desktop was making all its DNS MX lookups.  The timeframe was 19 Feb 2008 at
about 8 am local (GMT-5 at the time); that IP address was 194.6.128.4.

Feel free to ping Brian on this, as I know he's been documenting
Storm...wouldn't be surprised if he already knows about this...

Philip

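Both messages above describe the same two signals: an infected host pointed at a foreign resolver (so the ISP's resolver-side monitoring no longer sees it) and a burst of MX lookups typical of a spam trojan. The script below is an added example, not code from the list posters or myNetWatchman; it assumes the ISP has per-query records of port-53 traffic at its edge (constructed sample lines, hypothetical approved-resolver set) and flags both conditions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not real logs): one DNS query per line as seen
# at the ISP edge, with the client, the resolver it was sent to, type and name.
SAMPLE_LOG = """\
client=10.1.1.7 resolver=61.115.192.18 type=MX name=aol.com
client=10.1.1.7 resolver=61.115.192.18 type=MX name=hotmail.com
client=10.1.1.7 resolver=61.115.192.18 type=MX name=yahoo.com
client=10.1.1.7 resolver=61.115.192.18 type=MX name=gmail.com
client=10.1.1.7 resolver=61.115.192.18 type=A name=example.org
client=10.1.1.9 resolver=10.0.0.53 type=A name=www.example.com
client=10.1.1.9 resolver=10.0.0.53 type=AAAA name=www.example.com
client=10.1.1.9 resolver=10.0.0.53 type=MX name=example.com
client=10.1.1.9 resolver=10.0.0.53 type=A name=cdn.example.net
"""

# Hypothetical ISP resolvers (assumed); queries sent anywhere else are a
# sign the host's resolver setting was replaced, as in the post.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

LINE_RE = re.compile(r"client=(\S+) resolver=(\S+) type=(\S+) name=(\S+)")

def parse_log(text):
    """Return (client, resolver, qtype, qname) tuples; malformed lines are skipped."""
    return [m.groups() for m in map(LINE_RE.search, text.splitlines()) if m]

def resolver_bypass(records, approved=APPROVED_RESOLVERS):
    """Map each client that queried a non-approved resolver to the resolvers it used."""
    seen = defaultdict(set)
    for client, resolver, _, _ in records:
        if resolver not in approved:
            seen[client].add(resolver)
    return {c: sorted(r) for c, r in seen.items()}

def mx_heavy_clients(records, min_queries=4, mx_share=0.5):
    """Clients whose MX lookups are an abnormally large share of their queries,
    the spam-trojan signal the post suggests an ISP could watch for."""
    total, mx = Counter(), Counter()
    for client, _, qtype, _ in records:
        total[client] += 1
        if qtype.upper() == "MX":
            mx[client] += 1
    return {c: round(mx[c] / total[c], 2) for c in total
            if total[c] >= min_queries and mx[c] / total[c] >= mx_share}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("resolver bypass:", resolver_bypass(recs))
    print("MX-heavy clients:", mx_heavy_clients(recs))
```

Counting MX share per client rather than raw MX volume keeps a legitimate mail server (many queries, modest MX share) out of the hit list while the single-purpose spam host stands out.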