[nsp-sec] FW: Storm worm changing DNS resolver settings on victim system
Rob Thomas
robt at cymru.com
Wed Mar 12 13:37:06 EDT 2008
Hi, Lawrence.
> Name: ns2.iprevolution.co.jp
> Address: 61.115.192.18
Yeah, looks like that one arrived at least as early as 2008-03-07
03:18:57 UTC.
timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
2008-03-07 03:18:57 | d5f8625d6db74ca88c92a8c7062c6be6bab54aa6 | a803ceaf84ad988783fc9d7440437350 | 61.115.192.18 | 53       | 6        | 514
Ah, I see references to it as far back as 2008-03-05 02:08:01 UTC.
It has a unique icon of a dove in a blue circle. Looks like the
original name of the sample we recovered was fg67p3a1.exe, not that
this is useful. Perhaps it's doing some testing of the DNS switch,
but it queries for the following DNS RRs:
time.windows.com
docs.google.com
It's made some queries for the botnet DNS RR billing.p3n0r.com, though
probably on behalf of compromised systems (being open to recursion
and all).
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");
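An added example, not part of Rob's message and not Team Cymru's tooling: a small Python detector that reads pipe-delimited DNS flow records like the table quoted above and flags any host that sends DNS traffic to a resolver outside an approved set (calling out the 61.115.192.18 resolver named in the thread specifically) or that looks up the botnet RR billing.p3n0r.com. The approved-resolver addresses and the sample records are constructed assumptions; only the resolver IP and the botnet RR come from the post.

```python
"""Flag hosts using an unapproved DNS resolver or querying a known botnet RR.

Added example: not code from the original post or from Team Cymru.
The log lines and the APPROVED_RESOLVERS set are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Taken from the post: the resolver Storm pointed victims at, and the botnet RR.
ROGUE_RESOLVERS = {ipaddress.ip_address("61.115.192.18")}
BOTNET_RRS = {"billing.p3n0r.com"}

# Assumption: the organisation's sanctioned recursive resolvers (hypothetical addresses).
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Constructed records: timestamp | src_ip | dst_ip | dst_port | ip_proto | qname
# (qname is "-" for non-DNS flows). Not real capture data.
SAMPLE_LOG = """\
2008-03-07 03:18:57 | 192.0.2.10 | 61.115.192.18 | 53  | 17 | time.windows.com
2008-03-07 03:18:58 | 192.0.2.10 | 61.115.192.18 | 53  | 17 | docs.google.com
2008-03-07 03:19:02 | 192.0.2.11 | 10.0.0.53     | 53  | 17 | www.example.com
2008-03-07 03:19:05 | 192.0.2.12 | 10.0.0.53     | 53  | 17 | billing.p3n0r.com
2008-03-07 03:19:09 | 192.0.2.13 | 198.51.100.7  | 443 | 6  | -
2008-03-07 03:19:12 | 192.0.2.14 | 61.115.192.18 | 53  | 6  | billing.p3n0r.com
"""


def parse_line(line):
    """Split one pipe-delimited record into a dict; return None if malformed."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        return None
    ts, src, dst, port, proto, qname = fields
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": int(proto),            # 6 = TCP, 17 = UDP; recorded but not filtered on
        "qname": qname.rstrip(".").lower(),
    }


def analyse(log_text):
    """Return {src_ip: [finding, ...]} for hosts with suspicious DNS activity.

    Two checks are applied to every flow with destination port 53:
      1. destination not in APPROVED_RESOLVERS (tagged specially if it is a
         resolver the post associates with Storm);
      2. queried name is a known botnet RR, regardless of which resolver was used.
    Findings are de-duplicated per host so a chatty host does not flood the output.
    """
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["port"] != 53:
            continue
        src = str(rec["src"])
        if rec["dst"] not in APPROVED_RESOLVERS:
            tag = ("known Storm resolver" if rec["dst"] in ROGUE_RESOLVERS
                   else "unapproved resolver")
            msg = f"{tag} {rec['dst']}"
            if msg not in findings[src]:
                findings[src].append(msg)
        if rec["qname"] in BOTNET_RRS:
            msg = f"botnet RR {rec['qname']}"
            if msg not in findings[src]:
                findings[src].append(msg)
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(analyse(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(reasons))
```

The second check is deliberately independent of the resolver check: as Rob notes, the rogue resolver is open to recursion, so a query for the botnet RR can arrive via any resolver, and a host that has not had its settings changed can still be worth a look if it resolves the botnet name.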