[nsp-sec] FW: Storm worm changing DNS resolver settings on victim system
Barry Greene (bgreene)
bgreene at cisco.com
Thu Mar 13 10:36:27 EDT 2008
> * John Kristoff:
>
> >> What would the next consequence be in the chain of consequences?
> >> Jump to a different port?
> >
> > Difficult to say. Would be hard for DNS to simply jump to another
> > port though.
>
> For Zlob, it's trivial, see <http://support.microsoft.com/kb/158474>,
> under "DnsServerPort". MacOS X supports "port" in
> /etc/resolv.conf, so it's equally straightforward. It's
> probably a good idea to do this right now because it makes
> cleaning up more difficult.
>
> So blocking DNS requests to non-ISP servers doesn't make that
> much sense, but I'm relatively sure it will become standard
> industry practice on consumer accounts. 8-/
If you redirect port 53 to your DNS infrastructure - the Miscreants
counter with changing the ports - you then have a signature to look for
in Netflow - watching for all DNS patterns which do not match port 53
exiting your network.
If you have a pattern and match, you then know which DNS servers the
miscreants have compromised (or proxy boxes). That gives you a clean-up
target.
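An added example, not code from the thread, of the NetFlow signature described above: it runs over constructed flow records and reports external hosts that several internal clients reach with DNS-sized UDP flows, whether on port 53 (bypassing the ISP resolvers) or on a moved port such as the DnsServerPort / resolv.conf "port" case. The ISP resolver addresses, the internal prefix and the thresholds are assumptions.

```python
"""Flag DNS-like outbound UDP flows that do not use the ISP resolvers.

A resolver moved to a non-standard port still looks like DNS in flow data:
small UDP datagrams, one or two packets per flow, and many internal clients
converging on the same external host:port.  All records are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

ISP_RESOLVERS = {"198.51.100.53", "198.51.100.54"}  # assumed ISP resolver IPs
INTERNAL = ip_network("10.0.0.0/8")                 # assumed customer space
MAX_DNS_BYTES_PER_PKT = 512   # classic UDP DNS message size limit
MIN_CLIENTS = 3               # distinct clients before calling it a resolver

# (src_ip, dst_ip, proto, src_port, dst_port, packets, bytes) -- constructed
FLOWS = [
    ("10.1.1.5",  "198.51.100.53", 17, 50211, 53,   1, 64),     # normal
    ("10.1.1.5",  "203.0.113.9",   17, 51022, 5353, 1, 70),     # moved port
    ("10.1.1.6",  "203.0.113.9",   17, 51023, 5353, 1, 66),
    ("10.1.1.7",  "203.0.113.9",   17, 51024, 5353, 2, 140),
    ("10.1.1.8",  "203.0.113.9",   17, 33000, 53,   1, 72),     # non-ISP, 53
    ("10.1.1.9",  "203.0.113.9",   17, 33001, 53,   1, 68),
    ("10.1.1.10", "203.0.113.9",   17, 33002, 53,   1, 61),
    ("10.1.1.11", "203.0.113.40",  17, 40000, 443,  30, 42000), # not DNS-like
    ("10.1.1.12", "203.0.113.41",  6,  40001, 8080, 12, 9000),  # TCP, ignored
]

def dns_like(flow):
    """Client-to-outside UDP flow of one or two small datagrams."""
    src, dst, proto, sport, dport, pkts, byts = flow
    if proto != 17 or pkts == 0:
        return False
    if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
        return False
    return pkts <= 2 and byts / pkts <= MAX_DNS_BYTES_PER_PKT

def suspect_resolvers(flows):
    """Map (dst_ip, dst_port) -> distinct client count for external hosts
    that enough clients talk to with DNS-sized flows, ISP resolvers excluded."""
    clients = defaultdict(set)
    for f in flows:
        if dns_like(f) and f[1] not in ISP_RESOLVERS:
            clients[(f[1], f[4])].add(f[0])
    return {k: len(v) for k, v in clients.items() if len(v) >= MIN_CLIENTS}

if __name__ == "__main__":
    for (ip, port), n in sorted(suspect_resolvers(FLOWS).items()):
        print(f"{ip}:{port}  {n} clients")  # candidate clean-up targets
```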