[nsp-sec] Chatty DNS malware

Young, Beth A. youngba at more.net
Fri Jul 1 11:24:49 EDT 2011


While Kris was researching domains today, she found another pastebin page that looks to be related to this same group.

http://pastebin.com/K4HkCvjE

Beth (and Kris)
MOREnet Security

>>Hi,
>>
>>Anyone recognise these types of domains?
>>
>>http://pastebin.com/MGnA6FTZ
>>
>>I'm guessing it may be the recently highly-publicised TDL-4, but don't
>>have more to go on than the domain queries and some HTTP POSTs to port
>>80 on those domains to the /news/ URL path.
>>
>>For those unable to get to pastebin for nannyware reasons:
>>
>>arinpvkdxzwrqi.biz
>>arinpvkdxzwrqi.com
>>arxyrfuqitmfnn.info
>>arxyrfuqitmfnn.org
>>avohwrkqkqktvns.biz
>>avohwrkqkqktvns.com
>>bexotcvkpoktsvqm.info
>>bexotcvkpoktsvqm.org
>>
>>And so on.
>>
>>I'm seeing about 600 unique domains per hour, with the domains rarely
>>repeated in queries/attempts to access after that time period.  Most of
>>the domains are queried in at least two top-level domains (such as the
>>ones above) but not all.
>>
>>Just looking for confirmation on the malware if possible; having a
>>tough time getting a sample from infected systems so far.
>>
>>cheers,
>>
>>Scott A. McIntyre
>>Telstra
>>
>>
>>
>>_______________________________________________
>>nsp-security mailing list
>>nsp-security at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/nsp-security
>>
>>Please do not Forward, CC, or BCC this E-mail outside of the
>>nsp-security community. Confidentiality is essential for effective
>>Internet security counter- measures.
>>_______________________________________________
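The pattern Scott describes (hundreds of never-repeated, random-looking second-level labels per hour, most of them queried under two TLDs) is the shape a resolver-log triage script can key on. The script below is an added example written for this archive page; it is not code from either poster or from any tool they mention. It assumes a constructed, simplified log format of "timestamp client qname" per line (adapt the regex to your resolver's real format), uses the domains quoted in the thread plus a few ordinary names as constructed sample input, and splits qname into second-level label and TLD naively, without a public-suffix list. The length, entropy and vowel-ratio thresholds in looks_generated are assumptions tuned to this family's 14-16 letter, vowel-poor labels, not general DGA cut-offs.

```python
"""DGA-style domain triage over resolver query logs.

Added example for the nsp-sec archive page, not code from the thread.
Log format, thresholds and the SLD/TLD split are all assumptions.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log: "<ISO timestamp> <client IP> <qname>" per line.
# The random-looking names are the ones quoted in the thread.
SAMPLE_LOG = """\
2011-07-01T10:03:11Z 10.1.2.3 arinpvkdxzwrqi.biz
2011-07-01T10:03:12Z 10.1.2.3 arinpvkdxzwrqi.com
2011-07-01T10:03:20Z 10.1.2.3 arxyrfuqitmfnn.info
2011-07-01T10:03:21Z 10.1.2.3 arxyrfuqitmfnn.org
2011-07-01T10:04:02Z 10.1.2.3 avohwrkqkqktvns.biz
2011-07-01T10:04:02Z 10.1.2.3 avohwrkqkqktvns.com
2011-07-01T10:05:40Z 10.1.2.3 bexotcvkpoktsvqm.info
2011-07-01T10:05:41Z 10.1.2.3 bexotcvkpoktsvqm.org
2011-07-01T10:06:00Z 10.1.2.9 www.more.net
2011-07-01T10:06:05Z 10.1.2.9 puck.nether.net
2011-07-01T10:07:30Z 10.1.2.9 pastebin.com
"""

# Assumed log layout; replace with the regex for your resolver's format.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

VOWELS = set("aeiou")


def parse_log(text):
    """Yield (hour_bucket, client, qname) from the constructed log format.

    hour_bucket is the first 13 characters of the ISO timestamp (YYYY-MM-DDTHH),
    which is enough to compute the per-hour unique-domain rate from the thread.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines rather than abort
        qname = m.group("qname").lower().rstrip(".")
        yield m.group("ts")[:13], m.group("client"), qname


def split_sld_tld(qname):
    """Return (second-level label, TLD). Naive split: no public-suffix list,
    so names under e.g. co.uk would need a proper suffix list in production."""
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, ""
    return labels[-2], labels[-1]


def shannon_entropy(s):
    """Bits per character of the label's letter distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label):
    """Heuristic for the family in the thread: long, high-entropy, vowel-poor.

    Thresholds are assumptions; tune them against your own baseline traffic.
    """
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.35


def triage(text):
    """Return (unique suspicious qnames per hour, labels seen under 2+ TLDs).

    The first result is what you compare against a rate threshold (the thread
    reports ~600/hour); the second captures the "same label in two TLDs" habit.
    """
    per_hour = defaultdict(set)
    tlds_by_label = defaultdict(set)
    for hour, _client, qname in parse_log(text):
        sld, tld = split_sld_tld(qname)
        if looks_generated(sld):
            per_hour[hour].add(qname)
            tlds_by_label[sld].add(tld)
    multi_tld = {lbl: sorted(t) for lbl, t in tlds_by_label.items() if len(t) >= 2}
    return {h: len(names) for h, names in per_hour.items()}, multi_tld


if __name__ == "__main__":
    hours, multi = triage(SAMPLE_LOG)
    for hour, count in sorted(hours.items()):
        print(f"{hour}: {count} unique suspicious domains")
    for label, tlds in sorted(multi.items()):
        print(f"{label} seen under {', '.join(tlds)}")
```

On real logs, feed per-client counts rather than a global one: a single host issuing hundreds of such names per hour is the infection signal, while the same names spread thinly across thousands of clients is more likely a sinkhole or a blocklist being resolved. The vowel-ratio test is what keeps long legitimate labels such as googleusercontent out of the suspicious set; pure entropy would flag them.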