[nsp-sec] Chatty DNS malware
Scott A. McIntyre
scott at howyagoin.net
Wed Jun 29 23:29:19 EDT 2011
Hi,
Anyone recognise these types of domains?
http://pastebin.com/MGnA6FTZ
I'm guessing it may be the recently highly-publicised TDL-4, but don't
have more to go on than the domain queries and some HTTP POSTs to port
80 on those domains to the /news/ URL path.
For those unable to get to pastebin for nannyware reasons:
arinpvkdxzwrqi.biz
arinpvkdxzwrqi.com
arxyrfuqitmfnn.info
arxyrfuqitmfnn.org
avohwrkqkqktvns.biz
avohwrkqkqktvns.com
bexotcvkpoktsvqm.info
bexotcvkpoktsvqm.org
And so on.
I'm seeing about 600 unique domains per hour, with the domains rarely
repeated in queries/attempts to access after that time period. Most of
the domains are queried in at least two top-level domains (such as the
ones above) but not all.
Just looking for confirmation on the malware if possible; having a tough
time getting a sample from infected systems so far.
cheers,
Scott A. McIntyre
Telstra
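A defender-side heuristic for the pattern described above (long random-looking labels, each queried under two TLDs, hundreds per hour), as an added example that is not part of the original message. The log format, the thresholds and the naive two-label suffix split are assumptions; the sample log lines are constructed from the domains quoted in the post.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <client> <qname> <qtype>" (assumed format).
SAMPLE_LOG = """\
2011-06-29T23:01:02 10.1.2.3 arinpvkdxzwrqi.biz A
2011-06-29T23:01:02 10.1.2.3 arinpvkdxzwrqi.com A
2011-06-29T23:01:05 10.1.2.3 arxyrfuqitmfnn.info A
2011-06-29T23:01:05 10.1.2.3 arxyrfuqitmfnn.org A
2011-06-29T23:01:09 10.1.2.4 www.telstra.com A
2011-06-29T23:01:10 10.1.2.4 mail.google.com A
2011-06-29T23:01:11 10.1.2.3 bexotcvkpoktsvqm.info A
2011-06-29T23:01:11 10.1.2.3 bexotcvkpoktsvqm.org A
"""

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits of character entropy; generated labels tend to score higher than words."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def registrable_label(qname):
    """Split a query name into (second-level label, tld).
    Hypothetical simplification: no public-suffix list, so co.uk-style suffixes are not handled."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]

def looks_generated(label, min_len=12, max_vowel_ratio=0.3, min_entropy=3.0):
    """Heuristic: long, vowel-poor, high-entropy labels. Thresholds are assumptions and
    will false-positive on some legitimate CDN or tracking hostnames; tune before alerting."""
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return (len(label) >= min_len and vowel_ratio <= max_vowel_ratio
            and shannon_entropy(label) >= min_entropy)

def flag_dga_labels(log_text, min_tlds=2):
    """Return {label: sorted TLDs} for generated-looking labels seen under >= min_tlds TLDs,
    mirroring the post's observation that the same label is queried in .biz/.com or .info/.org."""
    tlds_by_label = defaultdict(set)
    for line in log_text.splitlines():
        _ts, _client, qname, _qtype = line.split()
        label, tld = registrable_label(qname)
        tlds_by_label[label].add(tld)
    return {label: sorted(tlds) for label, tlds in tlds_by_label.items()
            if looks_generated(label) and len(tlds) >= min_tlds}

if __name__ == "__main__":
    for label, tlds in flag_dga_labels(SAMPLE_LOG).items():
        print(f"suspect label {label} seen in TLDs {tlds}")
```

Pair the label check with a per-client rate (the post reports roughly 600 unique domains per hour) before paging anyone, since either signal alone is noisy.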