[nsp-sec] Chatty DNS malware

Young, Beth A. youngba at more.net
Thu Jun 30 11:45:59 EDT 2011


I am not as good as Team Cymru in intelligence gathering but MOREnet has been running a blackhole DNS server for over a year.  Here is what data we have from our BHDNS research:

The majority of these do not resolve or have WHOIS records. The three that do are domains that were added to BHDNS today from NameSecure, which means they were newly registered yesterday.

okstpgpkxoyjmuym.org
nrsioyxmymfahpl.com
kovkifvxbepnnopy.info

Name Server:DNS1.NAMESECURE.COM
Name Server:DNS2.NAMESECURE.COM

Domains/malware from Namesecure.com all have had extremely low detection rates, but the ones that have been detected have been Zeus domains and they will occasionally show up on Zeus Tracker.  I have a spreadsheet with Namesecure.com data if people are interested in the other domains that have been registered there.  Email me and I will send the spreadsheet.

Beth


Beth Young, CISSP
MOREnet Security
1-800-509-6673
http://www.more.net/security





>-----Original Message-----
>From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Scott A. McIntyre
>Sent: Wednesday, June 29, 2011 10:29 PM
>To: nsp-security at puck.nether.net
>Subject: [nsp-sec] Chatty DNS malware
>
>----------- nsp-security Confidential --------
>
>Hi,
>
>Anyone recognise these types of domains?
>
>http://pastebin.com/MGnA6FTZ
>
>I'm guessing it may be the recently highly-publicised TDL-4, but don't have
>more to go on than the domain queries and some HTTP POSTs to port
>80 on those domains to the /news/ URL path.
>
>For those unable to get to pastebin for nannyware reasons:
>
>arinpvkdxzwrqi.biz
>arinpvkdxzwrqi.com
>arxyrfuqitmfnn.info
>arxyrfuqitmfnn.org
>avohwrkqkqktvns.biz
>avohwrkqkqktvns.com
>bexotcvkpoktsvqm.info
>bexotcvkpoktsvqm.org
>
>And so on.
>
>I'm seeing about 600 unique domains per hour, with the domains rarely
>repeated in queries/attempts to access after that time period.  Most of the
>domains are queried in at least two top-level domains (such as the ones
>above) but not all.
>
>Just looking for confirmation on the malware if possible; having a tough time
>getting a sample from infected systems so far.
>
>cheers,
>
>Scott A. McIntyre
>Telstra
>
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet security counter-
>measures.
>_______________________________________________
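The two observations in this thread (random-looking labels, the same label queried in two or more TLDs, hundreds of unique names per hour) are exactly what a resolver-log check can score without needing a malware sample. The following script is an added example, not code from the nsp-security list or from MOREnet's blackhole DNS; it assumes a simple constructed log format of "<epoch> <client-ip> <qname>", and the length, vowel-ratio and entropy thresholds are illustrative assumptions chosen to separate the names quoted above from ordinary hostnames, not values from either post.

```python
"""Score DNS query logs for DGA-like lookups (added example, not from the thread).

Assumed log format per line: "<epoch-seconds> <client-ip> <qname>".
Thresholds in is_dga_like() are assumptions for illustration only.
"""
import math
from collections import Counter, defaultdict

# Constructed log lines; the query names are the ones quoted in the thread,
# plus three ordinary hostnames from the thread's own URLs as a control group.
SAMPLE_LOG = """\
1309400000 10.0.0.5 arinpvkdxzwrqi.biz
1309400001 10.0.0.5 arinpvkdxzwrqi.com
1309400002 10.0.0.5 arxyrfuqitmfnn.info
1309400003 10.0.0.5 arxyrfuqitmfnn.org
1309400004 10.0.0.5 avohwrkqkqktvns.biz
1309400005 10.0.0.5 avohwrkqkqktvns.com
1309400006 10.0.0.5 bexotcvkpoktsvqm.info
1309400007 10.0.0.5 bexotcvkpoktsvqm.org
1309400008 10.0.0.5 okstpgpkxoyjmuym.org
1309400009 10.0.0.7 www.more.net
1309400010 10.0.0.7 puck.nether.net
1309400011 10.0.0.7 pastebin.com
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def vowel_ratio(label):
    """Fraction of alphabetic characters that are vowels; DGA labels run low."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def registered_label(qname):
    """Split 'www.more.net' into ('more', 'net').
    Assumption: no public-suffix handling (co.uk etc.) in this example."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return (parts[0], "")
    return (parts[-2], parts[-1])


def is_dga_like(label, min_len=12, max_vowel_ratio=0.3, min_entropy=3.0):
    """Heuristic: long, vowel-poor, high-entropy labels look machine-generated.
    Threshold values are assumptions, not figures from the thread."""
    return (len(label) >= min_len
            and vowel_ratio(label) <= max_vowel_ratio
            and shannon_entropy(label) >= min_entropy)


def parse_log(text):
    """Yield (epoch, client, qname) tuples from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield int(ts), client, qname


def analyse(text):
    """Return {label: details} for labels that are DGA-like or span 2+ TLDs."""
    tlds_by_label = defaultdict(set)
    clients_by_label = defaultdict(set)
    for _ts, client, qname in parse_log(text):
        label, tld = registered_label(qname)
        tlds_by_label[label].add(tld)
        clients_by_label[label].add(client)
    report = {}
    for label, tlds in tlds_by_label.items():
        dga = is_dga_like(label)
        multi = len(tlds) >= 2
        if dga or multi:
            report[label] = {
                "tlds": sorted(tlds),
                "dga_like": dga,
                "multi_tld": multi,
                "clients": sorted(clients_by_label[label]),
            }
    return report


if __name__ == "__main__":
    for label, info in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{label:20s} tlds={info['tlds']} dga_like={info['dga_like']} "
              f"multi_tld={info['multi_tld']} clients={info['clients']}")
```

Run against the constructed log, all five generated-looking labels are reported and the three ordinary hostnames are not; the "clients" field is what you would pivot on to find the infected hosts Scott mentions having trouble locating. In production the per-client count of distinct flagged labels per hour (the thread's "600 unique domains per hour") is the stronger signal than any single-name heuristic, and the thresholds would need tuning against your own resolver's legitimate traffic.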
