[dns-operations] Lots of queries for TXT records?
Rob Thomas
robt at cymru.com
Wed Apr 8 18:51:18 UTC 2009
Hi, team.
Some additional insight, shared on another list in response to a similar
note about deepholeforyou.info.
Note that the IP to which both deepholeforyou.info and fworld.net
resolve, 72.249.47.91, has hosted badness in the past. This may not be
related, of course.
AS    | IP           | BGP Prefix    | CC | Registry | Allocated  | AS Name
30496 | 72.249.47.91 | 72.249.0.0/18 | US | arin     | 2006-08-25 | COLO4 - Colo4Dallas LP
2009-02-28 23:14:57 UTC 72.249.47.91 TCP 80 httpbot www.grci.info
[ ... ]
2009-03-14 23:09:03 UTC 72.249.47.91 TCP 80 httpbot www.grci.info
And:
timestamp           | ip           | asn   | category | comment
--------------------- -------------- ------- ---------- -----------------------------------------------------
2009-01-06 10:31:09 | 72.249.47.91 | 30496 | botnetcc | category: botweb url: http://reg1.info/log.php
2009-01-09 19:41:47 | 72.249.47.91 | 30496 | botnetcc | category: botweb url: http://www.grci.info/bsrv.php
2009-01-09 19:41:47 | 72.249.47.91 | 30496 | botnetcc | category: botweb url: http://grci.info/dat7.php
2009-01-13 21:50:16 | 72.249.47.91 | 30496 | botnetcc | category: botweb url: http://grci.info/dat7.php
2009-01-13 21:50:16 | 72.249.47.91 | 30496 | botnetcc | category: botweb url: http://www.grci.info/bsrv.php
Other DNS RRs include:
timestamp | dns_name | ip
--------------------- --------------------- --------------
2009-04-03 05:45:07 | bradys.info | 72.249.47.91
2009-04-03 04:54:48 | deepholeforyou.info | 72.249.47.91
2009-04-03 04:53:15 | fworld.net | 72.249.47.91
2009-04-02 23:58:18 | pernas.info | 72.249.47.91
2009-04-03 01:53:19 | www.cheapnames.com | 72.249.47.91
2009-03-01 23:25:07 | mail.fworld.net | 72.249.47.91
2009-03-20 02:10:06 | miranda.lapierre.info | 72.249.47.91
We see six samples in our malware menagerie that point to 72.249.47.91:
timestamp           | sha1                                     | md5                              | dst_ip       | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- -------------- ---------- ---------- ------
2009-01-09 19:41:47 | 078427dc825049b36d2cbc4016f94f2e55ef271c | 06d5da22f8e834d2e19c9b086a6763a8 | 72.249.47.91 | 80       | 6        | 1429
2009-01-13 21:50:16 | 338c029aae44bfe62a9e34433149bc13901f77da | 82a365b7a90b47d9cf0f2c9cd63c3ad1 | 72.249.47.91 | 80       | 6        | 2501
2009-03-21 21:53:13 | abbe33d3a622c7130917d08da3aa14054016cf51 | 88c64f7b421b0acbf5ebe47ba72cd62a | 72.249.47.91 | 80       | 6        |
2009-01-05 10:31:21 | c0bc9bbb3204c3b11dea60ad7f98e5841f19d46a | 4159a4106863fa1021174390f6170885 | 72.249.47.91 | 80       | 6        |
2009-03-26 02:53:03 | c63f166e2a1eddd2564137a28341f1bc4f29c362 | 33969def5348fe43a9d6bf25f770d031 | 72.249.47.91 | 80       | 6        |
2009-03-31 22:52:24 | fb75ee11ded9cedf0eb96f106d8c4a5ba5748e69 | 3cd9db318c9ce70995950e4d21ea59a9 | 72.249.47.91 | 80       | 6        |
The web server type string is "NOYB," which I presume stands for "None
Of Your Business." :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
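The post above pivots one IP through four data sets (IP-to-ASN, C2 sightings, passive DNS and malware sample telemetry) and then cautions that the co-located domains "may not be related". The script below is an added example, not code from the post or from Team Cymru: it parses the pipe-delimited layout used by the whois.cymru.com IP-to-ASN service and by the tables in the mail, pulls every observation for one IP into a single report, and adds the check a practitioner wants before treating a neighbouring address as related: whether it even falls inside the same announced BGP prefix. The sample rows are constructed from the figures quoted in the mail plus one unrelated control row (192.0.2.10); nothing is fetched from the network.

```python
"""Pivot a suspect IP through ASN, C2, passive DNS and malware-sample data.

Added example, not code from the original post or from Team Cymru. Rows are
constructed from the figures quoted in the mail; the parser follows the
pipe-delimited layout of whois.cymru.com output and of the mail's tables.
"""
import ipaddress
from datetime import datetime

# Constructed sample: Team Cymru IP-to-ASN verbose output (header + one row).
CYMRU_WHOIS = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
30496   | 72.249.47.91     | 72.249.0.0/18       | US | arin     | 2006-08-25 | COLO4 - Colo4Dallas LP
"""

# Constructed sample: passive DNS rows; the last row is an unrelated control.
PDNS = """\
timestamp | dns_name | ip
2009-04-03 05:45:07 | bradys.info | 72.249.47.91
2009-04-03 04:54:48 | deepholeforyou.info | 72.249.47.91
2009-04-03 04:53:15 | fworld.net | 72.249.47.91
2009-03-01 23:25:07 | mail.fworld.net | 72.249.47.91
2009-03-20 02:10:06 | miranda.lapierre.info | 72.249.47.91
2009-04-01 12:00:00 | unrelated.example | 192.0.2.10
"""

# Constructed sample: C2 sightings.
C2 = """\
timestamp | ip | asn | category | comment
2009-01-06 10:31:09 | 72.249.47.91 | 30496 | botnetcc | category: botweb url: http://reg1.info/log.php
2009-01-09 19:41:47 | 72.249.47.91 | 30496 | botnetcc | category: botweb url: http://www.grci.info/bsrv.php
"""

# Constructed sample: malware samples that contacted the IP (size may be empty).
SAMPLES = """\
timestamp | sha1 | md5 | dst_ip | dst_port | protocol | size
2009-01-09 19:41:47 | 078427dc825049b36d2cbc4016f94f2e55ef271c | 06d5da22f8e834d2e19c9b086a6763a8 | 72.249.47.91 | 80 | 6 | 1429
2009-03-21 21:53:13 | abbe33d3a622c7130917d08da3aa14054016cf51 | 88c64f7b421b0acbf5ebe47ba72cd62a | 72.249.47.91 | 80 | 6 |
"""


def parse_pipe_table(text):
    """Parse a pipe-delimited table whose first line is the header.

    Header names are lower-cased with spaces replaced by underscores
    ('BGP Prefix' -> 'bgp_prefix'); a trailing empty cell stays ''.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip().lower().replace(" ", "_") for h in lines[0].split("|")]
    return [dict(zip(header, [c.strip() for c in ln.split("|")])) for ln in lines[1:]]


def url_from_comment(comment):
    """Pull the URL out of a 'category: botweb url: http://...' comment."""
    return comment.split("url:", 1)[1].strip() if "url:" in comment else comment


def pivot(ip, whois_text=CYMRU_WHOIS, pdns_text=PDNS, c2_text=C2, samples_text=SAMPLES):
    """Collect every observation the four data sets hold for one IP."""
    whois = next((r for r in parse_pipe_table(whois_text) if r["ip"] == ip), {})
    c2_rows = [r for r in parse_pipe_table(c2_text) if r["ip"] == ip]
    sample_rows = [r for r in parse_pipe_table(samples_text) if r["dst_ip"] == ip]
    stamps = sorted(datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
                    for r in c2_rows + sample_rows)
    return {
        "ip": ip,
        "asn": whois.get("as"),
        "bgp_prefix": whois.get("bgp_prefix"),
        "as_name": whois.get("as_name"),
        "domains": sorted({r["dns_name"] for r in parse_pipe_table(pdns_text) if r["ip"] == ip}),
        "c2_urls": sorted({url_from_comment(r["comment"]) for r in c2_rows}),
        "sha1": sorted(r["sha1"] for r in sample_rows),
        "first_seen": stamps[0].strftime("%Y-%m-%d %H:%M:%S") if stamps else None,
    }


def same_bgp_prefix(candidate_ip, report):
    """True if candidate_ip lies inside the pivot IP's announced BGP prefix.

    Weak evidence on its own: a /18 at a colo provider holds many unrelated
    tenants, so a hit is a lead to confirm in passive DNS, not attribution.
    """
    if not report["bgp_prefix"]:
        return False
    return ipaddress.ip_address(candidate_ip) in ipaddress.ip_network(report["bgp_prefix"])


if __name__ == "__main__":
    report = pivot("72.249.47.91")
    for key, value in report.items():
        print(f"{key:>11}: {value}")
    print("72.249.63.1 in same prefix:", same_bgp_prefix("72.249.63.1", report))
```

Running it prints AS30496 / 72.249.0.0/18, the five co-hosted names, the two C2 URLs, the two SHA-1s and a first-seen of 2009-01-06; the control IP yields an empty report. The prefix check is deliberately a separate function so that a "same /18" hit is never folded into the report as if it were a confirmed relationship.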