[dns-operations] MX record scanning

Rickard Dahlstrand rickard.dahlstrand at iis.se
Thu May 12 07:17:56 UTC 2011


We have also been tracking this for a while and made a simple SQL-query that you can use with our new tool PacketQ to quickly get a list of all IPs used by this botnet from a PCAP-file. Like Igor and some of you noticed, the client doesn't set the transaction ID to a value greater than 256 and this allows us to make the following simple query.

# packetq --csv -s "select stdev(msg_id) as STDAV,src_addr,qname,count(*) as Antal from dns group by src_addr having Antal>100 and STDAV<100 order by src_addr desc " peak/07/G.ns.se-20110408-071500-em1.pcap.gz  | less

"STDAV"  ,"src_addr"       ,"qname"                  ,"Antal"
74.629547,""  ,"aupuj.se."              ,1669
73.147445,""    ,"xtade.se."              ,333
71.684573,""   ,"emxoh-sebmm.se."        ,336
72.573712,""   ,"rienm-pmok.se."         ,947
75.940259,""   ,"sicon.se."              ,185
73.950355,""    ,"csehm.se."              ,4280
75.612308,""   ,"ce.luth.se."            ,1573
74.628871,""   ,"osdmm.se."              ,3429
73.082288,""   ,"vmmre2003.se."          ,512
73.826874,""   ,"ismag.se."              ,4940
74.313821,""  ,"qcveb.se."              ,357
73.659671,"" ,"0md7sma795xj.se."       ,2964
72.658138,""  ,"topesa.se."             ,516
73.737935,""    ,"pessa.se."              ,628
72.062089,""  ,"avoye.se."              ,416
73.018824,""  ,"sunma.se."              ,1831
73.814160,""    ,"tkobrlhcjq.se."         ,4496
74.263140,""   ,"hesmu2003.se."          ,4813

PacketQ can be downloaded from https://github.com/dotse/PacketQ and we have a mailing-list set up at http://lists.iis.se/mailman/listinfo/packetq for any PacketQ-related questions.


11 maj 2011 kl. 21.53 skrev José A. Domínguez:

> On 05/11/2011 12:27 PM, Gilles Massen wrote:
>> Why has there to be an entity "in charge"? From an operational point of
>> view the CERT to whom you are affiliated would seem the right choice. It
>> might not have the resources to handle it, but should have the contacts to
>> forward it to a useful place (cf. the email from Tim, Team Cymru). From an
>> idealistic point I'd rather have law enforcement track down the
>> spammers....that is the *only* effective manner.
>> But the point I'm trying to make is that this is not a specific DNS
>> problem: DNS is one little helper in the chain. At the end of the day, the
>> bot is sending a spam email and will get caught by a spamtrap. Like the
>> others that are not working on a poisoned list.
> I agree with your statements right now. Once thing that we should try to
> get is forensics in some of the machines doing this query so we can figure
> out which botnet (or botnets) we are dealing with and whether it is just
> new service on top of some well-know botnets.
> José.
> <signature.asc>_______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list