[dns-operations] MX record scanning
Jake Zack
jake.zack at cira.ca
Mon May 16 15:26:39 UTC 2011
The "spambot killer" doesn't appear to be randomly generating domains
in real-time, or if it does, it appears to be doing a fairly lousy job
at randomness.
But if this was static content sitting on a webpage somewhere,
shouldn't I be able to find it via Google (isn't that how the botnet
runner would've found it?).
Take these domains, for instance:
8zyhiupjnkt.ca x12 queries by 8 separate IPs.
fviqfdut7o.ca x12 queries by 3 separate IPs.
q1x83faa55lv.ca x12 queries by 2 separate IPs.
e9b6iykd1yn.ca x12 queries by 2 separate IPs.
The IP address "41.191.111.18" was involved in each of the above, no
other commonality.
kx0xgtlu.ca x12 queries by 5 separate IPs.
e3j3kcv2p46.ca x12 queries by 3 separate IPs.
k1bfv00ygbp0.ca x12 queries by 2 separate IPs.
The IP address "2.133.215.113" was involved in each of the above, no
other commonality.
aqwuf-guohu.ca x12 queries by 7 separate IPs.
wmt0isw5pv2z.ca x12 queries by 5 separate IPs.
kauoc97tivd.ca x12 queries by 5 separate IPs.
The IP address "213.142.200.131" was involved in each of the above, no
other commonality.
And if it's so bad at generating randomness, why is the above so
inconsistent? How can 4 different IPs query the same random junk in
one case, but not in future cases?
Should we consider creating a task force along the lines of the
Conficker Working Group to try to figure this all out?
-Jacob Zack
DNS Administrator - CIRA (.CA TLD)
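The grouping the post describes (per queried name, count the queries and the distinct client IPs, then look for a client that is common to a whole cluster of names) is the kind of analysis a TLD operator can script over query logs. The following is an added example, not code from the poster or from CIRA; it assumes a constructed, space-separated log format of timestamp, client IP, qname and qtype, and uses a handful of made-up sample lines built from the names and addresses mentioned in the post.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample query log (timestamp, client IP, qname, qtype).
# Illustrative only; this is not real traffic from the .ca servers.
SAMPLE_LOG = """\
2011-05-16T15:01:02Z 41.191.111.18 8zyhiupjnkt.ca MX
2011-05-16T15:01:03Z 41.191.111.18 fviqfdut7o.ca MX
2011-05-16T15:01:04Z 41.191.111.18 q1x83faa55lv.ca MX
2011-05-16T15:01:05Z 198.51.100.7 8zyhiupjnkt.ca MX
2011-05-16T15:01:06Z 198.51.100.7 8zyhiupjnkt.ca MX
2011-05-16T15:01:07Z 203.0.113.9 8zyhiupjnkt.ca MX
2011-05-16T15:01:08Z 203.0.113.9 fviqfdut7o.ca MX
2011-05-16T15:01:09Z 2.133.215.113 kx0xgtlu.ca MX
2011-05-16T15:01:10Z 2.133.215.113 e3j3kcv2p46.ca MX
2011-05-16T15:01:11Z 198.51.100.20 kx0xgtlu.ca MX
2011-05-16T15:01:12Z 192.0.2.5 example.ca A
"""

Record = Tuple[str, str, str, str]


def parse_log(text: str) -> List[Record]:
    """Parse the assumed 4-column log format; malformed lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        # Normalise the name so trailing dots and case do not split a group.
        records.append((ts, client, qname.lower().rstrip("."), qtype.upper()))
    return records


def aggregate(records: List[Record], qtype: str = "MX") -> Dict[str, Tuple[int, Set[str]]]:
    """Per qname: (query count, set of distinct client IPs), restricted to one qtype."""
    counts: Dict[str, int] = defaultdict(int)
    clients: Dict[str, Set[str]] = defaultdict(set)
    for _, client, qname, qt in records:
        if qt != qtype:
            continue
        counts[qname] += 1
        clients[qname].add(client)
    return {q: (counts[q], clients[q]) for q in counts}


def common_clients(stats: Dict[str, Tuple[int, Set[str]]], qnames: List[str]) -> Set[str]:
    """Client IPs that appear in every one of the given names (the 'one IP in common' check)."""
    sets = [stats[q][1] for q in qnames if q in stats]
    if not sets:
        return set()
    return set.intersection(*sets)


def cluster_by_client(stats: Dict[str, Tuple[int, Set[str]]]) -> Dict[str, Set[str]]:
    """Invert the table: which names each client queried, so a tying client stands out."""
    by_client: Dict[str, Set[str]] = defaultdict(set)
    for qname, (_, clients) in stats.items():
        for c in clients:
            by_client[c].add(qname)
    return by_client


if __name__ == "__main__":
    stats = aggregate(parse_log(SAMPLE_LOG))
    for qname, (n, ips) in sorted(stats.items(), key=lambda kv: -kv[1][0]):
        print(f"{qname} x{n} queries by {len(ips)} separate IPs")
    group = ["8zyhiupjnkt.ca", "fviqfdut7o.ca", "q1x83faa55lv.ca"]
    print("common to group:", common_clients(stats, group))
    for client, names in cluster_by_client(stats).items():
        if len(names) > 1:
            print(f"{client} ties together {len(names)} names")
```

Running it on a real log is a matter of replacing SAMPLE_LOG with the server's own query log in whatever column order it uses; the inversion in cluster_by_client is what surfaces the single address shared across otherwise unrelated names without having to pick the groups by hand.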