Malicious-DNS

Kevin Darcy kevin.darcy at fcagroup.com
Mon Feb 18 20:05:44 UTC 2019


Another approach is to define a "fake" vitaminc.pro domain, point it at an
internal webserver (assuming you have a spare, or can spin one up for the
purpose), and see what clients are hitting it.

Of course, that assumes the communication is web-based. If it's some other
protocol(s), you'd need to monitor that protocol, or those protocols, on
the "decoy" server. One would need to know more about the behavior of the
malware involved.

Speaking of which, Virustotal doesn't seem to think there's anything
suspicious about vitaminc.pro. Haven't checked my other sources of Threat
Intelligence, but usually there's *something* on VT if a domain is being
used as a C&C...


             - Kevin


On Mon, Feb 18, 2019 at 9:24 AM Tony Finch <dot at dotat.at> wrote:

> MEjaz <mejaz at cyberia.net.sa> wrote:
> >
> > If I enable it, will the system's performance slow down?
>
> Depends on how much load your servers are under and what their capacity
> is.
>
> An alternative to query logs, when you are searching for a known query
> name, is to use tcpdump. It's tedious and fiddly to convert the name to
> DNS wire format and then into a pcap filter expression, so I have a little
> script to do that (quoted below after my .sig). The command you want is
> like:
>
> tcpdump -np udp port 53 and '(' udp[20] == 8 and udp[21] == 118 and
> udp[22] == 105 and udp[23] == 116 and udp[24] == 97 and udp[25] == 109 and
> udp[26] == 105 and udp[27] == 110 and udp[28] == 99 and udp[29] == 3 and
> udp[30] == 112 and udp[31] == 114 and udp[32] == 111 ')'
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Southeast Iceland: Northerly 6 to gale 8, veering northeasterly 5 to 7.
> Rough or very rough. Rain or wintry showers. Good, occasionally poor.
>
>
> #!/usr/bin/perl
>
> use warnings;
> use strict;
>
> use Net::DNS::DomainName;
>
> die "usage: $0 <domain-name>\n"
>     unless @ARGV == 1;
>
> my $text = shift;
> # canonical form: wire-format labels, lower-cased, ending in the root (zero) label
> my $wire = Net::DNS::DomainName->new($text)->canonical;
>
> my @wire = unpack 'C*', $wire;
>
> # keep the terminating zero only for a name written with a trailing dot
> pop @wire unless $text =~ m{\.$};
>
> # udp[20] is the first QNAME byte: 8-byte UDP header + 12-byte DNS header
> printf "'(' %s ')'\n",
>     join ' and ',
>     map { sprintf "udp[%d] == %d",
>               20 + $_, $wire[$_] }
>     0 .. $#wire;
> #!/usr/bin/perl
>
> use warnings;
> use strict;
>
> die "usage: tcpdump-qname.pl <dns-label>\n"
>     unless @ARGV == 1;
>
> my $name = shift;
>
> my @name = unpack 'C*', $name;
>
> printf "%s\n", join ', ', @name;
>
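The same name-to-filter conversion as an added example in Python (not Tony's script or anything from the list), with a case-folding variant and an offline evaluation of the generated conditions against constructed query datagrams. The sample names other than vitaminc.pro (VitaminC.pro, www.vitaminc.pro) are constructed for the check; the evaluation shows that the byte match is anchored at udp[20], so it catches neither subdomains nor mixed-case queries unless the filter folds case.

```python
import struct

QNAME_OFFSET = 20  # 8-byte UDP header + 12-byte DNS header: where the first label starts

def filter_terms(name, case_insensitive=False):
    """Return (udp_offset, expected_byte, fold_case) triples for a query name.

    Mirrors the quoted Perl: wire-format labels, lower-cased, with the
    terminating zero kept only when the name has a trailing dot ("vitaminc.pro."
    matches exactly; "vitaminc.pro" also matches names that begin with these
    labels). fold_case is set for ASCII letters when case_insensitive is
    requested, since resolvers may send the name in mixed case.
    """
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    if name.endswith("."):
        wire += b"\x00"
    return [(QNAME_OFFSET + i, b, case_insensitive and 0x61 <= b <= 0x7A)
            for i, b in enumerate(wire)]

def render_filter(terms):
    """Render the tcpdump expression (prepend 'udp port 53 and' on the command line)."""
    parts = [f"(udp[{off}] | 0x20) == {b}" if fold else f"udp[{off}] == {b}"
             for off, b, fold in terms]
    return "'(' " + " and ".join(parts) + " ')'"

def packet_matches(terms, udp_datagram):
    """Evaluate the same byte conditions offline against a UDP datagram (header + DNS)."""
    for off, b, fold in terms:
        if off >= len(udp_datagram):
            return False  # too short: tcpdump would not match either
        got = udp_datagram[off] | 0x20 if fold else udp_datagram[off]
        if got != b:
            return False
    return True

def sample_query(qname):
    """Constructed sample datagram: UDP header, DNS header, one A/IN question (case kept)."""
    dns_hdr = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode("ascii")
                        for l in qname.rstrip(".").split(".")) + b"\x00"
    payload = dns_hdr + question + struct.pack(">HH", 1, 1)
    return struct.pack(">HHHH", 40000, 53, 8 + len(payload), 0) + payload

if __name__ == "__main__":
    exact = filter_terms("vitaminc.pro")
    print(render_filter(exact))
    print(packet_matches(exact, sample_query("vitaminc.pro")),      # True
          packet_matches(exact, sample_query("VitaminC.pro")),      # False: bytes differ
          packet_matches(exact, sample_query("www.vitaminc.pro")),  # False: anchored at udp[20]
          packet_matches(filter_terms("vitaminc.pro", True), sample_query("VitaminC.pro")))  # True
```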

