RE: Bogus DNS traffic

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 10/22/03

  • Next message: Robert Lowe: "Re: Bogus DNS traffic"
    To: "'Mike Anderson'" <secure@spoofedpackets.net>, <incidents@securityfocus.com>
    Date: Wed, 22 Oct 2003 14:50:24 -0700
    
    

      I don't think this is it. If infected clients were getting repointed
    to unpopulated addresses on my network, I should be seeing a fair bit
    of activity from each infected client to the specific addresses set
    by the trojan.
      That's not what I'm seeing. I'm seeing a very small amount of traffic
    from randomly scattered hosts to randomly scattered addresses.

    David Gillett

    > -----Original Message-----
    > From: Mike Anderson [mailto:secure@spoofedpackets.net]
    > Sent: October 22, 2003 13:34
    > To: gillettdavid@fhda.edu; incidents@securityfocus.com
    > Subject: RE: Bogus DNS traffic
    >
    >
    > Dave,
    >
    > You might be seeing an increase in DNS traffic as results from
    > this trojan.
    >
    > QHosts Trojan Horse
    > added October 2
    > The CERT/CC has received reports of a new Trojan Horse
    > program affecting
    > Microsoft Windows systems. The QHosts or Qhosts-1 Trojan
    > Horse has been
    > reported to alter domain name service (DNS) settings on
    > Windows systems
    > and redirect users from legitimate web sites to those specified by the
    > Trojan Horse program. The CERT/CC is tracking this activity as
    > CERT#27882 and is interested in receiving reports thereof. Relevant
    > artifacts or activity can be sent to cert@cert.org with
    > "CERT#27882" in
    > the subject line.
    >
    > The CERT/CC strongly encourages users to install anti-virus software,
    > and keep its virus signature files up-to-date.
    >
    >
    > I got this from cert's website. You might want to check that out.
    >
    > Mike Anderson
    > Systems Engineer
    >
    > -----Original Message-----
    > From: David Gillett [mailto:gillettdavid@fhda.edu]
    > Sent: Wednesday, October 22, 2003 3:39 PM
    > To: incidents@securityfocus.com
    > Subject: Bogus DNS traffic
    >
    >
    > I'm seeing random UDP packets to port 53 of random
    > internal IP addresses. The source IP addresses are
    > external, all over the map, although the one example
    > I've gotten a good capture of bore the source MAC
    > address of an internal server. (Whatever is spoofing
    > the IP address *could* be spoofing the MAC address, but
    > that would still indicate an origin inside our network....)
    >
    > Does anyone recognize this?
    >
    > David Gillett
    >
    >
    >

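The thread hinges on two observations: packets whose IP header says "external" but whose Ethernet source MAC belongs to an internal host, and traffic that is scattered (random source, random target, one packet each) rather than concentrated (a few infected clients repeatedly hitting fixed addresses, which is what a hosts-file or DNS-hijacking trojan would produce). The following script is an added example, not part of the original mailing-list thread; it runs the three checks a defender would want over constructed capture summaries. The internal prefix, the authorized resolver address, and the MAC table are placeholder assumptions, not values from the report.

```python
"""Triage for the traffic pattern in this thread: inbound UDP/53 to random internal
addresses, external source IPs, and one frame carrying an internal server's source MAC.
Added example; none of the addresses or MACs below come from the original report."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed site parameters (placeholders, not values from the thread).
INTERNAL_NET = ip_network("10.0.0.0/8")
AUTHORIZED_DNS = {ip_address("10.0.0.53")}   # the only internal host that should receive UDP/53
INTERNAL_MACS = {"00:11:22:33:44:55": "internal-server-1"}   # learned MAC table of internal hosts

# Constructed capture summaries: (src_mac, src_ip, dst_ip, proto, dst_port)
SCATTERED = [   # what the original post describes: one-off packets, random sources and targets
    ("00:11:22:33:44:55", "198.51.100.7",  "10.3.44.12", "udp", 53),  # external IP, internal MAC
    ("00:11:22:33:44:55", "203.0.113.9",   "10.7.1.200", "udp", 53),
    ("aa:bb:cc:dd:ee:01", "192.0.2.44",    "10.0.0.53",  "udp", 53),  # legitimate query to the resolver
    ("aa:bb:cc:dd:ee:02", "198.51.100.80", "10.9.9.9",   "tcp", 80),  # unrelated
]
CONCENTRATED = [  # what the reply says a DNS-hijacking trojan would look like: same pair, repeatedly
    ("aa:bb:cc:dd:ee:03", "10.5.5.5", "10.200.1.1", "udp", 53)
] * 6


def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET


def suspicious_dns(packets):
    """Inbound UDP/53 to internal hosts that are not authorized DNS servers."""
    return [(mac, src, dst) for mac, src, dst, proto, port in packets
            if proto == "udp" and port == 53
            and is_internal(dst) and not is_internal(src)
            and ip_address(dst) not in AUTHORIZED_DNS]


def spoof_evidence(packets):
    """Frames whose IP header says 'external' but whose source MAC belongs to an internal host.
    A frame arriving from outside carries the edge router's MAC, so an internal host's MAC
    (forged or not) means the frame was emitted inside the local broadcast domain."""
    return [(mac, INTERNAL_MACS[mac], src) for mac, src, _, _, _ in packets
            if mac in INTERNAL_MACS and not is_internal(src)]


def classify(packets, repeat_threshold=3):
    """Separate the two hypotheses: a few hosts repeatedly hitting fixed addresses
    ('concentrated') versus isolated packets between random pairs ('scattered')."""
    pairs = Counter((src, dst) for _, src, dst, proto, port in packets
                    if proto == "udp" and port == 53)
    if not pairs:
        return "none"
    return "concentrated" if max(pairs.values()) >= repeat_threshold else "scattered"


if __name__ == "__main__":
    print("suspicious UDP/53:", suspicious_dns(SCATTERED))
    print("internal MAC with external IP:", spoof_evidence(SCATTERED))
    print("pattern:", classify(SCATTERED), "/", classify(CONCENTRATED))
```

On real data the tuples would come from a capture tool's summary output and the MAC table from the switch or DHCP server; the `classify` threshold is a rough knob, and the useful comparison is per-pair repeat counts against the number of distinct pairs, which is exactly the distinction drawn in the reply above.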

