Re: [despammed] Bogus DNS traffic

[whiplash <whiplash () despammed com>]

David Gillett wrote:
>   I'm seeing random UDP packets to port 53 of random
> internal IP addresses.  The source IP addresses are
> external, all over the map, although the one example
> I've gotten a good capture of bore the source MAC
> address of an internal server.  (Whatever is spoofing
> the IP address *could* be spoofing the MAC address, but
> that would still indicate an origin inside our network....)

As reported elsewhere (see
http://cert.uni-stuttgart.de/archive/intrusions/2003/10/msg00168.html )
the origin of this malformed dns traffic could be a sort of trojan/worm
named kx.exe.
I just grabbed a copy of it following the procedure described in the
link reported above.


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------