Security Incidents mailing list archives

RE: Interesting DNS update traffic


From: "Sean Brown" <srbrown () appgeo com>
Date: Tue, 30 Mar 2004 10:03:11 -0500

Thanks for the helpful replies.  The strange traffic continued
intermittently yesterday from 13:06 to 13:29 and then again from 19:13
through 20:36.  My logs don't show the traffic during the previous week
and I have not seen it yet today.  I've written a snort rule to watch
for it again.

I do not think it is Calypso since the Calypso trojan sends malformed
DNS query packets to a destination machine on port 53.  What I'm seeing
are malformed DNS responses from a source port 53 to destination 1026.
I haven't seen a reference to this pattern before though I looked into
it being the result of the Windows popup scam reported here:
http://www.lurhq.com/popup_spam.html

This could be a way to determine the presence of the Windows popup vuln
by sending a reply from a known and usually trusted source UDP port, 53.
If your firewall is blocking UDP to 1026 but allowing DNS replies from
port 53, you are vulnerable.  Just a guess.

Anyway, correlations would be nice if anyone has seen it.

Cheers,
Sean
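As an added illustration of the kind of check Sean says he wrote (example code, not his Snort rule and not anything from the thread): a small Python classifier that flags UDP datagrams from source port 53 to destination port 1026 whose payload does not parse as a complete DNS response. The ports are taken from the message; the datagram bytes are constructed.

```python
import struct

# Constructed example for the pattern described above: UDP datagrams (IP header
# already stripped) from source port 53 to port 1026 whose payload does not parse
# as a DNS response. Ports come from the message; every sample byte is made up.
SUSPECT_SRC, SUSPECT_DST = 53, 1026

def _skip_name(buf, off):
    """Return the offset just past the DNS name at buf[off:], or None if invalid."""
    while off < len(buf):
        label = buf[off]
        if label == 0:                  # root label terminates the name
            return off + 1
        if label & 0xC0:                # 0xC0 = 2-byte compression pointer (ends name);
            return off + 2 if label & 0xC0 == 0xC0 and off + 2 <= len(buf) else None
        off += 1 + label                # ...0x40/0x80 label types are reserved -> None
    return None                         # ran off the end of the buffer

def dns_response_well_formed(payload):
    """Walk every section; True only for a complete, self-consistent DNS response."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if not flags & 0x8000:              # QR bit clear: a query, not a response
        return False
    off = 12
    for i in range(qd + an + ns + ar):  # questions first, then all resource records
        off = _skip_name(payload, off)
        fixed = 4 if i < qd else 10     # QTYPE+QCLASS, or TYPE+CLASS+TTL+RDLENGTH
        if off is None or off + fixed > len(payload):
            return False
        if i >= qd:                     # RRs also carry RDLENGTH bytes of RDATA
            off += struct.unpack("!H", payload[off + 8:off + 10])[0]
        off += fixed
    return off == len(payload)          # no truncation and no trailing bytes

def flag_datagram(datagram):
    """True if the datagram is a 53 -> 1026 UDP packet that is not a DNS response."""
    if len(datagram) < 8 or struct.unpack("!HH", datagram[:4]) != (SUSPECT_SRC, SUSPECT_DST):
        return False
    length = struct.unpack("!H", datagram[4:6])[0]
    return not dns_response_well_formed(datagram[8:length])

def build_udp(src, dst, payload):       # UDP header with zero checksum, for test input
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload

# Constructed payloads: a valid A-record reply for "a.", and a header claiming five
# questions with none present (the kind of malformed "response" a rule should catch).
GOOD_DNS = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x01a\x00"
            + struct.pack("!HH", 1, 1) + b"\xc0\x0c"
            + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
JUNK_DNS = struct.pack("!HHHHHH", 0x1234, 0x8180, 5, 0, 0, 0)
```

The same match (UDP, source port 53, destination port 1026) is what a Snort rule header would express; the payload walk is the part a plain port rule cannot do.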

-----Original Message-----
From: Bill McCarty [mailto:bmccarty () pt-net net] 
Sent: Monday, March 29, 2004 7:00 PM
To: Sean Brown; incidents () securityfocus com
Cc: srbrown () nyx net
Subject: Re: Interesting DNS update traffic


Hi Sean,

--On Monday, March 29, 2004 4:56 PM -0500 Sean Brown <srbrown () appgeo com> wrote:

So, anyone seen anything like this before?

Superficially, your report seems to be consistent with traffic related to
the Trojan known as Calypso. See, for example,
<http://cert.uni-stuttgart.de/archive/intrusions/2003/10/msg00154.html>.

---------------------------------------------------
Bill McCarty


