Detecting Queries to "odd" DNS Servers

Published: 2014-05-20. Last Updated: 2014-05-20 18:59:37 UTC
by Johannes Ullrich (Version: 1)

Usually, your operating system is assigned a set of DNS servers either via DHCP (or router advertisements in IPv6) or statically. The resolver library on a typical workstation then passes all DNS lookups to that set of servers. However, malware sometimes tries to use its own DNS servers, and blocking outbound port 53 traffic (UDP and TCP) that is not destined for your assigned servers can help identify these hosts.

Brent, one of our readers, does just that and keeps finding infected machines that way. Just now, he is investigating a system that attempted to connect to the following name servers:

101.226.4.6
114.114.114.114
114.114.115.115
123.125.81.6
140.207.198.6
202.97.224.69
211.98.2.4
218.30.118.6
14.33.133.189

He has not identified the malware behind this yet, and none of the other systems he is using flagged it ("we are running bluecoat web filter AND we're using OpenDNS AND I'm running snort"). Brent uses oak (http://ktools.org/oak/) to help him watch his logs and alert him to issues like this.
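As an added illustration of the log-watching approach described above (example code, not part of the diary or of oak), the following script scans firewall log lines for port 53 connections to anything other than the network's assigned resolvers and reports which internal hosts tried to reach which unsanctioned servers. The log lines are constructed for this example and follow the iptables LOG target layout; the resolver addresses in ALLOWED_RESOLVERS are assumed placeholder values.

```python
import re
from collections import defaultdict

# Assumed: the resolvers handed out by DHCP/static config on this network (placeholder values).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample log lines in iptables LOG-target format; the destinations reuse
# two of the addresses listed in the diary. These are not real captured records.
SAMPLE_LOG = """\
May 20 10:01:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=10.0.0.53 LEN=60 TTL=63 PROTO=UDP SPT=51234 DPT=53
May 20 10:01:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=101.226.4.6 LEN=58 TTL=127 PROTO=UDP SPT=40111 DPT=53
May 20 10:01:06 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=114.114.114.114 LEN=58 TTL=127 PROTO=UDP SPT=40112 DPT=53
May 20 10:01:09 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=114.114.114.114 LEN=60 TTL=127 PROTO=TCP SPT=40113 DPT=53
May 20 10:01:12 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=93.184.216.34 LEN=60 TTL=127 PROTO=TCP SPT=40114 DPT=443
May 20 10:01:15 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=10.0.1.53 LEN=60 TTL=63 PROTO=UDP SPT=51235 DPT=53
"""

# Pull the fields we need; tolerate other fields (LEN, TTL, ...) between them.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dport>\d+)"
)


def rogue_dns_attempts(log_text, allowed=ALLOWED_RESOLVERS):
    """Map each source host to the sorted unsanctioned servers it sent port-53 traffic to."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record we can parse
        if m.group("dport") != "53" or m.group("proto") not in ("UDP", "TCP"):
            continue  # only UDP/TCP to destination port 53 is DNS-shaped traffic
        if m.group("dst") in allowed:
            continue  # lookup went to an assigned resolver: expected behaviour
        hits[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in hits.items()}


def hosts_to_investigate(attempts, min_distinct=2):
    """Hosts that contacted at least `min_distinct` different unsanctioned servers (cuts one-off noise)."""
    return sorted(src for src, dsts in attempts.items() if len(dsts) >= min_distinct)


if __name__ == "__main__":
    found = rogue_dns_attempts(SAMPLE_LOG)
    for src, dsts in found.items():
        print(f"{src} sent port-53 traffic to unsanctioned servers: {', '.join(dsts)}")
    print("hosts to investigate:", hosts_to_investigate(found))
```

The firewall rule that produces these records must log before dropping; a silent drop leaves nothing for the script to find.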

According to the Farsight Security passive DNS database, these IPs resolve to a number of "interesting" hostnames. I am just showing a few here (the full list is too long).

ns-facebook-[number]-[number].irl-dns.info   <- the [number] part appears to be a random number
*.v9dns.com    <- '*' to indicate various host names in this domain.
v2.3322pay.com
bjcgsm.com
sf5100.com
------------------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Keywords: dns

Comments

Eight out of nine of those IP addresses are in the PRC. Using any of them as DNS servers (whether or not they are actual DNS servers, and no matter where the DNS client is in the world) will invoke poisoned responses from the GFW cache poisoning machine for some very popular sites such as YouTube, Facebook, Twitter, etc. So likely no user invoking that traffic from an infected box. Try it yourself. What IP address do you get for facebook when using one of those DNS servers?

C:\Users\me>nslookup
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> server 101.226.4.6
Default Server: [101.226.4.6]
Address: 101.226.4.6

> facebook.com
Server: [101.226.4.6]
Address: 101.226.4.6

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: facebook.com
Addresses: 59.24.3.173
59.24.3.173

All these IPs are registered in China. Maybe there are just some users with their own DNS for bypassing the Chinese internet restrictions?

It may be worth doing a packet capture to confirm whether the traffic on port 53 is actually legitimate DNS traffic, or perhaps a botnet C&C channel just trying to use port 53 to avoid proxies that might filter 80/443 traffic.
[quote=comment#30935]It may be worth doing a packet capture to confirm whether the traffic on port 53 is actually legitimate DNS traffic, or perhaps a botnet C&C channel just trying to use port 53 to avoid proxies that might filter 80/443 traffic.[/quote]

Yup! When I first set up the log-watching rules, I didn't have any snort sensors or any span ports yet. But one of these days real soon now, I'll turn this into a custom snort rule so I can see full packet payloads...

Most of the concern about DNS is some form of redirection abuse or server compromise. But another interesting use of DNS is to send encoded messages. Assuming you have control of the DNS server, you can receive these encoded messages as simple DNS queries. By encoding the message in the hostname of your domain name, you can send yourself covert messages - spp-nboz-tfdsfut.example.net (ROT1). Setting the server to log all queries permits you to receive and store the contents of messages sent from any Internet-connected host.
