Security Incidents mailing list archives
RE: Interesting DNS update traffic
From: "Sean Brown" <srbrown () appgeo com>
Date: Tue, 30 Mar 2004 10:03:11 -0500
Thanks for the helpful replies. The strange traffic continued intermittently yesterday from 13:06 to 13:29 and then again from 19:13 through 20:36. My logs don't show the traffic during the previous week and I have not seen it yet today. I've written a snort rule to watch for it again.

I do not think it is Calypso since the Calypso trojan sends malformed DNS query packets to a destination machine on port 53. What I'm seeing are malformed DNS responses from a source port 53 to destination 1026. I haven't seen a reference to this pattern before, though I looked into it being the result of the Windows popup scam reported here: http://www.lurhq.com/popup_spam.html

This could be a way to determine the presence of the windows popup vuln by sending a reply from a known and usually trusted source UDP port, 53. If your firewall is blocking UDP to 1026 but allowing DNS replies from port 53, you are vulnerable. Just a guess. Anyway, correlations would be nice if anyone has seen it.

Cheers,
Sean

-----Original Message-----
From: Bill McCarty [mailto:bmccarty () pt-net net]
Sent: Monday, March 29, 2004 7:00 PM
To: Sean Brown; incidents () securityfocus com
Cc: srbrown () nyx net
Subject: Re: Interesting DNS update traffic

Hi Sean,

--On Monday, March 29, 2004 4:56 PM -0500 Sean Brown <srbrown () appgeo com> wrote:

> So, anyone seen anything like this before?

Superficially, your report seems to be consistent with traffic related to the Trojan known as Calypso. See, for example, <http://cert.uni-stuttgart.de/archive/intrusions/2003/10/msg00154.html>.

---------------------------------------------------
Bill McCarty
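A detection sketch for the pattern Sean describes, added here as an example and not taken from the thread or from the Snort rule he mentions: it picks out UDP datagrams from source port 53 to destination port 1026 whose payload does not parse as a well-formed DNS response. The packet tuples and payloads are constructed sample data, not captured traffic.

```python
"""Flag UDP datagrams from source port 53 to destination port 1026 whose
payload does not parse as a well-formed DNS response. All traffic below
is constructed sample data, not a capture."""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
MIN_RR_LEN = 11  # name (1) + type (2) + class (2) + ttl (4) + rdlength (2)


def dns_response_is_wellformed(payload: bytes) -> bool:
    """True if payload has a DNS header with QR=1, a readable question
    section and enough bytes left for the resource records it claims."""
    if len(payload) < DNS_HEADER.size:
        return False
    _ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    if not flags & 0x8000:  # QR bit clear: a query, not a response
        return False
    off = DNS_HEADER.size
    for _ in range(qd):  # walk each QNAME, then skip QTYPE/QCLASS
        while True:
            if off >= len(payload):
                return False  # name runs off the end of the datagram
            n = payload[off]
            if n == 0:  # root label terminates the name
                off += 1
                break
            if (n & 0xC0) == 0xC0:  # compression pointer also ends the name
                off += 2
                break
            if n > 63 or off + 1 + n > len(payload):
                return False  # label too long or truncated
            off += 1 + n
        off += 4
    # a negative remainder (truncated question) fails this check too
    return len(payload) - off >= MIN_RR_LEN * (an + ns + ar)


def suspicious_port53_replies(packets):
    """packets: iterable of (src_port, dst_port, payload). Returns the
    indices of datagrams matching 53 -> 1026 with a malformed DNS body."""
    return [i for i, (sport, dport, payload) in enumerate(packets)
            if sport == 53 and dport == 1026
            and not dns_response_is_wellformed(payload)]


# Constructed samples: a valid A-record answer, and a "response" whose
# header claims five answers but whose question name is truncated.
GOOD = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
        + b"\x07example\x03com\x00\x00\x01\x00\x01"
        + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")
BAD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 5, 0, 0) + b"\x07example"
SAMPLE = [(53, 1026, GOOD), (53, 1026, BAD), (53, 1025, BAD), (1026, 53, BAD)]
```

Only the second datagram matches: it has the right port pair and its body is truncated, while the same bad body on other port pairs is ignored, which is the narrowness a port-pair rule like the one Sean describes would have.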
Current thread:
- Interesting DNS update traffic Sean Brown (Mar 29)
- Re: Interesting DNS update traffic Bill McCarty (Mar 30)
- Re: Interesting DNS update traffic Todd Hayton (Mar 30)
- <Possible follow-ups>
- RE: Interesting DNS update traffic Sean Brown (Mar 30)
- RE: Interesting DNS update traffic Sean Brown (Mar 30)
- RE: Interesting DNS update traffic Sean Brown (Mar 30)