[61896] in North American Network Operators' Group
RE: dns.exe virus?
daemon@ATHENA.MIT.EDU (Christopher J. Wolff)
Mon Sep 8 19:11:12 2003
From: "Christopher J. Wolff" <chris@bblabs.com>
To: <bmanning@karoshi.com>,
"'Chris Lewis'" <clewis@nortelnetworks.com>
Cc: <nanog@merit.edu>
Date: Mon, 8 Sep 2003 16:10:36 -0700
In-Reply-To: <200309082136.h88Lala11482@karoshi.com>
Errors-To: owner-nanog-outgoing@merit.edu
FYI,
I put the suspect file up at http://www.bblabs.com/dns.exe
Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
bmanning@karoshi.com
Sent: Monday, September 08, 2003 2:37 PM
To: Chris Lewis
Cc: nanog@merit.edu
Subject: Re: dns.exe virus?
> Christopher J. Wolff wrote:
>
> > Chris,
> >
> > It was really odd. Here is an example of what the two hosts .3 and .4
> > were up to.
>
> For grins, I ran that through our blacklist tool to see what it coughed up.
>
> Nothing was on our blacklists.
>
> Had rDNS's like *.google.com, *.akamai.com, sprintbbsd,
> ns2.granitecanyon.com, DNS root servers and a few non-resolving IPs.
>
> DNS resolution loop perchance?
From here, they all show up in the logs attempting
dynamic updates of the in-addr.arpa domain. :)
Time to suck pkts... although I 'spect they are
trying to perform stupid DNS tricks like:
floss.local.in-addr.arpa. A 10.10.10.10
--bill