Sinkhole Tool

Do you have old malware on your network?

You may have heard of botnets like DNS Changer or Conficker that have been taken down by law enforcement agencies in various countries. What you may not be aware is that millions of computers are still infected by these sorts of 'zombie' malware. DNS Changer, for example, has proven to be a very tough piece of malware to remove and many computers are still running it. Worse, the IP addresses that were used by DNS changer have been reassigned and some have been given to highly suspicious entities. If any computers on your network are still infected then they are probably ripe for exploitation by a new set of cyber-criminals.

In other cases (e.g. conficker) the malware is still inactive because the places the infected computers try to call home to are still in the hands of the good guys. But even in these cases that means they probably are not as up to date with their security software as you might think because most of these trojans disable antivirus and updates of antivirus, flash and so on. This means that they are at far greater risk of infection with new malware that exploits security holes that have already been fixed for most computers.

Frequently ISPs will detect that their customers are accessing known sinkholes for malware and send them an email to warn them. Unfortunately in most cases the IP address they report is the IP address of the firewall and it has dozens, perhaps hundreds of computers NATed behind it so figuring out which computer is actually infected is a nightmare. We're offering a free log parser to scan your firewall logs to detect the internal NATed addresses of infected computers. It's easy and completely free to use.

How to Use

Enable logging of all outbound DNS and HTTP packets (it may be easier to just log everything) on your firewall or IDS and store the data, either on the firewall itself or on a separate syslog server. Once you have a few hours worth of log data, upload it using the form below and see if we report any infected addresses. If you have devices infected with DNS Changer you'll see a report like this example, other malware will look similar.

The logfile must be uncompressed plain text and less than 1MB in size.

For more instructions, further details on what you might find, and what to do if you find it, read our Sinkhole FAQ.

The text must be uncompressed, plain and less than 10000000B in size.
The logfile must be uncompressed plain text and less than 10000000B in size.
Upload your log file. The file should be less than 10Mb.
Image CAPTCHA
Enter the characters shown in the image.