Over the last couple of days we've seen an increasing number of outbound DNS queries to ip addresses on our block lists - principally to ones on the DShield 4000. Since the destination servers are frequently in China and the subscribers have little to do with China this looks unlikely to be genuine traffic. It is however somewhat suggestive of Conficker and other similar fastflux DNS malware which "call home" via a DNS lookup to some randomly generated subdomain of an otherwise apparently genuine domain. The DNS lookup resolves (usually) to a fastflux intermediary that communicates with the botmaster, The DNS server itself is generally not 'bad' per se but it will be under the control of the cyber crooks because they have to feed it the zone changes so frequently and this level of activity would raise a flag in any legitimate DNS hosting service.

By blocking these DNS lookups the malware is unable to call home and thus it is effectively neutralized. Unfortunately that does not always mean it is simple to identify the infected machine for remediation. In many cases the source IP address of the blocked lookup is the network's DNS server and thus it is necessary to analyze the DNS server logs for SERVFAIL entries and determine what IP address made the query that led to this.

However sometimes it turns out that the compromised machine makes the DNS lookup itself. In this case the malware will have modified the machines IP stack so that it queries the criminal's DNS by default. This, needless to say, is a wonderful way for the crooks to do man-in-the middle attacks to harvest login details.

ThreatSTOP's blocklists include the known criminal DNS servers and hence our subscribers are protected from accessing these machines, whether directly or indirectly via the subscriber's DNS server. Since the hosts are on the DShield list (and we will also add any that aren't to our emergency feed over the next few days) all subscribers - even ones using our free 'community' edition - will be protected.