This is a follow up to the previous post where we noted the emergence of a new 'conficker'-like threat. Thanks to research by our colleagues at Shadowserver it looks like the threat is actually more closely related to the Waledac/Storm worm malware rather than conficker, however that does not stop us from blocking it.

As it happens the IP address used by the worm to install more malware (91.204.48.50) has been in our database since November 16th, when it was added via the Malware Domains feed, however as of a few minutes ago we are also blocking the initial DNS lookup. By blocking this we stop the malware being dropped on unsuspecting victims who are conned into visiting one of the websites that has been infected with the dropper code.

As Shadowserver notes, infected websites will redirect the visitor to one of the following domains, all of which are using fast flux DNS to obfuscate access:

bethira.com bitagede.com cifici.com darlev.com elberer.com envoyee.com leolati.com makonicu.com nurealla.com scypap.com suedev.com teddamp.com

Most of these are resolved by the nameservers nsX.eplarine.com where X is the numbers 1-6 although bethira.com doesn't seem to be. However the nsX.bethira.com addresses resolve to some of the exact same fast flux hosts as the nsX.esplaine.com ones.

The TTLs of all A record lookups are always 0 - the classic sign of a fast flux botnet - and the same IP addresses may be returned for both "web servers" and "DNS servers". It thus seems like the fast flux bots all support both DNS and HTTP access.

Due to some work by the SIE and the University of Georgia using Passive DNS we have a list of most, if not all, the IP addresses that these requests resolve to and we have now added that list to our emergency feed. Currently this is a somewhat manual solution but in the near future (tomorrow hopefully) we will have scripted the process and both created a new "expert mode" feed and incorporated it into our Botnets feed.

Network administrators who run their own cacheing DNS server are strongly recommended to blackhole the domains listed above - and in particular the 6 esplaine.com nameservers. This applies no matter whether you are a ThreatSTOP subscriber or not as this will provide complimentary protection to that offered by the ThreatSTOP feed(s).

As noted in the previous post, identifying potentially infected machines will require you to look in the DNS logs to see what devices are asking the DNS server to resolve these addresses. However it must be noted that attempts to visit one of the IP addresses on this list is not necessarily a sign of infection as these addresses are also for the servers that drop the infections onto the visitor's computer.