[Bro] DNS alert for CryptoLocker?

Tyler T. Schoenke tyler.schoenke at colorado.edu
Wed Nov 6 07:19:54 PST 2013


So I don't have to reinvent the wheel, does anyone have a script to alert when a bunch of DNS NXDOMAIN response codes are returned?  We had a CryptoLocker infected system.  Here is a snippet of the DNS queries it was performing.  I assume the script will be fairly trivial to write with the new metrics framework.

1382548938.833528       GMCxsRbK0Ai     128.x.y.z 58872   128.a.b.c   53      udp     11849   ndqycnknvoouv.net       1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382548944.705308       gNc8acns5pe     128.x.y.z 57136   128.a.b.c   53      udp     29248   hcanlyoattqnk.info      1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382548947.922531       2wQ3L1SjO2i     128.x.y.z 55438   128.a.b.c   53      udp     37701   pggqvjlpjuvfj.biz       1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382548950.164884       K6SBCLsCeHd     128.x.y.z 62257   128.a.b.c   53      udp     27109   rkvrpstomducl.org       1       C_INTERNET      1       A       -       -       F       F       T       F       0       -       -       F
1382548952.804004       A3cpzxeprDd     128.x.y.z 62188   128.a.b.c   53      udp     19436   xdlmipcfinsnx.info      1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382548953.848624       oFpUoyQaeT6     128.x.y.z 58160   128.a.b.c   53      udp     64315   yskkfkmsvjyjh.com       1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382548956.153981       42MqOejLeC7     128.x.y.z 61254   128.a.b.c   53      udp     25859   bwalyturyrxgh.biz       1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382548960.964978       iwlngihsWR2     128.x.y.z 59060   128.a.b.c   53      udp     49446   wfffkyemceall.info      1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382548965.228544       BSHfNWkQmN2     128.x.y.z 50542   128.a.b.c   53      udp     64599   gxfbvapxgjhhwir.ru      1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382548966.392850       AL4jDt0K4Bl     128.x.y.z 65068   128.a.b.c   53      udp     60778   pbxksllrmivxhjc.org     1       C_INTERNET      1       A       -       -       F       F       T       F       0       -       -       F
1382548998.923970       hvrkgMU1nj9     128.x.y.z 64366   128.a.b.c   53      udp     58017   -       -       -       -       -       0       NOERROR F       F       F       T       0       212.71.250.4,212.71.250.4       0.000000,0.000000       F
1382549001.210921       F0wHtNhVKQj     128.x.y.z 53692   128.a.b.c   53      udp     18268   eijwmsocubkbifr.com     1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382549004.587866       dupMP8ecnh9     128.x.y.z 65102   128.a.b.c   53      udp     55272   -       -       -       -       -       3       NXDOMAIN        F       F       F       F       0       -       -       F
1382549005.590564       8hHrrWK3ySg     128.x.y.z 53233   128.a.b.c   53      udp     49644   csnrwkgpneybfdw.org     1       C_INTERNET      1       A       -       -       F       F       T       F       0       -       -       F
1382549008.355729       2zHHnrpDv94     128.x.y.z 49268   128.a.b.c   53      udp     48578   yxhlnnrvnxwhvjb.info    1       C_INTERNET      1       A       -       -       F       F       T       F       0       -       -       F
1382549009.401946       XGYKkM7TJHb     128.x.y.z 58084   128.a.b.c   53      udp     21374   ypqijlryiuibvra.com     1       C_INTERNET      1       A       -       -       F       F       T       F       0       -       -       F
1382549011.483780       jPbHypWQKyh     128.x.y.z 56556   128.a.b.c   53      udp     38615   gfidmpcvtbjipor.biz     1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382549014.515443       ndy7OcvfED      128.x.y.z 49785   128.a.b.c   53      udp     11355   -       -       -       -       -       3       NXDOMAIN        F       F       F       F       0       -       -       F
1382549015.564495       qkrQfYjmd8g     128.x.y.z 64433   128.a.b.c   53      udp     45      -       -       -       -       -       0       NOERROR F       F       F       T       0       212.71.250.4,212.71.250.4       0.000000,0.000000       F
1382549017.104583       bQbmeVq6PSl     128.x.y.z 60956   128.a.b.c   53      udp     21595   epmydibaismctwn.info    1       C_INTERNET      1       A       -       -       F       F       T       F       0       -       -       F
1382549020.276359       ZyCXQrFDUie     128.x.y.z 58936   128.a.b.c   53      udp     45237   taxkcsutphxwues.biz     1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382549021.295831       DDxa09moudg     128.x.y.z 51396   128.a.b.c   53      udp     14981   ooqydautbpucsxk.ru      1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382549024.077917       utOUlYH43La     128.x.y.z 61588   128.a.b.c   53      udp     33615   -       -       -       -       -       0       NOERROR F       F       F       T       0       212.71.250.4    0.000000        F
1382549026.376626       7NYXLG3zOJ4     128.x.y.z 52200   128.a.b.c   53      udp     30833   myuutstxphxvlmn.com     1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382549028.599961       MBxVPKOcOl3     128.x.y.z 58592   128.a.b.c   53      udp     49290   ohfvyihiguvwuxp.biz     1       C_INTERNET      1       A       -       -       F       F       T       F       0       -       -       F
1382549031.847178       vD02D08eII4     128.x.y.z 61924   128.a.b.c   53      udp     23377   shocdnhyfmdfsoj.co.uk   1       C_INTERNET      1       A       -       -       F       F       T       F       0       -       -       F
1382549034.478314       n3WCj7AlLU2     128.x.y.z 60108   128.a.b.c   53      udp     33753   tmyedwcqvvykcjj.com     1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382549036.575201       caR4StggyDa     128.x.y.z 52132   128.a.b.c   53      udp     4039    oxsaegepxdvieuh.biz     1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382549037.595521       OgiZzasfva3     128.x.y.z 52622   128.a.b.c   53      udp     49144   cbcrkxjuurixfpe.ru      1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382549038.784184       fbHvNBwyQr6     128.x.y.z 65484   128.a.b.c   53      udp     51376   pddcepyhomrngqq.org     1       C_INTERNET      1       A       3       NXDOMAIN        F       F       T       F       0       -       -       F
1382549039.995781       MdZxaa06IYh     128.x.y.z 56073   128.a.b.c   53      udp     1505    novnagkvsgbfbvv.co.uk   1       C_INTERNET      1       A       0       NOERROR F       F       T       T       0       212.71.250.4,212.71.250.4       0.000000,0.00000


Thanks,

Tyler


--
Tyler Schoenke
Network Security Program Manager
IT Security Office
University of Colorado at Boulder
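The alerting logic Tyler asks for, written here as an added example rather than code from the original post or from the Bro project: it parses dns.log records in the column layout quoted above (ts, uid, id.orig_h, ..., query at column 9, rcode_name at column 15), keeps a per-client sliding window of NXDOMAIN replies, and raises one alert when a client collects a threshold of them within the window. Replies Bro never saw (rcode "-") are not counted; NXDOMAIN replies whose query could not be paired (query "-", as in two of the quoted lines) are, since the client still received the error. The sample log is constructed: the domain names are taken from the post, the 192.0.2.x/198.51.100.x addresses are RFC 5737 documentation addresses, and the threshold of 10 replies in 60 s is an arbitrary starting point, not a tuned value.

```python
"""Flag clients that receive a burst of NXDOMAIN replies in a Bro dns.log.

Added example; not code from the Bro project or from the original post.
"""
from collections import defaultdict, deque

# Column positions in a Bro 2.x dns.log, matching the records quoted in the post:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass
# qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
TS, ORIG_H, QUERY, RCODE, RCODE_NAME = 0, 2, 8, 13, 14


def parse_dns_log(text):
    """Yield (ts, orig_h, query, rcode_name) for every record in a dns.log.

    Header/comment lines (#separator, #fields, ...) are skipped.  Fields never
    contain whitespace in this log, so splitting on runs of whitespace handles
    both the tab-separated file and a space-flattened paste of it.
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) <= RCODE_NAME:
            continue  # too short to carry rcode_name (truncated record)
        yield float(f[TS]), f[ORIG_H], f[QUERY], f[RCODE_NAME]


def nxdomain_alerts(records, threshold=10, window=60.0):
    """Return one alert per client that gets >= threshold NXDOMAIN replies
    within any `window` seconds.  Records are expected in time order, as a
    dns.log is written.  Repeat alerts for the same client are suppressed
    until a full window has passed since its last alert.
    """
    recent = defaultdict(deque)  # orig_h -> deque of (ts, query) inside the window
    last_alert = {}              # orig_h -> ts of the last alert raised for it
    alerts = []
    for ts, host, query, rcode_name in records:
        if rcode_name != "NXDOMAIN":
            continue  # NOERROR, SERVFAIL, or '-' (no reply observed) do not count
        hits = recent[host]
        hits.append((ts, query))
        while hits and ts - hits[0][0] > window:
            hits.popleft()  # drop replies older than the window
        if len(hits) >= threshold and ts - last_alert.get(host, float("-inf")) > window:
            last_alert[host] = ts
            alerts.append({
                "ts": ts,
                "host": host,
                "count": len(hits),
                # last few names queried, omitting replies Bro could not pair ('-')
                "sample": [q for _, q in hits if q != "-"][-5:],
            })
    return alerts


def dns_log_line(ts, orig_h, query, rcode_name, answers="-"):
    """Build one 23-column dns.log record (constructed data, post's layout)."""
    rcode = {"NXDOMAIN": "3", "NOERROR": "0", "-": "-"}[rcode_name]
    ttls = "-" if answers == "-" else "0.000000"
    f = [f"{ts:.6f}", "CUIDconstructed", orig_h, "50000", "198.51.100.53", "53",
         "udp", "1", query, "1", "C_INTERNET", "1", "A", rcode, rcode_name,
         "F", "F", "T", "F", "0", answers, ttls, "F"]
    return "\t".join(f)


_BASE = 1382548938.0                      # constructed base timestamp
INFECTED, CLEAN = "192.0.2.10", "192.0.2.77"  # RFC 5737 addresses, constructed
_INFECTED = [  # (seconds after _BASE, query, rcode_name, answers); names from the post
    (0, "ndqycnknvoouv.net", "NXDOMAIN", "-"), (3, "hcanlyoattqnk.info", "NXDOMAIN", "-"),
    (6, "pggqvjlpjuvfj.biz", "NXDOMAIN", "-"), (9, "rkvrpstomducl.org", "-", "-"),
    (12, "xdlmipcfinsnx.info", "NXDOMAIN", "-"), (15, "yskkfkmsvjyjh.com", "NXDOMAIN", "-"),
    (18, "bwalyturyrxgh.biz", "NXDOMAIN", "-"), (21, "wfffkyemceall.info", "NXDOMAIN", "-"),
    (24, "gxfbvapxgjhhwir.ru", "NXDOMAIN", "-"), (27, "-", "NXDOMAIN", "-"),
    (30, "eijwmsocubkbifr.com", "NXDOMAIN", "-"),
    (33, "novnagkvsgbfbvv.co.uk", "NOERROR", "212.71.250.4"),
    (36, "taxkcsutphxwues.biz", "NXDOMAIN", "-"), (39, "ooqydautbpucsxk.ru", "NXDOMAIN", "-"),
]
_CLEAN = [  # an ordinary client with a couple of typos; must not alert
    (5, "wwww.example.com", "NXDOMAIN", "-"), (8, "www.example.com", "NOERROR", "203.0.113.5"),
    (50, "mail.exmaple.com", "NXDOMAIN", "-"),
]
_LINES = sorted(
    [dns_log_line(_BASE + o, INFECTED, q, r, a) for o, q, r, a in _INFECTED]
    + [dns_log_line(_BASE + o, CLEAN, q, r, a) for o, q, r, a in _CLEAN],
    key=lambda l: float(l.split()[0]))
SAMPLE_LOG = "#path\tdns\n" + "\n".join(_LINES) + "\n"


def run_example(threshold=10, window=60.0):
    """Run the detector over the constructed sample and return its alerts."""
    return nxdomain_alerts(parse_dns_log(SAMPLE_LOG), threshold, window)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['ts']:.0f} {a['host']}: {a['count']} NXDOMAIN replies within 60 s, "
              f"e.g. {', '.join(a['sample'])}")
```

Run on the sample, the infected client trips the threshold on its tenth NXDOMAIN reply while the client with two typos never does. In Bro itself the same per-id.orig_h count is what one would feed to the metrics framework Tyler mentions, with the threshold callback raising the notice. Before deploying it, expect legitimate NXDOMAIN-heavy sources and exclude or raise the threshold for them: mail servers doing DNSBL lookups (a "not listed" answer is NXDOMAIN), clients expanding short names through a search list, and browsers probing random hostnames at startup to detect NXDOMAIN hijacking.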
