Comments on: Finding Malware on your network via cached DNS entries

By: Ben Jackson

Ben Jackson — Thu, 01 Apr 2010 02:12:44 +0000

Interesting, I’ll have to ask my friend who uses Mac OS X if he had the same issue…

By: cc

cc — Thu, 01 Apr 2010 00:43:09 +0000

I don’t know perl much but i had to modify the “use” statement for the LWP module when using OSX:

#use LWP::Simple;
use LWP;

even LWP was installed, i kept on getting:

Can’t locate object method “new” via package “LWP::UserAgent” at ./zeusdnsscrape.pl line 66.

Nice tool!!

By: MarlboroGuy

MarlboroGuy — Tue, 30 Mar 2010 07:25:52 +0000

Thanks to you, I really get an interesting information.

I appreciate you.

By: Ben Jackson

Ben Jackson — Tue, 23 Mar 2010 22:57:13 +0000

@Chris: Agreed. I’m planning a script to do just that. It’s a kludge, but if you make a file with the domains/hostnames you want to check, each name on a separate line you can run:
zeusdnsscrape.pl --nodownload --file=/path/to/file
And get that functionality.

By: Chris

Chris — Tue, 23 Mar 2010 12:53:37 +0000

Looking this over, I can see how it could also be useful for incident response. If you know some suspicious domains, those could be added to your list of bad hosts and used as a sniper tool of sorts. The list of bad hosts could be as long or short as you want. This is something I am very interested in trying out.

By: Ben Jackson

Ben Jackson — Tue, 23 Mar 2010 01:56:24 +0000

Looks like I might need to run some more tests. I knew that TTL would be an issue, but with my initial runs I was seeing stuff around an hour or so.

Thanks for the link and the compliments. I’m glad people are finding it useful!

By: okamalo

okamalo — Mon, 22 Mar 2010 05:18:59 +0000

I have just tried the script in a small ISP, the short ttl is dominating the Zeus domains.
I guess this could be evolved into a larger project with more sources of malicious domains and ongoing check of the DNS cache.
Great idea with minimum overheads.

By: Ben Jackson

Ben Jackson — Mon, 22 Mar 2010 01:22:33 +0000

It would work, but, the lower the TTL value is, the higher chance of a false negative. You just need to run it while that TTL hasn’t expired yet. Ever since I’ve started playing with it. I’ve run it multiple times a day to see what happens.

So, no, not perfect, but it’s a step…

By: okamalo

okamalo — Sun, 21 Mar 2010 11:29:39 +0000

Interesting, but I guess this might miss malicious domains with low TTL values, specially if fast-flux is used. Did you check that?

By: Gerhard W. Recher

Gerhard W. Recher — Fri, 19 Mar 2010 19:08:41 +0000

Hi Ben,

currently aprox. 46021 rows will be returned…

you may limit this by appendig a &limit=0,1000 for the first 1000 items (syntax is like mysql sql syntax…)

but if you need qualified data for zeus tracking you may issue a narrowed query…

like: &url=%bin will bring you mostly zeuss related items…

– gerhard