dns.exe virus?

Greetings,

After tracking down what I believed was an attempted DOS attack, it
turns out that two Windows 2000 servers, fully updated, were spewing out
hundreds of port 53 requests. Upon further investigation dns.exe was
hogging 99% of the CPU.

I haven't found any reference to this at CERT so I thought I would drop
the occurrence into the nanog funnel to see what comes out. The attack
started around 8AM MST. Thank you for your consideration.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com


DNS.exe is the executable for Microsoft DNS. This is either some
kind of bug or a function of active directory w/in Windows 2000.

regards,

Ken Budd
Data Systems Engineer
702 Communications
Moorhead, MN 56560
phone: 218.284.5702
Fax: 218.284.5746

-----Original Message-----

Christopher J. Wolff wrote:

After tracking down what I believed was an attempted DOS attack, it
turns out that two Windows 2000 servers, fully updated, were spewing out
hundreds of port 53 requests. Upon further investigation dns.exe was
hogging 99% of the CPU.

I haven't found any reference to this at CERT so I thought I would drop
the occurrence into the nanog funnel to see what comes out. The attack
started around 8AM MST. Thank you for your consideration.

I wonder if this is the tool used to attack Spamhaus, SPEWS and SORBS.

Do you know what the requests were for?

Chris,

It was really odd. Here is an example of what the two hosts .3 and .4
were up to.

10.11.0.4:1420 64.215.170.28:53 64.215.170.28:53
10.11.0.3:4554 216.74.14.155:53 216.74.14.155:53
10.11.0.3:4554 216.239.38.10:53 216.239.38.10:53
10.11.0.3:4554 166.90.208.166:53 166.90.208.166:53
10.11.0.4:1420 192.35.51.30:53 192.35.51.30:53
10.11.0.4:1420 192.55.83.30:53 192.55.83.30:53
10.11.0.3:4554 64.24.79.2:53 64.24.79.2:53
10.11.0.3:4554 64.24.79.3:53 64.24.79.3:53
10.11.0.3:4554 64.24.79.5:53 64.24.79.5:53
10.11.0.3:4554 192.48.79.30:53 192.48.79.30:53
10.11.0.3:4554 205.166.226.38:53 205.166.226.38:53
10.11.0.3:4554 63.240.15.245:53 63.240.15.245:53
10.11.0.4:1420 192.36.148.17:53 192.36.148.17:53
10.11.0.4:1420 192.26.92.30:53 192.26.92.30:53
10.11.0.4:1420 192.43.172.30:53 192.43.172.30:53
10.11.0.3:4554 192.31.80.30:53 192.31.80.30:53
10.11.0.3:4554 213.161.66.159:53 213.161.66.159:53
10.11.0.4:1420 65.102.83.43:53 65.102.83.43:53
10.11.0.3:4554 216.239.32.10:53 216.239.32.10:53
10.11.0.3:4554 24.221.129.4:53 24.221.129.4:53
10.11.0.3:4554 24.221.129.5:53 24.221.129.5:53
10.11.0.4:1420 192.5.6.30:53 192.5.6.30:53
10.11.0.3:4554 128.121.26.10:53 128.121.26.10:53
10.11.0.3:4554 64.215.170.28:53 64.215.170.28:53
10.11.0.3:4554 65.102.83.43:53 65.102.83.43:53
10.11.0.4:1420 24.221.129.4:53 24.221.129.4:53
10.11.0.4:1420 24.221.129.5:53 24.221.129.5:53
10.11.0.3:4554 63.210.142.26:53 63.210.142.26:53
10.11.0.4:1420 192.41.162.30:53 192.41.162.30:53
10.11.0.4:1420 192.52.178.30:53 192.52.178.30:53
10.11.0.3:4554 192.5.6.30:53 192.5.6.30:53
10.11.0.3:4554 63.215.198.78:53 63.215.198.78:53
10.11.0.4:1420 64.215.170.28:53 64.215.170.28:53
10.11.0.3:4554 216.239.38.10:53 216.239.38.10:53
10.11.0.4:1420 192.55.83.30:53 192.55.83.30:53
10.11.0.3:4554 64.24.79.3:53 64.24.79.3:53
10.11.0.3:4554 205.166.226.38:53 205.166.226.38:53
10.11.0.4:1420 192.43.172.30:53 192.43.172.30:53
10.11.0.3:4554 63.240.144.98:53 63.240.144.98:53

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

I have seen MS DNS go into some kind of resolving loop madness where for some
reason it continually tries lookups. In the cases when I've seen it, it has
been a customer server which seemed to loop on some lame delegations - I noticed
it as the queries on the lames loaded our DNS caches!

Steve

Christopher J. Wolff wrote:

Chris,

It was really odd. Here is an example of what the two hosts .3 and .4
were up to.

For grins, I ran that through our blacklist tool to see what it coughed up.

Nothing was on our blacklists.

Had rDNS's like *.google.com, *.akamai.com, sprintbbsd, ns2.granitecanyon.com, DNS root servers and a few non-resolving IPs.

DNS resolution loop perchance?

{snipped}

The list of hosts they were accessing is ... well, interesting!

24.221.129.4 aztutmux01.az.sprintbbd.net
24.221.129.5 aztutmns01.az.sprintbbd.net
63.210.142.26 unknown.Level3.net
63.215.198.78 unknown.Level3.net
63.240.144.98 a63.240.144.98.deploy.akamaitechnologies.com
63.240.15.245 [CERFnet]
64.215.170.28 [Akamai Technologies/Dallas]
64.24.79.2 [StarNet]
64.24.79.3 [StarNet]
64.24.79.5 [StarNet]
65.102.83.43 ns2.granitecanyon.com
128.121.26.10 [Verio]
166.90.208.166 a166-90-208-166.deploy.akamaitechnologies.com
192.26.92.30 c.gtld-servers.net
192.31.80.30 d.gtld-servers.net
192.35.51.30 f.gtld-servers.net
192.36.148.17 i.root-servers.net
192.41.162.30 l.gtld-servers.net
192.43.172.30 i.gtld-servers.net
192.48.79.30 j.gtld-servers.net
192.5.6.30 a.gtld-servers.net
192.52.178.30 k.gtld-servers.net
192.55.83.30 m.gtld-servers.net
205.166.226.38 ns1.granitecanyon.com
213.161.66.159 213-161-66-159.akamai.com
216.239.32.10 ns1.google.com
216.239.38.10 ns4.google.com
216.74.14.155 [XO]

(Where no rDNS existed, the Netblock owner is shown in [])
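As an added example (not code from anyone in this thread), the script below takes the netstat-style connection list Chris posted and the rDNS table from the last reply, and turns them into the per-source summary a defender would want before deciding between "the box is attacking someone" and "the resolver is looping on a lame delegation": how many port-53 queries each source socket sent, how many distinct servers it fanned out to, and how many of those were root or gTLD servers. It embeds the first twenty connection lines and the matching rDNS entries as sample input; the fan-out thresholds are illustrative assumptions, not values from the thread.

```python
import re
from collections import Counter

# First 20 connection lines as posted in the thread (src:port dst:port dst:port);
# the third column just repeats the destination and is ignored.
SAMPLE_LINES = """\
10.11.0.4:1420 64.215.170.28:53 64.215.170.28:53
10.11.0.3:4554 216.74.14.155:53 216.74.14.155:53
10.11.0.3:4554 216.239.38.10:53 216.239.38.10:53
10.11.0.3:4554 166.90.208.166:53 166.90.208.166:53
10.11.0.4:1420 192.35.51.30:53 192.35.51.30:53
10.11.0.4:1420 192.55.83.30:53 192.55.83.30:53
10.11.0.3:4554 64.24.79.2:53 64.24.79.2:53
10.11.0.3:4554 64.24.79.3:53 64.24.79.3:53
10.11.0.3:4554 64.24.79.5:53 64.24.79.5:53
10.11.0.3:4554 192.48.79.30:53 192.48.79.30:53
10.11.0.3:4554 205.166.226.38:53 205.166.226.38:53
10.11.0.3:4554 63.240.15.245:53 63.240.15.245:53
10.11.0.4:1420 192.36.148.17:53 192.36.148.17:53
10.11.0.4:1420 192.26.92.30:53 192.26.92.30:53
10.11.0.4:1420 192.43.172.30:53 192.43.172.30:53
10.11.0.3:4554 192.31.80.30:53 192.31.80.30:53
10.11.0.3:4554 213.161.66.159:53 213.161.66.159:53
10.11.0.4:1420 65.102.83.43:53 65.102.83.43:53
10.11.0.3:4554 216.239.32.10:53 216.239.32.10:53
10.11.0.3:4554 24.221.129.4:53 24.221.129.4:53
"""

# rDNS / netblock-owner entries from the thread's table for the IPs above
# ("[...]" = no rDNS, netblock owner only).
RDNS = {
    "24.221.129.4": "aztutmux01.az.sprintbbd.net",
    "63.240.15.245": "[CERFnet]",
    "64.215.170.28": "[Akamai Technologies/Dallas]",
    "64.24.79.2": "[StarNet]",
    "64.24.79.3": "[StarNet]",
    "64.24.79.5": "[StarNet]",
    "65.102.83.43": "ns2.granitecanyon.com",
    "166.90.208.166": "a166-90-208-166.deploy.akamaitechnologies.com",
    "192.26.92.30": "c.gtld-servers.net",
    "192.31.80.30": "d.gtld-servers.net",
    "192.35.51.30": "f.gtld-servers.net",
    "192.36.148.17": "i.root-servers.net",
    "192.43.172.30": "i.gtld-servers.net",
    "192.48.79.30": "j.gtld-servers.net",
    "192.55.83.30": "m.gtld-servers.net",
    "205.166.226.38": "ns1.granitecanyon.com",
    "213.161.66.159": "213-161-66-159.akamai.com",
    "216.239.32.10": "ns1.google.com",
    "216.239.38.10": "ns4.google.com",
    "216.74.14.155": "[XO]",
}

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_connections(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def classify(dst_ip):
    """Bucket a destination using the rDNS table: root, gtld, named, netblock-only, unresolved."""
    name = RDNS.get(dst_ip)
    if name is None:
        return "unresolved"
    if name.startswith("["):
        return "netblock-only"
    if name.endswith("root-servers.net"):
        return "root"
    if name.endswith("gtld-servers.net"):
        return "gtld"
    return "named"


def summarize(text):
    """Per source socket: port-53 query count, distinct destinations, destination classes."""
    per_socket, seen = {}, {}
    for src, sport, dst, dport in parse_connections(text):
        if dport != 53:          # only outbound DNS is of interest here
            continue
        key = f"{src}:{sport}"
        entry = per_socket.setdefault(key, {"queries": 0, "by_class": Counter()})
        entry["queries"] += 1
        entry["by_class"][classify(dst)] += 1
        seen.setdefault(key, set()).add(dst)
    for key, entry in per_socket.items():
        entry["distinct_destinations"] = len(seen[key])
    return per_socket


def flag_fanout(per_socket, min_queries=10, min_distinct=8):
    """Source sockets that sent many queries spread across many servers (referral chasing).

    Thresholds are illustrative assumptions; tune them from the server's normal baseline.
    Talking to root/gTLD servers is normal for a recursive resolver, so the signal is the
    volume and fan-out from one source port, not the destinations themselves.
    """
    return [k for k, e in per_socket.items()
            if e["queries"] >= min_queries and e["distinct_destinations"] >= min_distinct]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LINES)
    for sock, e in sorted(stats.items()):
        infra = e["by_class"]["root"] + e["by_class"]["gtld"]
        print(f"{sock}: {e['queries']} queries, {e['distinct_destinations']} distinct servers, "
              f"{infra} to root/gTLD, classes={dict(e['by_class'])}")
    print("fan-out suspects:", flag_fanout(stats))
```

Run on the full list this reports the same shape the thread describes: each source reuses one UDP port, no destination is hit more than a couple of times, and root/gTLD servers plus assorted authoritative servers dominate, which fits Steve's resolver-loop reading rather than a flood aimed at any one target. What the connection list cannot tell you is the query names; a packet capture on port 53 would show whether the same names (and the same lame delegation) come up over and over.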