Author Topic: Storm warning

Offline AKcurly

  • Silver Member
  • ****
  • Posts: 1509
Storm warning
« on: December 20, 2003, 03:16:48 AM »
If you'll go to the network storm warning center, one of the things you can monitor is dns requests per time unit.  For some time, the average has been around 500,000 requests per time unit.

Look at http://isc.incidents.org/port_details.html?port=53

There's been a sawtooth pattern for several weeks now with a peak of 2,500,000 requests/time unit.

Furthermore, there appears to be a data burst (?) recently.

Look at this page:
http://www.lurhq.com/sinit.html

Evidently, there's a new trojan out in the wild and it's a true trojan.  Your computer becomes infected only by your request.  Due to several security lapses in IE, evidently thousands of computers running an unknown variant of a Microsoft operating system are now infected and are sitting out there, percolating god knows what brew for all of us.

Due to the way the sinit trojan works, it doesn't have to report back to an FTP server like sobig [read the above link for details.]

I suspect we (the internet users of the world) are about to receive a xmas present.  Can you say "the entire network shut down?"  Heh, that may be an exaggeration, but I suspect they (whoever controls sinit) can do whatever they want.  They're going to own the network. :)

curly

Offline Tuomio

  • Nickel Member
  • ***
  • Posts: 523
Storm warning
« Reply #1 on: December 20, 2003, 05:55:15 AM »
Computers without good firewalls should be banned.

Offline AKcurly

  • Silver Member
  • ****
  • Posts: 1509
Storm warning
« Reply #2 on: December 20, 2003, 06:42:24 AM »
Quote
Originally posted by Tuomio
Computers without good firewalls should be banned.


Well, firewalls wouldn't help in this case: 1) the infection probably resulted from pulling a webpage and executing valid j/script and 2) the trojan network communicates via port 53 -- the DNS port.  You can't block it.

curly

Offline Tuomio

  • Nickel Member
  • ***
  • Posts: 523
Storm warning
« Reply #3 on: December 20, 2003, 08:19:43 AM »
Quote
Originally posted by AKcurly
Well, firewalls wouldn't help in this case: 1) the infection probably resulted from pulling a webpage and executing valid j/script and 2) the trojan network communicates via port 53 -- the DNS port.  You can't block it.

curly


I don't think you can override firewalls by using specific ports. Firewalls block communication on a program-by-program basis. Using the DNS port has the benefit of making ISPs unable to block "suspicious" ports, i.e. some have blocked port 4661, because it's used as the default by some p2p programs.

Offline mold

  • Copper Member
  • **
  • Posts: 305
Storm warning
« Reply #4 on: December 20, 2003, 08:24:53 AM »
Quote
Originally posted by AKcurly
1) the infection probably resulted from pulling a webpage and executing valid j/script


True, but this is limited.  You need to go to exactly the wrong webpage for this to work, right?  Or does the trojan find other webservers and insert malicious jscript into the served pages?

Quote
Originally posted by AKcurly
2) the trojan network communicates via port 53 -- the DNS port.  You can't block it.


Yeah, you can... why does a DNS client need to open port 53?

Offline Bodhi

  • Plutonium Member
  • *******
  • Posts: 8698
Storm warning
« Reply #5 on: December 20, 2003, 09:48:03 AM »
You can close any port.
I regret doing business with TD Computer Systems.

Offline AKIron

  • Plutonium Member
  • *******
  • Posts: 12772
Storm warning
« Reply #6 on: December 20, 2003, 10:15:32 AM »
Remember Code Red? I think there are still unpatched servers trying to propagate that crap. I doubt the Internet/Web will ever become invulnerable to those with too much free time and no life.
Here we put salt on Margaritas, not sidewalks.

Offline AKcurly

  • Silver Member
  • ****
  • Posts: 1509
Storm warning
« Reply #7 on: December 20, 2003, 12:38:54 PM »
Quote
Originally posted by mold
True, but this is limited.  You need to go to exactly the wrong webpage for this to work, right?  Or does the trojan find other webservers and insert malicious jscript into the served pages?

Yeah, you can... why does a DNS client need to open port 53?


Yah, you're right - I was thinking server.

Whatever mischief they're up to will be extremely difficult to interfere with:  1) sinit is a p2p trojan and 2) message traffic is encrypted.

If thousands of clients are infected, the trojan would be inactivated by a) turning your box off, b) firewall or c) removing the trojan.

It will be interesting to watch this happen - unpleasant, but interesting.

curly