[Emerging-Sigs] RBN-Blackhole evasion tactic
Jack Pepper
pepperjack at afferentsecurity.com
Thu Feb 14 11:28:18 EST 2008
Quoting Jim McQuaid <jim.mcquaid at gmail.com>:
> Last weekend I found several new RBN domains and IP ranges. They have
> adopted a new tactic, which is to use an "*" as the subdomain's name.
> When one tries to use an asterisk as a subdomain in Smoothwall's
> Blackhole, an error is produced. In addition to the RBN, typosquatter
> on an inline drop rule. I expect RBN will go to something like:
> *.beardedladies.trustedprotection.com and eventually
> *.heavily.bearded.ladies.trustedprotection.com ad infinitum...
>
> Can anyone help out on this?
These work, but I don't think it's realistic to enumerate every possible TLD.
# Each rule looks for a literal "*" label (length byte 0x01 followed by '*') in a
# DNS query, then for the length-prefixed TLD label; one rule per TLD.
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS \
lookup .com"; content:"|01|*"; distance: 2; within: 255; content: \
"|03|com"; nocase; classtype:trojan-activity; \
reference:url,ref.ref.com; sid:1000042; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS \
lookup .org"; content:"|01|*"; distance: 2; within: 255; content: \
"|03|org"; nocase; classtype:trojan-activity; \
reference:url,ref.ref.com; sid:1000043; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS \
lookup .edu"; content:"|01|*"; distance: 2; within: 255; content: \
"|03|edu"; nocase; classtype:trojan-activity; \
reference:url,ref.ref.com; sid:1000044; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS \
lookup .biz"; content:"|01|*"; distance: 2; within: 255; content: \
"|03|biz"; nocase; classtype:trojan-activity; \
reference:url,ref.ref.com; sid:1000045; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS \
lookup .net"; content:"|01|*"; distance: 2; within: 255; content: \
"|03|net"; nocase; classtype:trojan-activity; \
reference:url,ref.ref.com; sid:1000046; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS \
lookup .museum"; content:"|01|*"; distance: 2; within: 255; content: \
"|06|museum"; nocase; classtype:trojan-activity; \
reference:url,ref.ref.com; sid:1000047; rev:1;)
Any creative suggestions from the list?
tc
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
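As an added example (not from the original post or from the Emerging-Sigs project), the same check done TLD-independently: walk the length-prefixed labels of the DNS question name and flag any label that is a literal "*", whatever follows it, so no per-TLD enumeration is needed. It assumes a standard 12-byte DNS header with the question at offset 12; the sample queries are constructed here, not captured traffic.

```python
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard DNS query (constructed test input, not captured traffic)."""
    labels = name.split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT = 1
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_qname(payload):
    """Return the labels of the first question name, or None if malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None                          # no header or QDCOUNT == 0
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None                      # truncated before the root label
        length = payload[pos]
        if length == 0:
            return labels                    # root label terminates the name
        if length & 0xC0:
            return None                      # compression pointer: not valid in a query name
        pos += 1
        label = payload[pos:pos + length]
        if len(label) != length:
            return None                      # label runs past the end of the packet
        labels.append(label.decode("ascii", "replace"))
        pos += length


def wildcard_lookup(payload):
    """Return (qname, tld) when any label is a literal '*', else None."""
    labels = parse_qname(payload)
    if not labels or "*" not in labels:
        return None
    return ".".join(labels), labels[-1].lower()


if __name__ == "__main__":
    for name in ("*.beardedladies.trustedprotection.com",
                 "*.heavily.bearded.ladies.trustedprotection.com",
                 "www.example.org"):
        print(name, "->", wildcard_lookup(build_query(name)))
```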