Malware DNS Scaper

If you just want to get cracking and download the DNS Scraper you can just download it here. Documentation is for wussies!

This project was started by Ben as a simple way to check to see if computers on his network were trying to check into known Botnet command and control servers. Ben initially had the idea while while staring at the ZeuS Tracker Domain Block list and trying his usual method of manually entering domains to query the firewalls. Then, a moment of inspiration hit: He didn’t care about all the domains, just the domains that people visit. Who knows what domains people visit? The DNS servers! Now it was just a question of trying to coax the information out of the DNS servers.

Thankfully, an excellent podcast, PaulDotCom Security Weekly had been talking about getting information out of DNS servers during penetration tests. A simple non-recursive DNS lookup on the local DNS server can tell you if someone queried for the host recently. This was handy in a penetration test to tell what sites users were visiting nad if they had content filtering enabled on their network. Ben used this to find out different information: If the DNS servers had cached entries of "known bad" domains, that means someone on his network was querying for them indicating an infection.

The first version of the script used the abuse.ch ZeuSTracker domain block list as it's list of "bad domains" and it worked rather well. Ben quickly realized that this could be expanded beyond a single list and could use multiple data sources to have more information to query. Ben started combining multiple sources and created the Mayhemic Labs Malicious Hosts list which it what the malware DNS scraper defaults to.

Running the Script

Running the tool is fairly simple, there are only a handful of options: –-server, specifying which server(s) to query, –-file, specifying where to put the downloaded list (defaulting to /tmp/malhosts.txt) , -–download/-–nodownload which specifies whether or not the script should attempt to download the block list, --rate which limits the number of queries per second, and –debug, which specifies the verbosity of the script.

A typical command line would be:
perl malwarednsscraper.pl --server 192.168.1.2 --server 192.168.1.3

Which would download the block list, and then proceed to query 192.168.1.2 and 192.168.1.3 for each entry in the list. You can specify as many as many servers as you like, however, the block list often is over a thousand entries, so each additional server adds another thousand or so queries.

Alternatively, once the list is downloaded, the script will download the block list only if the local copy is older then 60 minutes, (don’t worry it doesn’t update that frequently). You can also specify that the script doesn’t download the list again with the -–nodownload option:

perl malwarednsscraper.pl --server 192.168.1.2 --server 192.168.1.3 --nodownload

If you are overloading one or more of the DNS servers, or if you know your DNS servers can handle a faster rate then the default of 25 per second you can specify a different rate with the --rate option:

perl malwarednsscraper.pl --server 192.168.1.2 --server 192.168.1.3 --rate 10

Which will send queries at a rate of 10 per second. Put on a pot of coffee if you set it real low, you'll be there for a while.

As of version 0.3.1, the script will ignore hosts flagged as "false positives" by the malicious host lists. If you want to query for these anway, run the script with --falsepositives option:

perl malwarednsscraper.pl --server 192.168.1.2 --server 192.168.1.3 --falsepositives

You can also turn on debugging with the debug option, which will display every step in the process:

perl malwarednsscraper.pl --server 192.168.1.2 --server 192.168.1.3 --debug

Needless to say, this does generate a fair bit out output, and you may miss when it finds a cached entry, so be careful with this.

Interpreting Results

When the script is run in a non-debug mode, a ‘.’ will appear after each query, while in debug mode it will display the result of the query and whether or not it found an entry.

What You Want To See

If the script finds no cached entries, you will see:

Completed!

NNNN queries made, 0 entries found! Hooray!

In this example, NNNN would be the number of queries sent, remember this is (number of entries on the list) * (numbers of servers qeueries)increases which each additional server you need to query, and it has found 0 entries, indicating that the DNS servers queried have no cached entries for any of the domains. Congratulations, pat yourself on the back and grab yourself a nice frosty beverage from the refrigerator.

What You Do Not Want To See

If the script finds one or more cached entries you will see:

NNNN queries made, 4 entries found. Uh Oh.

W.X.Y.Z has an entry in it's cache for www.example.net: 10.1.2.3 TTL: 34 (Malware: Unknown Malware, Source: MDL)
W.X.Y.Z has an entry in it's cache for www.example.net: 10.1.2.4 TTL: 34 (Malware: Unknown Malware, Source: MDL)
W.X.Y.Z has an entry in it's cache for www.example.com: 10.4.5.6 TTL: 44 (Malware: Trojan-Downloader.Win32.Agent.agld, Source: MP)
W.X.Y.Z has an entry in it's cache for www.example.org: 10.7.8.9 TTL: 3468 (Malware: Multiple Entries, Source: MP/ZT)

Well, crap. This time the beverage you need is probably kept in your attrition.org flask. Same as above, "NNNN" is the number of queries the script made and the “4″ in this example is number of results found. In this example, “www.example.net” was cached with two separate addresses, while “www.example.com” and “www.example.org” both have one apiece. "www.example.net" was found via tha Malware Domain List (MDL) and "www.example.com" was found via the MalwarePatrol list. Now, "www.example.org" was found on both the MalwarePatrol and ZeusTracker (ZT) list and was listed with multiple forms of malware. The "TTL" on each line shows the remaining time to live of the cached entry in seconds. Finally, the W.X.Y.Z in the above example is the DNS server that responded, and the 10.X.X.X addresses are the IP addresses that the DNS server responded with. These IP addresses are what you are interested in.

My DNS Servers Have Cached Entries! Now What?

This is where some good old detective work comes in. The presence of the cached entries on your DNS server only means that one of the clients on your network asked for the entry in question. Normally, it’s time to start plugging IP addresses in your firewall logs to see who’s been visiting them. Then it’s time to start cleaning.

Caveats

Now, obviously, this sends a boat load of queries in a very rapid fashion to DNS servers. Make sure that your DNS server and your connection can handle the load and don’t run it against DNS servers that you do not have permission to do so. Also, some of the DNS entries have small enough TTLs that they may expire quickly, meaning that even if the script comes back clean, there could still be infected hosts.

Download the Malware DNS Scraper