Recent spike in port 53 activity

Published: 2003-12-16
Last Updated: 2003-12-16 21:26:46 UTC
by Tom Liston (Version: 1)
0 comment(s)
Although there has been a steady increase in port 53 activity over the past several months, the ISC monitored an enormous spike in that activity on 12/15/2003.

See:

http://isc.sans.org/port_details.html?port=53

Earlier investigations into the source of strange port 53 traffic led to a trojan known as W32/Calypso (AKA: BackDoor-BAM, BackDoor.Calypso, Backdoor.Sinit, Bck/Initsvc.B, BKDR_CALYPS.A, Trojan.Apolyps, Trojan.FakeSvc.A, Win-Trojan/Calypso.58880).

In controlled infections, the Calypso trojan has been seen to contact seemingly random IP addresses by sending a single UDP datagram to port 53. This activity is believed to be an attempt to connect in a peer-to-peer fashion with other Calypso-infected hosts. The packet itself appears to contain nothing more than a malformed DNS query. When the trojan randomly hits a real DNS server, the server may reply with an error message. When it contacts another infected host, however, an information exchange takes place, including a sharing of the IP addresses of other infected hosts. This appears to be a network map synchronization that keeps every host aware of the rest of the peer network.

While the ISC data indicates a large spike in records submitted to DShield, there is not an equally large spike in the number of sources or targets, which suggests that the malware responsible for this scanning may have changed tactics. One possible explanation is that the p2p component of the Calypso trojan is seeing increased usage.

See http://www.lurhq.com/sinit.html for an excellent analysis of the Calypso trojan and its p2p network.

Please monitor your networks for any outgoing port 53 packets that match the following BPF:

dst port 53 and (udp[8] = 1 and (udp[12:2] > 1000 or udp[14:2] > 1000 or udp[16:2] > 1000 or udp[18:2] > 1000 or udp[10:4] = 0))

and report any traffic that matches to the ISC Handlers immediately
( http://isc.sans.org/contact.html ). Also, be aware that if you find a compromised host on your network, the ISC recommends a complete "bare metal" re-install due to the fact that the trojan has a back-door component.
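To make the filter above easier to read, here is the same check written out in Python and run against a few constructed UDP datagrams. This is an added example, not code from the diary or from the Calypso analyses it cites; the packet contents and the hypothetical helper names (udp_datagram, dns_header, matches_calypso_filter, scan) are assumptions made for illustration. The BPF offsets are relative to the start of the UDP header: udp[8] is the first byte of the DNS payload (high byte of the DNS ID), udp[12:2] through udp[18:2] are QDCOUNT, ANCOUNT, NSCOUNT and ARCOUNT, and udp[10:4] spans the DNS flags word and QDCOUNT together.

```python
"""
Added example (not part of the original ISC diary): a pure-Python
re-implementation of the diary's BPF expression

  dst port 53 and (udp[8] = 1 and (udp[12:2] > 1000 or udp[14:2] > 1000
      or udp[16:2] > 1000 or udp[18:2] > 1000 or udp[10:4] = 0))

applied to constructed datagrams so the logic can be checked offline.

Offsets relative to the start of the UDP header (8-byte UDP header,
then the 12-byte DNS header):
  udp[2:2]   destination port
  udp[8]     high byte of the DNS transaction ID
  udp[10:4]  DNS flags (2 bytes) + QDCOUNT (2 bytes)
  udp[12:2]  QDCOUNT  udp[14:2] ANCOUNT  udp[16:2] NSCOUNT  udp[18:2] ARCOUNT
"""
import struct


def udp_datagram(sport, dport, payload):
    """Build a UDP header (checksum left as zero) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def dns_header(txid, flags, qdcount, ancount, nscount, arcount):
    """Build the 12-byte DNS header in network byte order."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def matches_calypso_filter(udp):
    """Return True when the datagram matches the diary's BPF expression."""
    # BPF byte loads past the end of the packet simply fail the match,
    # so anything shorter than UDP header + DNS header never matches.
    if len(udp) < 20:
        return False
    dport = struct.unpack_from("!H", udp, 2)[0]
    if dport != 53:                       # dst port 53
        return False
    if udp[8] != 1:                       # udp[8] = 1
        return False
    qd, an, ns, ar = struct.unpack_from("!HHHH", udp, 12)   # udp[12:2] .. udp[18:2]
    flags_and_qd = struct.unpack_from("!I", udp, 10)[0]     # udp[10:4]
    return any(count > 1000 for count in (qd, an, ns, ar)) or flags_and_qd == 0


# Constructed question section: "isc.sans.org", type A, class IN.
QUESTION = b"\x03isc\x04sans\x03org\x00" + b"\x00\x01\x00\x01"

# Constructed sample datagrams (hypothetical traffic, not captured data).
SAMPLE_DATAGRAMS = {
    # Ordinary A query, ID 0x1234: udp[8] is 0x12, so it never matches.
    "normal_query": udp_datagram(
        40001, 53, dns_header(0x1234, 0x0100, 1, 0, 0, 0) + QUESTION),
    # Ordinary query whose ID happens to start with 0x01; counts are sane
    # and udp[10:4] is non-zero, so it still does not match.
    "normal_query_id_01xx": udp_datagram(
        40002, 53, dns_header(0x01AB, 0x0100, 1, 0, 0, 0) + QUESTION),
    # ID 0x01xx with flags and QDCOUNT both zero (udp[10:4] = 0): matches.
    "zero_flags_and_qdcount": udp_datagram(
        40003, 53, dns_header(0x0142, 0x0000, 0, 0, 0, 0)),
    # ID 0x01xx with an absurd ARCOUNT (> 1000): matches.
    "huge_arcount": udp_datagram(
        40004, 53, dns_header(0x0100, 0x0100, 1, 0, 0, 5000) + QUESTION),
    # Same malformed header sent to port 80: filter needs dst port 53, no match.
    "wrong_port": udp_datagram(
        40005, 80, dns_header(0x0142, 0x0000, 0, 0, 0, 0)),
}


def scan(datagrams):
    """Return the sorted names of the datagrams that match the filter."""
    return sorted(name for name, udp in datagrams.items()
                  if matches_calypso_filter(udp))


if __name__ == "__main__":
    for name in scan(SAMPLE_DATAGRAMS):
        print("MATCH:", name)
```

Two things worth noticing when reading the expression this way. The udp[8] = 1 clause only requires that the high byte of the DNS ID be 0x01, which roughly one query in 256 from a legitimate resolver will satisfy, so the count and flags clauses are what actually separate Calypso traffic from normal lookups; a sane query with such an ID is left alone, as the second sample shows. On a live sensor the original expression can be handed to tcpdump unchanged (single-quoted, with -n and the interface of interest), and any hits should be reported to the handlers as the diary asks.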

George Bakos of Dartmouth's Institute for Security Technology Studies contributed a great deal of information to this diary. George has a page that details the study of Calypso traffic during the month of October:

http://people.ists.dartmouth.edu/~gbakos/bindsweep/

----------------

Handler on Duty: Tom Liston LaBrea Technologies ( http://www.labreatechnologies.com )