The famous DNS virus!
From: xxxxx
Sent: Tuesday, 10 June 2003 09:41
To: Richard Priest
Cc: noc@xxxx
Subject: Re: Possible Virus from your domain.
On Mon, 9 Jun 2003, Richard Priest wrote:
>> Hello,
>> We are an Internet Service Provider in the UK.
>>
>> I have received a call from one of our customers regarding a program.
>> (which we are unable to trace on his machine using various anti-virus
>> software and looking through the current tasks running in windows)
>>
>> The program seems to try and connect to the internet, and sends a data
>> packet to the following IP: 192.16.202.11 to port 53.
>>
>> If you have any knowledge of this program or its creator, please do not
>> hesitate to email me back with a resolution.
>>
>> Thank You
>>
>> Richard Priest
>>
>> Technical Support
>> Cobweb Solutions Ltd
>>
Hi Richard,
The virus you described is called DNS (Domain Name Service).
It was invented by (a bad guy) called Paul Mockapetris in the mid-80s and
first described very well in:
http://www.ietf.org/rfc/rfc882.txt
and later even standardized:
http://www.ietf.org/rfc/rfc1034.txt
http://www.ietf.org/rfc/rfc1035.txt
Finally, someone made an effort to compile a nice history of it:
http://www.ietf.org/rfc/rfc3467.txt
It really uses UDP - port 53 (for sending evil NS queries and NS replies)
and TCP - port 53 (for zone transfers).
The virus itself causes a strange disease, making people type strange
names like "www.microsoft.com", "www.cobweb.co.uk" instead of nice and
neat numbered addresses (like 207.46.249.190, 213.166.29.147 and so on).
It was partly responsible for the dot.com revolution in the mid-90s,
although its effects on the disaster of the dot.com industry are not
very clear.
To get familiar with the virus and the disease, I'd recommend that you read
the following RFC documents: 1034, 1035, 1537, 2181, 2929, 3090 and 3467,
as well as a good book:
http://www.amazon.com/exec/obidos/tg/detail/-/0596001584/
Cheers,
xxxxx
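For anyone who, like the support engineer above, sees a program sending "a data packet to port 53" and wants to know what it contains: the following is an added example (it is not part of the mail thread and was not written by either correspondent) that builds an RFC 1035 query for www.cobweb.co.uk exactly as it would appear on the wire, decodes a constructed reply, and shows the 2-octet length prefix that TCP port 53 (zone transfers) uses. The transaction ID, TTL and the reply itself are made up for the example; the address 213.166.29.147 is the one quoted in the reply. Nothing is sent on the network.

```python
"""Added example: encode/decode DNS messages (RFC 1035 section 4) offline."""
import struct

DNS_PORT = 53            # UDP for queries and replies, TCP for zone transfers
TYPE_A, TYPE_AXFR = 1, 252
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """www.cobweb.co.uk -> 3www 6cobweb 2co 2uk 0 (RFC 1035 section 3.1 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """12-octet header plus one question. Flags 0x0100 = RD (recursion desired).
    txid is an arbitrary value chosen for the example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def tcp_frame(msg: bytes) -> bytes:
    """On TCP port 53 every message is prefixed with its length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg: bytes, off: int, depth: int = 0):
    """Decode a possibly compressed name (RFC 1035 section 4.1.4).
    Returns (name, offset after the name). Recursion depth is bounded so a
    malformed reply with a pointer loop cannot hang the parser."""
    if depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # pointer: 11xxxxxx xxxxxxxx
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Return txid, QR bit, RCODE, the question(s) and any A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply a resolver might return for build_query("www.cobweb.co.uk").
    Flags 0x8180 = QR, RD, RA set; the 3600-second TTL is invented."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("www.cobweb.co.uk") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = (b"\xC0\x0C"                                   # pointer to the name at offset 12
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4)
              + bytes([213, 166, 29, 147]))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.cobweb.co.uk")
    print("UDP query to port %d: %s" % (DNS_PORT, q.hex()))
    print("same query framed for TCP: %s" % tcp_frame(q).hex())
    print(parse_response(sample_response()))
```

Running the block prints the 34-octet query as hex; comparing those bytes with a capture of the "mystery" packet is the quickest way to confirm that a program talking to port 53 is simply resolving a name.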