[RPZ] Trojan.Spachanel - Using SPF records for malware signaling (problem for RPZ sinkholing?)

Alan Doherty dnsrpz at alandoherty.net
Wed Jan 30 00:01:56 UTC 2013

At 23:17 29/01/2013  Tuesday, Paul Ferguson wrote:
>> i think it won't matter as according to the below article it will only query 0-few day old domains thus none are likely to be RPZ listed
>Actually, it has been a long-standing practice to extract the DGA from
>the malware, recompile the generation code, and pre-generate the
>domains so that they can blocked (or mitigated) on the date they will
>be used.
>This has been done with other malware which uses a DGA to generate
>their C&C domains (e.g. Conficker, Mebroot/Torpig, et al.).
>- ferg

I know this is possible, but do any of the RPZ zones in use/available 
list these unregistered-as-yet domains at the moment?

If so It might be an idea to start, I suspect the researchers might not publish, as in doing it they reveal the key is cracked and just cause an arms race in re-key stratagies.

why I think go after the registrar/dns-servers serving these bulk malicious registrations and cut out the middle man.

but thats not to say these pre determinable future-domains shouldn't be RPZ'd too (and timely removed afterward)

More information about the DNSfirewalls mailing list