[RPZ] Trojan.Spachanel - Using SPF records for malware signaling (problem for RPZ sinkholing?)
dnsrpz at alandoherty.net
Wed Jan 30 00:01:56 UTC 2013
At 23:17 29/01/2013 Tuesday, Paul Ferguson wrote:
>> i think it won't matter as according to the below article it will only query 0-few day old domains thus none are likely to be RPZ listed
>Actually, it has been a long-standing practice to extract the DGA from
>the malware, recompile the generation code, and pre-generate the
>domains so that they can blocked (or mitigated) on the date they will
>This has been done with other malware which uses a DGA to generate
>their C&C domains (e.g. Conficker, Mebroot/Torpig, et al.).
I know this is possible, but do any of the RPZ zones in use/available
list these unregistered-as-yet domains at the moment?
If so It might be an idea to start, I suspect the researchers might not publish, as in doing it they reveal the key is cracked and just cause an arms race in re-key stratagies.
why I think go after the registrar/dns-servers serving these bulk malicious registrations and cut out the middle man.
but thats not to say these pre determinable future-domains shouldn't be RPZ'd too (and timely removed afterward)
More information about the DNSfirewalls