DNS Log Analysis

DNS Logs
08-May-2006 13:48:07.957 client @0x8b69800: udprecv
08-May-2006 13:48:07.958 client 66.66.0.63#62048: UDP request
08-May-2006 13:48:07.958 client 66.66.0.63#62048: using view '_default'
08-May-2006 13:48:07.958 client 66.66.0.63#62048: request is not signed
08-May-2006 13:48:07.958 client 66.66.0.63#62048: recursion available
08-May-2006 13:48:07.958 client 66.66.0.63#62048: query
08-May-2006 13:48:07.961 client 66.66.0.63#62048: query '70.0.130.66.in-addr.arpa/PTR/IN' approved
08-May-2006 13:48:07.961 client 66.66.0.63#62048: send
08-May-2006 13:48:07.961 client 66.66.0.63#62048: sendto
08-May-2006 13:48:07.961 client 66.66.0.63#62048: senddone
08-May-2006 13:48:07.962 client 66.66.0.63#62048: next
08-May-2006 13:48:07.962 client 66.66.0.63#62048: endrequest
08-May-2006 13:48:07.962 client @0x8b69800: udprecv
08-May-2006 13:48:07.748 client 66.66.24.169#1025: query (cache) 'instructions.hacker.net/A/IN' approved
08-May-2006 13:48:07.748 createfetch: instructions.hacker.net A
08-May-2006 13:48:07.748 fctx 0x8251c00(instructions.hacker.net/A'): create
08-May-2006 13:48:07.749 fctx 0x8251c00(instructions.hacker.net/A'): join
08-May-2006 13:48:07.749 fetch 0x81ef040 (fctx 0x8251c00(instructions.hacker.net/A)): created
08-May-2006 13:48:07.749 fctx 0x8251c00(instructions.hacker.net/A'): start
08-May-2006 13:48:07.749 fctx 0x8251c00(instructions.hacker.net/A'): try
08-May-2006 13:48:07.749 fctx 0x8251c00(instructions.hacker.net/A'): cancelqueries
08-May-2006 13:48:07.749 fctx 0x8251c00(instructions.hacker.net/A'): getaddresses
08-May-2006 13:48:07.749 fctx 0x8251c00(instructions.hacker.net/A'): query

08-May-2006 13:48:07.748 client 66.66.24.169#1025: query (cache) 'instructions.hacker.net/A/IN' approved
*************************************
What does this tell you?
How can this be helpful to an investigation?

Example #1 – Malware
The “Fuzzy Widget” company states that it has been compromised by a network worm. The worm was custom written by a disgruntled employee. Because it was never distributed worldwide, no anti-virus product has a signature that detects it. They think the worm is capturing keystrokes and sending them off-site.

  • How would you be able to determine the extent of their infection?
  • How would you be able to determine which machines had been compromised?
DNS Logs (Malware)

08-May-2006 14:59:43.936 client 66.11.51.102#51563: query (cache) 'mail.hackedbox.com/A/IN' approved
08-May-2006 15:00:28.014 client 66.30.0.70#18380: query (cache) 'ns4.hackedbox.com/AAAA/IN' approved
08-May-2006 15:00:28.016 client 66.30.0.70#18380: query (cache) 'ns3.hackedbox.com/AAAA/IN' approved
08-May-2006 15:00:28.019 client 66.30.0.70#18380: query (cache) 'ns2.hackedbox.com/AAAA/IN' approved
08-May-2006 15:01:18.113 client 66.19.187.65#1607: query (cache) 'toolbarqueries.hackedbox.com/A/IN' approved
08-May-2006 15:01:38.227 client 66.13.24.169#1025: query (cache) 'www.hackedbox.com/A/IN' approved
08-May-2006 15:01:43.953 client 66.11.51.102#51572: query (cache) 'mail.hackedbox.com/A/IN' approved
08-May-2006 15:02:05.022 client 66.30.0.70#18380: query (cache) 'ns4.hackedbox.com/AAAA/IN' approved
08-May-2006 15:02:05.025 client 66.30.0.70#18380: query (cache) 'ns2.hackedbox.com/AAAA/IN' approved
08-May-2006 15:02:05.921 client 66.12.9.100#1026: query (cache) 'toolbarqueries.hackedbox.com/A/IN' approved
08-May-2006 15:03:43.942 client 66.11.51.102#51575: query (cache) 'mail.hackedbox.com/A/IN' approved
08-May-2006 15:03:55.610 client 66.12.9.100#1026: query (cache) 'toolbarqueries.hackedbox.com/A/IN' approved
08-May-2006 15:04:05.962 client 66.17.6.115#1604: query (cache) 'toolbarqueries.hackedbox.com/A/IN' approved
08-May-2006 15:05:43.946 client 66.11.51.102#51576: query (cache) 'mail.hackedbox.com/A/IN' approved

08-May-2006 15:07:03.262 client 66.13.123.203#3893: query 'hackedbox.mycompany.com/A/IN' approved
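To work the two questions above against the log excerpt, here is an added Python example (not part of the original page) that parses BIND query-log lines, lists which client IPs resolved anything under hackedbox.com, and measures the spacing between one client's repeated lookups. The sample lines are copied from the excerpts above; treating hackedbox.com as the domain the worm contacts is an assumption for the exercise.

```python
import re
from collections import defaultdict
from datetime import datetime

# One BIND query record: timestamp, client ip#port, optional "(cache)", 'qname/qtype/qclass' approved.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query (?:\(cache\) )?"
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' approved$"
)

# Sample input: lines taken from the log excerpts above, plus one non-query debug line.
SAMPLE_LOG = """\
08-May-2006 13:48:07.961 client 66.66.0.63#62048: query '70.0.130.66.in-addr.arpa/PTR/IN' approved
08-May-2006 13:48:07.961 client 66.66.0.63#62048: send
08-May-2006 14:59:43.936 client 66.11.51.102#51563: query (cache) 'mail.hackedbox.com/A/IN' approved
08-May-2006 15:00:28.014 client 66.30.0.70#18380: query (cache) 'ns4.hackedbox.com/AAAA/IN' approved
08-May-2006 15:01:18.113 client 66.19.187.65#1607: query (cache) 'toolbarqueries.hackedbox.com/A/IN' approved
08-May-2006 15:01:38.227 client 66.13.24.169#1025: query (cache) 'www.hackedbox.com/A/IN' approved
08-May-2006 15:01:43.953 client 66.11.51.102#51572: query (cache) 'mail.hackedbox.com/A/IN' approved
08-May-2006 15:03:43.942 client 66.11.51.102#51575: query (cache) 'mail.hackedbox.com/A/IN' approved
08-May-2006 15:05:43.946 client 66.11.51.102#51576: query (cache) 'mail.hackedbox.com/A/IN' approved
08-May-2006 15:07:03.262 client 66.13.123.203#3893: query 'hackedbox.mycompany.com/A/IN' approved
""".splitlines()

def parse_query_log(lines):
    """Yield one dict per approved query; other debug lines (send, next, ...) are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
            yield rec

def clients_querying(lines, domain):
    """Map each client IP to the names it resolved in `domain`, matching on a label boundary."""
    hits = defaultdict(set)
    for rec in parse_query_log(lines):
        # endswith("." + domain) keeps hackedbox.mycompany.com from counting as hackedbox.com
        if rec["qname"] == domain or rec["qname"].endswith("." + domain):
            hits[rec["ip"]].add(rec["qname"])
    return {ip: sorted(names) for ip, names in hits.items()}

def beacon_intervals(lines, ip, qname):
    """Seconds between successive lookups of qname by ip; a fixed cadence suggests a beacon."""
    times = sorted(r["ts"] for r in parse_query_log(lines)
                   if r["ip"] == ip and r["qname"] == qname)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    print(clients_querying(SAMPLE_LOG, "hackedbox.com"))
    print(beacon_intervals(SAMPLE_LOG, "66.11.51.102", "mail.hackedbox.com"))  # [120, 120, 120]
```

The per-client list answers which machines touched the suspect domain; the constant 120-second spacing of 66.11.51.102's lookups is the kind of regular cadence worth pulling the host for.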