dsredirection.com = malware ?

ObiWan
dsredirection.com = malware ?
« on: September 02, 2008, 07:51:11 AM »

Yesterday I was at a customer site looking at various stuff; when I opened the DNS console I expanded the "cache" branch of the MMC and found some "strange" stuff; sitting inside the cache there were a lot of entries related to pseudo-random host names like e.g.

bbetfgbs.com
cckhgtik.com
dbsxvibw.com
hfjigfcv.com

and many more; all those hosts had as authoritative DNS "ns1.dsredirection.com" and "ns2.dsredirection.com", and all those hosts resolved to 208.73.210.32

Some bell started ringin' in my head so I decided to start taking some countermeasures, but being a curious fellow, and since the network was rather big, I decided to take a "step by step approach", so I started by blocking 208.73.210.32 and then setting up a "DNS filter" for the "dsredirection.com" zone so that any query toward it would result in a "0.0.0.0" answer :)

Now... here's the reason for this post; before I go on, is there anyone on this board who has already seen similar things? And in such a case, what (which "critter") are they related to?

TIA
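An added example (mine, not ObiWan's or the board's) of the triage step described above: it scans a constructed, simplified cache dump for the two hard indicators from the post (the dsredirection.com name servers and 208.73.210.32), notes when a matching name also looks pseudo-random, and emits 0.0.0.0 entries in hosts-file form as a stand-in for the "DNS filter" zone. The three-column record format is an assumption, not the real DNS console or dnscmd output.

```python
import re

# Constructed sample in a simplified "name type value" form (assumption: a real
# DNS console / dnscmd cache dump is richer; this is not its format).
SAMPLE_CACHE = """\
bbetfgbs.com NS ns1.dsredirection.com
bbetfgbs.com A 208.73.210.32
cckhgtik.com NS ns2.dsredirection.com
dbsxvibw.com A 208.73.210.32
www.example.com A 192.0.2.10
update.example.org NS ns.example.org
"""
SUSPECT_NS = re.compile(r"\.dsredirection\.com$", re.IGNORECASE)  # from the thread
SUSPECT_IPS = {"208.73.210.32"}  # the shared A record from the thread

def parse_cache(text):
    """Yield (name, rtype, value) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0].lower(), parts[1].upper(), parts[2]

def looks_random(label):
    """Weak heuristic: a run of four or more consonants, as in 'bbetfgbs'."""
    run = best = 0
    for ch in label:
        run = 0 if ch in "aeiou" else run + 1
        best = max(best, run)
    return best >= 4

def flag_records(records):
    """Map each name matching a hard indicator to the set of reasons found."""
    hits = {}
    for name, rtype, value in records:
        reasons = set()
        if rtype == "NS" and SUSPECT_NS.search(value):
            reasons.add("authoritative NS under dsredirection.com")
        if rtype == "A" and value in SUSPECT_IPS:
            reasons.add("resolves to 208.73.210.32")
        if reasons and looks_random(name.split(".")[0]):
            reasons.add("pseudo-random label")  # only reported beside a hard hit
        if reasons:
            hits.setdefault(name, set()).update(reasons)
    return hits

def sinkhole_lines(hits):
    """hosts-file style 0.0.0.0 entries, the same idea as the poster's DNS filter."""
    return [f"0.0.0.0 {name}" for name in sorted(hits)]
```

The consonant-run heuristic is deliberately only a secondary tag: on its own it would also catch ordinary names such as "strength", so a name is reported only when one of the hard indicators matches.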


bamajim
Re: dsredirection.com = malware ?
« Reply #1 on: September 02, 2008, 08:08:39 AM »
I have not seen them in the location you indicated, but they are related to a new strain of Vundo. You may also find files with those types of names in System32 if the infection has spread.
