12/03/2008

Update: the Skynet DNS server in trouble

The internal DNS server of Skynet (the biggest ISP in Belgium), 195.238.2.22, has its port 53 open for DNS, but only for internal clients.

A certain number of those internal clients are infected by a worm that tries to contact several websites to download its malware. For this it uses a DNS server: this DNS server. So the DNS server is being seen as malicious, probably because it sends a lot of traffic to sites that are flagged as being part of a botnet.

You can use the DNS server to block access to those malicious botnet sites and identify which computers try to connect to that server. You could even replace the site with a pop-up telling the owner of the PC that the PC is infected and that they should contact the helpdesk or download some free stuff to clean it. But as a commenter said, that would only be possible with HTTP botnets that use a browser (pop-up) themselves. But I am sure that Belgacom has other means of contacting its clients that are infected (not by mail, unless you like phishing in the future).

Just a thought.
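The identification step described above, as an added example that is not part of the original post: it scans resolver query logs for lookups of blocklisted names and groups the hits by client address, which works on the DNS lookup alone, with no browser involved. The BIND-style log format, the blocklist entries, the client addresses and all function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed blocklist (placeholder names, not real indicators).
BLOCKLIST = {"update.botnet-c2.example", "malware-drop.example"}

# Constructed resolver query log, modelled on BIND-style "client IP#port: query: NAME IN TYPE".
SAMPLE_LOG = """\
12-Mar-2008 11:02:13.101 client 192.0.2.10#53124: query: www.skynet.example IN A +
12-Mar-2008 11:02:14.220 client 192.0.2.23#40211: query: update.botnet-c2.example IN A +
12-Mar-2008 11:02:44.907 client 192.0.2.23#40217: query: UPDATE.Botnet-C2.example. IN A +
12-Mar-2008 11:03:01.553 client 192.0.2.41#61002: query: cdn.malware-drop.example IN A +
12-Mar-2008 11:03:09.018 client 192.0.2.10#53130: query: notmalware-drop.example IN A +
12-Mar-2008 11:03:10.000 general: zone reload complete
"""

QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN \S+")

def blocked_match(name, blocklist):
    """Return the blocklist entry that `name` equals or is a subdomain of, else None."""
    labels = name.rstrip(".").lower().split(".")
    # Compare whole-label suffixes only, so "notmalware-drop.example" does not
    # match "malware-drop.example" the way a plain substring test would.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def suspected_clients(log_text, blocklist):
    """Map each client IP to {blocklist entry: number of lookups}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (e.g. server status messages)
        entry = blocked_match(m.group("name"), blocklist)
        if entry:
            hits[m.group("ip")][entry] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

if __name__ == "__main__":
    for ip, counts in sorted(suspected_clients(SAMPLE_LOG, BLOCKLIST).items()):
        print(ip, counts)
```

The per-client result is what a helpdesk would need to contact the affected subscribers through some other channel.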

11:35

Comments

Uhm, not really. While you could block access to known botnet CC's, giving that popup would only be possible if the user knowingly browses to that site with a browser. There's no way you're going to pop up anything if the local botnet client is going to use DNS to merely resolve the name.

Posted by: domdingelom | 12/03/2008
