ISC handlers have written several reports this past week dealing with malware that redirect a client to download suspicious files from sites that we often want to block. It is common for malware to use evading techniques such as fast flux to avoid being blocked by constantly changing the IP(s). However, the website name remains static and this is where DNS sinkhole comes in to play.

A way to deal with this is to resolve the address before it leaves your site to get a response from the DNS site owner. Several lists already exist on the Internet that can be used to populate a sinkhole.

The first step is to add a configuration file to the /etc/named.conf. For example, add:

include "/var/named/sink_local.conf";

Run the command "named-checkconf" to make sure you have no errors in your named.conf file.

The second step is to edit (or create it of not already done) the sink_local.conf file in the /var/named directory and add to the sinkhole the malicious site. For example, we are going to use the site published in Patrick's Diary http://isc.sans.org/diary.html?storyid=7918 our.org.molendf.co.kr. Add in sink_local.conf the following line:

zone "our.org.molendf.co.kr" IN { type master; file "/var/named/sinkhole/redirect.nowhere"; };

Third, you need to create the master file in the new sinkhole directory /var/named/sinkhole/redirect.nowhere that will redirect the client to the sinkhole address. This file never changes and remains static. I have called my file redirect.nowhere which I think is only fitting. Here is an example of this file:

$TTL    600
@                       1D IN SOA       localhost root (
                                        42              ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        @
                        5 IN A          192.168.25.5

The IP address I have assigned here is an IP that can be used to alert on. For example, this IP can be a website to show a policy page. This will only work if the client is attempting to contact a website. Add  this IP (192.168.25.5) to your IDS/IPS to alert every time a PC connects to it (on any ports). The security team can verify the PC for signs of system compromise.

Last, reload your zone for your new list to take effect by executing "rndc reconfig"

Make sure the clients are now using the name server that has been configured with the sinkhole. The final step is to test the configuration to ensure the clients are resolving the malicious sites using our sinkhole address:

C:Users:guy>nslookup our.org.molendf.co.kr
Server: somename.sinkhole.com
Address: 192.168.25.25

Name: our.org.molendf.co.kr
Address: 192.168.25.5

This can be expended using other trusted list. For example, you could use the SRI "Most Observed Malware-Related DNS Names" list and add a new include option in the named.conf like sri.conf in the /var/named directory and populate with the list. This could be scripted to update daily to keep the list up-to-date. This adds another layer of defense you can control.

If you know of other lists that could populate a sinkhole, I will add them later to this diary.

Update: The Malware Domain List provides a list of website currently serving malware as well as a description (i.e. Trojan, PDF exploit, etc).

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org