DNS alert for CryptoLocker?

So I don’t have to reinvent the wheel, does anyone have a script to alert when a bunch of DNS nxdomain response codes are returned? We had a CryptoLocker infected system. Here is a snippet of the DNS queries it was performing. I assume the script will be fairly trivial to write with the new metrics framework.

1382548938.833528 GMCxsRbK0Ai 128.x.y.z 58872 128.a.b.c 53 udp 11849 ndqycnknvoouv.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382548944.705308 gNc8acns5pe 128.x.y.z 57136 128.a.b.c 53 udp 29248 hcanlyoattqnk.info 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382548947.922531 2wQ3L1SjO2i 128.x.y.z 55438 128.a.b.c 53 udp 37701 pggqvjlpjuvfj.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382548950.164884 K6SBCLsCeHd 128.x.y.z 62257 128.a.b.c 53 udp 27109 rkvrpstomducl.org 1 C_INTERNET 1 A - - F F T F 0 - - F
1382548952.804004 A3cpzxeprDd 128.x.y.z 62188 128.a.b.c 53 udp 19436 xdlmipcfinsnx.info 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382548953.848624 oFpUoyQaeT6 128.x.y.z 58160 128.a.b.c 53 udp 64315 yskkfkmsvjyjh.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382548956.153981 42MqOejLeC7 128.x.y.z 61254 128.a.b.c 53 udp 25859 bwalyturyrxgh.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382548960.964978 iwlngihsWR2 128.x.y.z 59060 128.a.b.c 53 udp 49446 wfffkyemceall.info 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382548965.228544 BSHfNWkQmN2 128.x.y.z 50542 128.a.b.c 53 udp 64599 gxfbvapxgjhhwir.ru 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382548966.392850 AL4jDt0K4Bl 128.x.y.z 65068 128.a.b.c 53 udp 60778 pbxksllrmivxhjc.org 1 C_INTERNET 1 A - - F F T F 0 - - F
1382548998.923970 hvrkgMU1nj9 128.x.y.z 64366 128.a.b.c 53 udp 58017 - - - - - 0 NOERROR F F F T 0 212.71.250.4,212.71.250.4 0.000000,0.000000 F
1382549001.210921 F0wHtNhVKQj 128.x.y.z 53692 128.a.b.c 53 udp 18268 eijwmsocubkbifr.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382549004.587866 dupMP8ecnh9 128.x.y.z 65102 128.a.b.c 53 udp 55272 - - - - - 3 NXDOMAIN F F F F 0 - - F
1382549005.590564 8hHrrWK3ySg 128.x.y.z 53233 128.a.b.c 53 udp 49644 csnrwkgpneybfdw.org 1 C_INTERNET 1 A - - F F T F 0 - - F
1382549008.355729 2zHHnrpDv94 128.x.y.z 49268 128.a.b.c 53 udp 48578 yxhlnnrvnxwhvjb.info 1 C_INTERNET 1 A - - F F T F 0 - - F
1382549009.401946 XGYKkM7TJHb 128.x.y.z 58084 128.a.b.c 53 udp 21374 ypqijlryiuibvra.com 1 C_INTERNET 1 A - - F F T F 0 - - F
1382549011.483780 jPbHypWQKyh 128.x.y.z 56556 128.a.b.c 53 udp 38615 gfidmpcvtbjipor.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382549014.515443 ndy7OcvfED 128.x.y.z 49785 128.a.b.c 53 udp 11355 - - - - - 3 NXDOMAIN F F F F 0 - - F
1382549015.564495 qkrQfYjmd8g 128.x.y.z 64433 128.a.b.c 53 udp 45 - - - - - 0 NOERROR F F F T 0 212.71.250.4,212.71.250.4 0.000000,0.000000 F
1382549017.104583 bQbmeVq6PSl 128.x.y.z 60956 128.a.b.c 53 udp 21595 epmydibaismctwn.info 1 C_INTERNET 1 A - - F F T F 0 - - F
1382549020.276359 ZyCXQrFDUie 128.x.y.z 58936 128.a.b.c 53 udp 45237 taxkcsutphxwues.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382549021.295831 DDxa09moudg 128.x.y.z 51396 128.a.b.c 53 udp 14981 ooqydautbpucsxk.ru 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382549024.077917 utOUlYH43La 128.x.y.z 61588 128.a.b.c 53 udp 33615 - - - - - 0 NOERROR F F F T 0 212.71.250.4 0.000000 F
1382549026.376626 7NYXLG3zOJ4 128.x.y.z 52200 128.a.b.c 53 udp 30833 myuutstxphxvlmn.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382549028.599961 MBxVPKOcOl3 128.x.y.z 58592 128.a.b.c 53 udp 49290 ohfvyihiguvwuxp.biz 1 C_INTERNET 1 A - - F F T F 0 - - F
1382549031.847178 vD02D08eII4 128.x.y.z 61924 128.a.b.c 53 udp 23377 shocdnhyfmdfsoj.co.uk 1 C_INTERNET 1 A - - F F T F 0 - - F
1382549034.478314 n3WCj7AlLU2 128.x.y.z 60108 128.a.b.c 53 udp 33753 tmyedwcqvvykcjj.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382549036.575201 caR4StggyDa 128.x.y.z 52132 128.a.b.c 53 udp 4039 oxsaegepxdvieuh.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382549037.595521 OgiZzasfva3 128.x.y.z 52622 128.a.b.c 53 udp 49144 cbcrkxjuurixfpe.ru 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382549038.784184 fbHvNBwyQr6 128.x.y.z 65484 128.a.b.c 53 udp 51376 pddcepyhomrngqq.org 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1382549039.995781 MdZxaa06IYh 128.x.y.z 56073 128.a.b.c 53 udp 1505 novnagkvsgbfbvv.co.uk 1 C_INTERNET 1 A 0 NOERROR F F T T 0 212.71.250.4,212.71.250.4 0.000000,0.00000

Thanks,

Tyler

I wrote this: https://github.com/anthonykasza/nxes

It’s not exactly what you’re looking to do, as it doesn’t make use of the SumStats framework. Hopefully you still find it helpful.

-AK

I have a whole crap load of DNS & Recon scripts I did for BSides DC; I just haven’t had time to post yet.

Too many NXDomains:

https://gist.github.com/LiamRandall/7339749

Tune as you see fit. Important note: if you are only instrumented at the ingress/egress point, you will most likely only be seeing your recursive resolver.

Liam
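A worked detector for Tyler's question, added here as an example rather than code from the thread or from either linked script: it parses lines in the dns.log layout quoted above (the column offsets, the threshold of 5 and the 60 s window are assumptions to tune), counts NXDOMAIN replies per source host in a sliding window, and carries Liam's caveat that behind a recursive resolver the source host will be the resolver itself.

```python
from collections import defaultdict, deque

# Column offsets in the whitespace-separated dns.log layout quoted in the thread (assumed)
TS, ORIG_H, QUERY, RCODE_NAME = 0, 2, 8, 14

# Constructed sample in that layout; timestamps, uids, the second host and its answer are made up.
SAMPLE_LOG = """\
1000.0 u1 128.x.y.z 58872 128.a.b.c 53 udp 11849 ndqycnknvoouv.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1006.0 u2 128.x.y.z 57136 128.a.b.c 53 udp 29248 hcanlyoattqnk.info 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1009.0 u3 128.x.y.z 55438 128.a.b.c 53 udp 37701 rkvrpstomducl.org 1 C_INTERNET 1 A - - F F T F 0 - - F
1012.0 u4 10.0.0.7 40000 128.a.b.c 53 udp 100 www.example.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 203.0.113.5 60.000000 F
1014.0 u5 128.x.y.z 62188 128.a.b.c 53 udp 19436 xdlmipcfinsnx.info 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1016.0 u6 128.x.y.z 58160 128.a.b.c 53 udp 64315 yskkfkmsvjyjh.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1020.0 u7 10.0.0.7 40001 128.a.b.c 53 udp 101 typo.exmaple.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1023.0 u8 128.x.y.z 61254 128.a.b.c 53 udp 25859 bwalyturyrxgh.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
1027.0 u9 128.x.y.z 59060 128.a.b.c 53 udp 49446 wfffkyemceall.info 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
"""

def parse_dns_line(line):
    """Return (ts, orig_h, query, rcode_name) for one dns.log line, or None for headers/blanks."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) <= RCODE_NAME:
        return None
    return float(f[TS]), f[ORIG_H], f[QUERY], f[RCODE_NAME]

def nxdomain_bursts(lines, threshold=5, window=60.0):
    """Flag each orig_h whose NXDOMAIN replies within a sliding `window` (seconds) reach
    `threshold`; at most one alert per host per window keeps a long run from being noisy.
    Returns [(orig_h, trigger_ts, count_in_window)]. Per the thread's caveat, a sensor placed
    beyond the recursive resolver sees the resolver as orig_h, not the infected client."""
    recent = defaultdict(deque)   # orig_h -> timestamps of NXDOMAIN replies still in window
    last_alert = {}
    alerts = []
    for line in lines:
        rec = parse_dns_line(line)
        if rec is None:
            continue
        ts, host, _query, rcode = rec
        if rcode != "NXDOMAIN":   # "-" = no reply seen, NOERROR = resolved; neither counts
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop replies that fell out of the window
            q.popleft()
        if len(q) >= threshold and ts - last_alert.get(host, float("-inf")) > window:
            last_alert[host] = ts
            alerts.append((host, ts, len(q)))
    return alerts
```

Run over the sample, the first host trips the threshold on its fifth NXDOMAIN reply while the second host, with one typo lookup, does not; feed a real dns.log through `nxdomain_bursts(open(path))` to try it on live data.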