They are, and dropping them just as fast. It seems like the last a day or two, and then move on to another domain name. They are similar enough that the bots probably work off a formula to determine valid requests. It may be a coincidence, if you believe in those, but this type of C&C traffic started ramping up wildly about a month after the ZeroAccess servers got blocked... Davis Beeman | Network Security Engineer | 360.816.3052 Integra -----Original Message----- From: Joe Maimon [mailto:jmaimon@ttec.com] Sent: Wednesday, February 19, 2014 08:59 To: Beeman, Davis; North American Networking and Offtopic Gripes List Subject: Re: random dns queries with random sources Beeman, Davis wrote:
rather the authoritative name server in these domains is the rouge DNS server in use by the bad actor running a botnet.
Davis Beeman Network Security Engineer
Somebody must be registering these domain names. And I should be able to compile a list of the auth servers in question. Joe