This explains why the alerts were only coming up as DNS and not capturing any traffic to the domain. The question now is: who owns it?
So the domain no longer existed. This made things even more unusual: why would malware be connecting to a non-existent domain? Had the registration lapsed? Had the botnet been shut down? As it turns out, it had: the specific malware using this domain also used other domains, and those had been shut down.
I then compiled a simple IRCd and watched as they all connected.
Immediately I had hundreds of machines ready to do my bidding if I so chose. I let it sit for a bit, and at its peak I had about 325 machines. All of them identified themselves with their OS, their country, and then a random code. Here are some statistics on where the machines were located:
- Argentina, 5.00%
- Brazil, 0.45%
- Chile, 5.91%
- Colombia, 1.36%
- Malta, 0.45%
- Mexico, 73.18%
- Peru, 2.73%
- Spain, 14.55%
- Venezuela, 1.36%
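A sinkhole handler of the kind described above, as an added example that is not the author's IRCd: it accepts only the IRC registration handshake (NICK/USER), answers PING so clients stay connected, never issues any command to them, and tallies the country of each registered client from its nick. The `[CC|OS|random]` nick layout and the sample lines are constructed assumptions; a real deployment would feed socket data into `Sinkhole.handle`.

```python
import re
from collections import Counter

# Assumed nick layout "[CC|OS|random]" (constructed for this example).
NICK_RE = re.compile(r"^\[(?P<cc>[A-Z]{2})\|(?P<os>[A-Za-z0-9]+)\|(?P<rnd>[A-Za-z0-9]+)\]$")

class Sinkhole:
    """Minimal IRC registration handler for a sinkhole: records clients, never commands them."""
    def __init__(self):
        self.clients = {}  # client id -> {"nick", "user", "registered"}

    def handle(self, cid, line):
        """Process one raw line from client cid; return the reply lines to send back."""
        c = self.clients.setdefault(cid, {"nick": None, "user": None, "registered": False})
        parts = line.strip().split(" ", 1)
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if cmd == "NICK":
            c["nick"] = arg.split(" ")[0]
        elif cmd == "USER":
            c["user"] = arg.split(" ")[0]
        elif cmd == "PING":
            return [f"PONG {arg}"]          # keep the client alive so it stays observable
        else:
            return []                       # everything else (JOIN, PRIVMSG, ...) is ignored
        if c["nick"] and c["user"] and not c["registered"]:
            c["registered"] = True          # RPL_WELCOME completes registration
            return [f":sinkhole 001 {c['nick']} :Welcome"]
        return []

    def country_stats(self):
        """Percentage of fully registered clients per country code parsed from the nick."""
        tally = Counter()
        for c in self.clients.values():
            if not c["registered"]:
                continue
            m = NICK_RE.match(c["nick"] or "")
            tally[m.group("cc") if m else "??"] += 1
        total = sum(tally.values())
        return {cc: round(100 * n / total, 2) for cc, n in tally.items()} if total else {}

# Constructed sample traffic: three complete registrations and one client that never sends USER.
SAMPLE = [
    (1, "NICK [MX|XP|a1b2c3]"), (1, "USER x 0 * :x"),
    (2, "NICK [MX|2K|d4e5f6]"), (2, "USER x 0 * :x"),
    (3, "NICK [ES|XP|g7h8i9]"), (3, "USER x 0 * :x"),
    (4, "NICK [AR|XP|j0k1l2]"),  # incomplete registration: not counted
    (1, "PING :sinkhole"),
]

def run_sample():
    s, replies = Sinkhole(), {}
    for cid, line in SAMPLE:
        replies.setdefault(cid, []).extend(s.handle(cid, line))
    return s, replies
```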
Once satisfied with the reconnaissance, I pointed the domain at an internal server, discovered the location of the machine, and had it remediated as usual.
An abuse complaint did, however, come in while I was investigating the issue, so even though the domain had fallen out of use, someone was still monitoring it. The domain has since been pointed at the ShadowServer guys so they can remediate any machines that still remain.