##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
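class MetasploitModule < Msf::Auxiliary
  # Domain names associated with the Mariposa botnet (see 'References').
  # They are looked up exactly as listed; the module does not validate or act on
  # whatever they resolve to, it only reports it. Many of these names are likely
  # sinkholed, expired or otherwise unresolvable today.
  DOMAINS = [
    'lalundelau.sinip.es', 'bf2back.sinip.es', 'thejacksonfive.mobi',
    'thejacksonfive.us', 'thejacksonfive.biz', 'butterfly.BigMoney.biz',
    'bfisback.sinip.es', 'bfisback.no-ip.org', 'qwertasdfg.sinip.es',
    'shv4b.getmyip.com', 'shv4.no-ip.biz', 'butterfly.sinip.es',
    'defintelsucks.sinip.es', 'defintelsucks.net', 'defintelsucks.com',
    'gusanodeseda.sinip.es', 'gusanodeseda.net', 'legion.sinip.es',
    'booster.estr.es', 'sexme.in', 'extraperlo.biz',
    'legionarios.servecounterstrike.com', 'thesexydude.com',
    'yougotissuez.com', 'gusanodeseda.mobi', 'tamiflux.org',
    'tamiflux.net', 'binaryfeed.in', 'youare.sexidude.com',
    'mierda.notengodominio.com',
  ].freeze

  def initialize
    super(
      'Name' => 'VSploit Mariposa DNS Query Module',
      'Description' => 'This module queries known Mariposa Botnet DNS records.',
      'Author' => 'MJC',
      'License' => MSF_LICENSE,
      'References' => [
        [ 'URL', 'http://www.defintel.com/docs/Mariposa_Analysis.pdf']
      ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        # The lookups themselves are the observable artifact: they land in
        # resolver / DNS-monitoring logs of whichever server answers them.
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )
    register_options(
      [
        # Optional explicit resolver; when unset Net::DNS uses its own defaults.
        OptString.new('DNS_SERVER', [false, 'Specifies a DNS server']),
        OptInt.new('COUNT', [false, 'Number of intervals to loop', 1]),
        OptInt.new('DELAY', [false, 'Delay in seconds between intervals', 3])
      ]
    )
  end

  # Send an A query for every name in DOMAINS, COUNT times over, pausing DELAY
  # seconds between rounds (not after the last one). Each lookup is reported
  # via print_status/print_good/print_error as it happens. A lookup that raises
  # (resolver error, timeout, ...) is reported and skipped so that one failing
  # name does not abort the remaining queries. Returns nothing useful.
  def run
    resolver = Net::DNS::Resolver.new
    resolver.nameservers = datastore['DNS_SERVER'] if datastore['DNS_SERVER']

    rounds = datastore['COUNT']
    delay = datastore['DELAY']

    rounds.times do |round|
      DOMAINS.each { |name| query_domain(resolver, name) }

      # No wait after the final round.
      next if round == rounds - 1

      print_status("#{timestamp} - Waiting #{delay} seconds to query")
      sleep(delay)
    end
  end

  private

  # Issue one A query for +name+ through +resolver+ and print the outcome.
  # Errors raised by the resolver are caught here so the caller's loop continues.
  def query_domain(resolver, name)
    time = timestamp
    print_status("#{time} - DNS Query sent for => #{name}")
    response = resolver.query(name, 'A')
    if response.answer.empty?
      print_error("#{time} - #{name} => No Record Found")
    else
      # Report the last whitespace/comma-separated field of the first answer
      # record's string form, i.e. its data. Only the first record is shown;
      # if the name is an alias that record may be a CNAME target rather than
      # an address.
      data = response.answer.first.to_s.split(/[\s,]+/).last
      print_good("#{time} - #{name} => #{data}")
    end
  rescue StandardError => e
    print_error("#{time} - #{name} => Query failed: #{e.class}: #{e.message}")
  end

  # Wall-clock timestamp in the format used by every line this module prints.
  def timestamp
    Time.now.strftime('%Y-%m-%d %H:%M:%S')
  end
end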