dns queries to ztomy repeatedly.


This topic is locked. 4 replies to this topic.

#1 johncgilliland (Members, 12 posts, Indianapolis, IN)

Posted 23 August 2016 - 01:19 PM

I have received reports from the IT department that OpenDNS reports requests from my machine to a suspect DNS server (nsXXX.ztomy.com) and that I am not allowed to connect to our network until I resolve the issue.

 

I have run numerous tools to attempt to mitigate the issue.  Initially I found a couple of infected files (including a trojan) that were removed and cleaned.  However, despite subsequent clean reports, the DNS activity has continued and I have been unable to identify the source.  I have run MBAM, BitDefender (our company AV), HitmanPro, RogueKiller, ComboFix, MBAM Breach Remediation, MBAM Anti-Rootkit beta, TDSSKiller, GMER, ESET, and now FRST for this post.

 

My most recent run of ESET included an external drive inside of which it found (TrojanDropper.Agent.BQ) and cleaned.  I am hoping this was the issue but would still like assistance as this has become quite crucial.  I also need the experience as I am going to attempt the training program.

 

Thanks so much for your time.  I have attached the FRST logs per the prep document instructions.  Also, the firewall is enabled, etc.

 

I am running Windows 7 x64.

 

 

John

Attached Files


Edited by johncgilliland, 23 August 2016 - 01:24 PM.



#2 johncgilliland (Topic Starter)

Posted 25 August 2016 - 02:28 PM

I have been working on this issue non-stop for the last two days.  I have used DNS query sniffer in combination with Process Monitor and used timestamps to the 3rd millisecond digit to match up PIDs, and then used the PID to pull info from Process Explorer, only to find that it led to Bonjour Service or wmiprvse.exe (a Windows WMI process).  However, I am still in a bad spot because OpenDNS reports these 2 nameservers as malicious, and therefore, because my machine still sends DNS requests to this server, I am banned from the VPN.

UGH.

 

I am definitely going to apply to the training program.  I want to know as much as I can about how to investigate these issues.  I have read some whitepaper synopses about using DNS activity to detect botnets but no details.  No specifics I can use to track down the virus/bot/etc and rid my machine of it.

 

So hopefully when my turn comes up I will get some more info from one of the responders here!  Looking forward to some guidance for sure.

 

Oh, I have also been trying to research the IP addresses returned by this name server to the requests.  There are only about a half dozen that are returned, regardless of which machine (there are multiple machines on our network hitting these servers) makes the DNS request.  All of the IP addresses seem to go nowhere.  They do not respond to curl or ping or nslookup, etc.

 

Okay, just posting more info and doing a bit of venting.
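The timestamp matching described in the post above (a DNS sniffer's query times lined up against Process Monitor's UDP Send events, then the PID read off the match) can be scripted so it does not have to be done by eye. The following is an added example and not code from the thread or from either tool; both logs are constructed for illustration. DNS_LOG mimics a sniffer export with a time, name and record type column, and PROCMON_CSV mimics a Process Monitor CSV export already filtered to "UDP Send" events toward port 53. The column layout, the process names, the PIDs and the 5 ms tolerance are assumptions made for the example.

```python
"""Pair DNS queries with the process that sent them, by timestamp.

Added example, not from the thread. The matching rule is the one the post
describes: for each DNS query, take the UDP Send event whose timestamp is
closest, and accept it only if the gap is within a small tolerance.
"""
import csv
import io
from datetime import datetime

# Constructed sniffer export: time, query name, record type.
DNS_LOG = """\
13:02:11.123456,ns1327.ztomy.com,A
13:02:11.987654,fileserver.corp.example,A
13:02:12.500000,ns2327.ztomy.com,A
"""

# Constructed Process Monitor CSV export, pre-filtered to UDP Send on port 53.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result"
"1:02:11.1231234 PM","mDNSResponder.exe","1532","UDP Send","10.0.0.5:61234 -> 10.0.0.2:53","SUCCESS"
"1:02:11.9877000 PM","wmiprvse.exe","2044","UDP Send","10.0.0.5:61235 -> 10.0.0.2:53","SUCCESS"
"1:02:13.0000000 PM","svchost.exe","880","UDP Send","10.0.0.5:61236 -> 10.0.0.2:53","SUCCESS"
"""


def parse_dns_log(text):
    """Yield (timestamp, query name, record type) from the sniffer export."""
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        yield datetime.strptime(row[0], "%H:%M:%S.%f"), row[1], row[2]


def parse_procmon_time(value):
    """Process Monitor prints seven fractional digits on a 12-hour clock;
    strptime's %f accepts at most six, so drop the last digit first."""
    clock, ampm = value.split(" ")
    hms, frac = clock.split(".")
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def parse_procmon(text):
    """Yield (timestamp, process name, pid) for every UDP Send event."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["Operation"] != "UDP Send":
            continue
        yield parse_procmon_time(row["Time of Day"]), row["Process Name"], int(row["PID"])


def correlate(dns_text, procmon_text, tolerance_ms=5.0):
    """Attach the closest UDP Send (process, pid) to each DNS query.
    'process' and 'pid' are None when no send falls inside the window."""
    sends = list(parse_procmon(procmon_text))
    results = []
    for ts, qname, qtype in parse_dns_log(dns_text):
        best = min(sends, key=lambda s: abs((s[0] - ts).total_seconds()), default=None)
        hit = None
        if best is not None:
            delta_ms = abs((best[0] - ts).total_seconds()) * 1000.0
            if delta_ms <= tolerance_ms:
                hit = best
        results.append({
            "query": qname,
            "type": qtype,
            "process": hit[1] if hit else None,
            "pid": hit[2] if hit else None,
        })
    return results


def by_process(results):
    """Group matched query names by the sending process (None = unmatched)."""
    groups = {}
    for r in results:
        groups.setdefault(r["process"], set()).add(r["query"])
    return groups


if __name__ == "__main__":
    for r in correlate(DNS_LOG, PROCMON_CSV):
        print(r)
```

The third query in the constructed data deliberately has no send within 5 ms, so it stays unmatched; widening the tolerance pulls in the nearest event, which is why the window should stay tight when the sniffer and Process Monitor run on the same clock. A match to a benign system process (here the Bonjour responder and the WMI provider host, as in the post) says which process issued the lookup, not why the name was being asked for in the first place.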



#3 johncgilliland (Topic Starter)

Posted 26 August 2016 - 09:08 AM

FIXED!!

 

So ultimately myself and the other developer/IT persons at work have figured out the issue.  It all goes back to the Network Solutions breach in 2013 (I think that is when it was).  Out in NetSol's configuration of one of our domains, the catch-all was pointing to a nefarious IP address (208.91.197.27).  This led to people, when connecting from outside of our network, having requests for internal resources that would normally be resolved by our internal DNS being routed to the catch-all and consequently to the bad address.

 

The bad address was returning NS-type DNS responses pointing to the ns1327.ztomy.com and ns2327.ztomy.com name servers that OpenDNS has blacklisted as malware servers.  I was also able to complete the circle by finding A-type DNS requests being returned from the ztomy name servers that pointed back to the 208.91.197.27 address, thus completing the forensic circle, per se.

 

So if anyone else runs into this, that is what is happening.  There weren't any viruses on individual machines.  Crazy investigation, but fortunately we have it fixed and have also blocked the catch-all at our firewall, so in a day or two all of the ztomy requests should disappear.

 

john
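The "forensic circle" the post describes is a pattern that can be checked for mechanically in a DNS answer log: many distinct names under the company's public zone all resolving to one outside address (the catch-all), NS answers naming the flagged ztomy.com servers, and A answers for those servers pointing back at that same address. The following is an added example, not code from the thread; the records are constructed to mirror the post. The zone name corp.example and the hostnames under it are placeholders, while the IP address and the two nameserver names are the ones the post quotes. The threshold of three distinct names is an assumption chosen for the example.

```python
"""Flag the catch-all / parked-nameserver pattern in a DNS answer log.

Added example, not from the thread. Input is a list of (query name,
record type, answer) tuples as a resolver log or sniffer would record them.
"""
from collections import defaultdict

ZONE = "corp.example"            # placeholder for the company's public zone
SUSPECT_NS_SUFFIX = "ztomy.com"  # nameserver domain flagged in the thread

# Constructed records mirroring the post: internal names hitting the
# wildcard, NS referrals to ztomy, and ztomy A records pointing back.
RECORDS = [
    ("intranet.corp.example", "A", "208.91.197.27"),
    ("gitlab.corp.example", "A", "208.91.197.27"),
    ("printserver.corp.example", "A", "208.91.197.27"),
    ("www.corp.example", "A", "203.0.113.10"),
    ("intranet.corp.example", "NS", "ns1327.ztomy.com"),
    ("intranet.corp.example", "NS", "ns2327.ztomy.com"),
    ("ns1327.ztomy.com", "A", "208.91.197.27"),
    ("ns2327.ztomy.com", "A", "208.91.197.27"),
]


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def analyze(records, zone=ZONE, ns_suffix=SUSPECT_NS_SUFFIX, min_names=3):
    """Return the catch-all candidates, the suspect nameservers seen, and
    whether the loop closes (a suspect nameserver resolves to a catch-all IP).

    catchall: {ip: sorted names under `zone` that resolved to it}, kept only
              when at least `min_names` distinct names share the address.
    """
    names_by_ip = defaultdict(set)   # A answers for names inside the zone
    ns_seen = set()                  # NS answers naming the suspect domain
    ns_addrs = defaultdict(set)      # A answers for the suspect nameservers
    for qname, rtype, answer in records:
        q = qname.lower().rstrip(".")
        a = answer.lower().rstrip(".")
        if rtype == "A" and _in_zone(q, zone):
            names_by_ip[a].add(q)
        elif rtype == "NS" and _in_zone(a, ns_suffix):
            ns_seen.add(a)
        elif rtype == "A" and _in_zone(q, ns_suffix):
            ns_addrs[q].add(a)

    # One address answering for many different names is the wildcard signature.
    catchall = {ip: sorted(names) for ip, names in names_by_ip.items()
                if len(names) >= min_names}
    loop_closed = any(ip in ns_addrs.get(ns, set())
                      for ns in ns_seen for ip in catchall)
    return {
        "catchall": catchall,
        "suspect_ns": sorted(ns_seen),
        "loop_closed": loop_closed,
    }


if __name__ == "__main__":
    findings = analyze(RECORDS)
    for ip, names in findings["catchall"].items():
        print(f"catch-all candidate {ip}: {', '.join(names)}")
    print("suspect nameservers:", ", ".join(findings["suspect_ns"]))
    print("loop closed:", findings["loop_closed"])
```

When `catchall` is non-empty and `loop_closed` is true, the evidence points at the public zone's wildcard record rather than at the querying host, which is the conclusion the post reached after the host-side scanners came back clean. A wildcard by itself is legitimate in many zones; the combination with a referral to a flagged nameserver domain that resolves back to the wildcard address is what makes this worth raising with whoever administers the zone.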



#4 Oh My! (Malware Response Instructor, 38,160 posts, California)

Posted 26 August 2016 - 02:30 PM

Thank you for letting us know. Sorry about the delay.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My! (Malware Response Instructor)

Posted 26 August 2016 - 02:30 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



