
At a client site with my own laptop capturing, I came across these strange queries. Is this some kind of malware? I checked my laptop at home and these queries do not happen there.

10.10.7.93 10.10.7.231 DNS 53 Standard query A hkdheltpil.dct.local
10.10.7.93 10.10.7.231 DNS 53 Standard query A abpbmpbmbd.dct.local
10.10.7.93 10.10.7.231 DNS 53 Standard query A byxcaaoetj.dct.local
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A abpbmpbmbd
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A hkdheltpil
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A byxcaaoetj
10.10.7.93 10.10.7.255 NBNS 137 Name query NB ABPBMPBMBD<00>
10.10.7.93 10.10.7.255 NBNS 137 Name query NB HKDHELTPIL<00>
10.10.7.93 10.10.7.255 NBNS 137 Name query NB BYXCAAOETJ<00>

asked 22 Apr '11, 12:16


eelarry

Same laptop at your customer site shoots out these queries, but not at home? Were you using their DHCP service? .local is a pseudo TLD that some services use.

(23 Apr '11, 08:26) hansangb

I was using DHCP at the client sites, yes. Not seen elsewhere so far.

(23 Apr '11, 09:20) eelarry

I see something similar:

  2 39.848702   192.168.1.101         192.168.1.255         NBNS     Name query NB HRMZQPSPIJ<00>
  3 39.849226   192.168.1.101         192.168.1.255         NBNS     Name query NB FSYLKLCXXB<00>
  4 39.849231   192.168.1.101         192.168.1.255         NBNS     Name query NB QTLASVNHIF<00>
  5 40.599012   192.168.1.101         192.168.1.255         NBNS     Name query NB HRMZQPSPIJ<00>
  6 40.599024   192.168.1.101         192.168.1.255         NBNS     Name query NB FSYLKLCXXB<00>
  7 40.599087   192.168.1.101         192.168.1.255         NBNS     Name query NB QTLASVNHIF<00>
  8 41.367564   192.168.1.101         192.168.1.255         NBNS     Name query NB HRMZQPSPIJ<00>
  9 41.367710   192.168.1.101         192.168.1.255         NBNS     Name query NB FSYLKLCXXB<00>
 10 41.367713   192.168.1.101         192.168.1.255         NBNS     Name query NB QTLASVNHIF<00>

so does this mean that local machine 101 has a computer virus making it take part in a botnet?

(02 Dec '11, 18:15) Covert Coven

Your system is infected. I reinstalled the OS on the system in this example, and that traffic disappeared. I recommend you do the same.

(03 Dec '11, 10:03) eelarry

I suspect these are kids that I know who created the infection to cheat at online games. Is there any information I can get from the packets ... like an IP address or domain name?

(03 Dec '11, 15:12) Covert Coven

In order to speed up browsing Google Chrome does a lot of DNS requests in advance (DNS prefetching – this can be even turned on and off in Chrome’s options). When Chrome is started it will lookup domain names for previously opened web pages early in the startup process so if the user clicks on one of those links Chrome can connect to the target site immediately.

Among those requests Chrome also tries to find out if someone is messing up with the DNS. Therefore Chrome does this by issuing 3 DNS requests to randomly generated domain names, for every DNS extension configured.

source: ISC Diary


answered 06 Dec '11, 14:49


Landi

Recent botnets such as Conficker, Kraken and Torpig have brought in vogue a new method for botnet operators to control their bots: DNS "domain fluxing". In this method, each bot algorithmically generates a large set of domain names and queries each of them until one of them is resolved, and then the bot contacts the corresponding IP address obtained, which is typically used to host the command-and-control (C&C) server.


answered 25 Apr '11, 10:40


eelarry
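Added example (not code from either answer's author): a small triage script that applies the two explanations on this page, Landi's Chrome DNS-prefetch probe and eelarry's domain-fluxing description, to query lines in the format pasted in the question. It assumes the probe labels are 10 random lowercase letters as in the question's capture, and the threshold of 20 distinct names for the DGA verdict is a constructed value, not a published one.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the capture pasted in the question.
SAMPLE = """\
10.10.7.93 10.10.7.231 DNS 53 Standard query A hkdheltpil.dct.local
10.10.7.93 10.10.7.231 DNS 53 Standard query A abpbmpbmbd.dct.local
10.10.7.93 10.10.7.231 DNS 53 Standard query A byxcaaoetj.dct.local
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A abpbmpbmbd
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A hkdheltpil
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A byxcaaoetj
10.10.7.93 10.10.7.255 NBNS 137 Name query NB ABPBMPBMBD<00>
10.10.7.93 10.10.7.255 NBNS 137 Name query NB HKDHELTPIL<00>
10.10.7.93 10.10.7.255 NBNS 137 Name query NB BYXCAAOETJ<00>
"""

# src dst proto port ... "query A name" / "query NB NAME<00>"
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(DNS|LLMNR|NBNS)\s+\d+\s+.*?query (?:A|NB) (\S+)$")
# Assumption from the question's capture: probe labels are 10 lowercase letters.
RANDOM_LABEL = re.compile(r"^[a-z]{10}$")
FALLBACK_CHAIN = {"DNS", "LLMNR", "NBNS"}

PROBE = "chrome-style probe: 3 random names, each fell through DNS/LLMNR/NBNS"
DGA = "many distinct random names: investigate for DGA / domain fluxing"
UNSURE = "random-looking names, inconclusive"

def parse(text):
    """Yield (src, proto, label) per query line; NBNS names are upper-case
    with a <00> suffix and DNS names carry a suffix, so keep the first label."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            src, _dst, proto, name = m.groups()
            yield src, proto, name.split("<")[0].split(".")[0].lower()

def classify(text, min_dga_labels=20):
    """Per source host, map random-looking labels to the protocols that queried
    them, then decide which pattern from the answers the host matches."""
    by_src = defaultdict(lambda: defaultdict(set))
    for src, proto, label in parse(text):
        if RANDOM_LABEL.match(label):
            by_src[src][label].add(proto)
    verdicts = {}
    for src, labels in by_src.items():
        if len(labels) == 3 and all(FALLBACK_CHAIN <= p for p in labels.values()):
            verdicts[src] = PROBE       # three unresolved random names at startup
        elif len(labels) >= min_dga_labels:
            verdicts[src] = DGA         # large algorithmically generated set
        else:
            verdicts[src] = UNSURE
    return verdicts
```

A host that keeps producing new random names across a capture, rather than the same three at browser start, is the case worth pulling a full pcap for.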

I scanned my computer with AVG and also with Microsoft security essentials and no malware was identified. Yet this domain fluxing is going on constantly.

It is only happening when I have (64 bit) Google Chrome active, even if I'm just sitting on a static web page. Neither IE nor Mozilla have this symptom, so I reinstalled Chrome but it made no difference. Does it mean the Chrome download site was infected, and does anyone else see this?


answered 06 Dec '11, 14:33


Covert Coven
