At a client site with my own laptop capturing, I came across these strange queries. Is this some kind of malware? I checked my laptop at home and these queries do not happen there.

10.10.7.93 10.10.7.231 DNS 53 Standard query A hkdheltpil.dct.local
10.10.7.93 10.10.7.231 DNS 53 Standard query A abpbmpbmbd.dct.local
10.10.7.93 10.10.7.231 DNS 53 Standard query A byxcaaoetj.dct.local
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A abpbmpbmbd
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A hkdheltpil
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A byxcaaoetj
10.10.7.93 10.10.7.255 NBNS 137 Name query NB ABPBMPBMBD<00>
10.10.7.93 10.10.7.255 NBNS 137 Name query NB HKDHELTPIL<00>
10.10.7.93 10.10.7.255 NBNS 137 Name query NB BYXCAAOETJ<00>

asked 22 Apr '11, 12:16 eelarry
3 Answers:
In order to speed up browsing, Google Chrome does a lot of DNS requests in advance (DNS prefetching; this can even be turned on and off in Chrome's options). When Chrome is started it will look up domain names for previously opened web pages early in the startup process, so if the user clicks on one of those links Chrome can connect to the target site immediately. Among those requests Chrome also tries to find out if someone is messing with the DNS. Chrome does this by issuing 3 DNS requests to randomly generated domain names, for every DNS suffix configured. source: ISC Diary

answered 06 Dec '11, 14:49 Landi
Recent botnets such as Conficker, Kraken and Torpig have brought in vogue a new method for botnet operators to control their bots: DNS "domain fluxing". In this method, each bot algorithmically generates a large set of domain names and queries each of them until one of them is resolved, and then the bot contacts the corresponding IP address obtained, which is typically used to host the command-and-control (C&C) server.

answered 25 Apr '11, 10:40 eelarry
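The two answers above describe two very different sources of random-looking lookups: Chrome's startup check (a fixed handful of names, 3 per configured DNS suffix, queried once) and a DGA bot (a stream of fresh names that keeps going). The script below is an added example, not code from the thread or from any of its posters; it parses query lines in the same format as the capture in the question and applies that count-based distinction per source host and DNS suffix, and it also checks whether the LLMNR/NBNS traffic is just the OS retrying the same unresolved labels. The "random-looking label" heuristic (7 to 15 lowercase letters with a long consonant run or few vowels), the threshold of 10 names for "DGA-like", and the second host 10.10.7.200 with its badexample.test names are all constructed for this example and are not from the thread.

```python
"""Classify random-looking hostname lookups in a DNS query log.

Added example for the thread above (not the original poster's data beyond the
lines copied from the question). Two patterns are distinguished:
  * Chrome's startup probe: 3 random labels per configured DNS suffix,
    queried once at startup (from the Chrome answer).
  * DGA "domain fluxing": a bot keeps generating and querying fresh names
    (from the botnet answer).
"""
import re
from collections import defaultdict

# Constructed sample log. The 10.10.7.93 lines are the ones from the question;
# the 10.10.7.200 lines and the fileserver/www lines are made up for contrast.
SAMPLE_LOG = """\
10.10.7.93 10.10.7.231 DNS 53 Standard query A hkdheltpil.dct.local
10.10.7.93 10.10.7.231 DNS 53 Standard query A abpbmpbmbd.dct.local
10.10.7.93 10.10.7.231 DNS 53 Standard query A byxcaaoetj.dct.local
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A abpbmpbmbd
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A hkdheltpil
10.10.7.93 224.0.0.252 LLMNR 5355 Standard query A byxcaaoetj
10.10.7.93 10.10.7.255 NBNS 137 Name query NB ABPBMPBMBD<00>
10.10.7.93 10.10.7.255 NBNS 137 Name query NB HKDHELTPIL<00>
10.10.7.93 10.10.7.255 NBNS 137 Name query NB BYXCAAOETJ<00>
10.10.7.93 10.10.7.231 DNS 53 Standard query A fileserver.dct.local
10.10.7.93 10.10.7.231 DNS 53 Standard query A www.example.com
10.10.7.200 10.10.7.231 DNS 53 Standard query A qzkxvplwnoth.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A tbrjmhsdfu.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A xvgnrtwqpe.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A mkplzdhbtv.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A wrsgxjkfnd.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A hpqtzmvbcx.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A ldrkgwpnst.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A vzjcxqrtbm.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A ngkhdwlpfs.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A sxbqmdtrvk.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A kfjwzplhnc.badexample.test
10.10.7.200 10.10.7.231 DNS 53 Standard query A btmvqrsgdx.badexample.test
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(DNS|LLMNR|NBNS)\s+(\d+)\s+"
    r"(?:Standard query A|Name query NB)\s+(\S+)$")
VOWELS = set("aeiou")


def looks_random(label: str) -> bool:
    """Heuristic (an assumption of this example): 7-15 lowercase letters with a
    run of four or more consonants, or fewer than a quarter vowels, has no
    word-like structure. 'fileserver' fails; the probe labels pass."""
    if not 7 <= len(label) <= 15 or not label.isalpha() or not label.islower():
        return False
    vowels = sum(ch in VOWELS for ch in label)
    longest = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or vowels / len(label) < 0.25


def parse_log(text: str) -> list:
    """Parse capture-style lines into (src, proto, first label, DNS suffix)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not name queries
        src, _dst, proto, _port, name = m.groups()
        name = re.sub(r"<[0-9a-f]{2}>$", "", name.lower())  # drop NBNS <00>
        label, _, suffix = name.partition(".")
        records.append({"src": src, "proto": proto, "label": label, "suffix": suffix})
    return records


def classify(records, probe_max=3, dga_min=10) -> dict:
    """Count distinct random-looking DNS labels per (source, suffix).
    probe_max=3 is the per-suffix count from the Chrome answer; dga_min is a
    chosen threshold for sustained domain fluxing."""
    seen = defaultdict(set)
    for r in records:
        if r["proto"] == "DNS" and looks_random(r["label"]):
            seen[(r["src"], r["suffix"])].add(r["label"])
    verdicts = {}
    for key, labels in seen.items():
        n = len(labels)
        if n >= dga_min:
            verdicts[key] = (n, "dga-like")
        elif n <= probe_max:
            verdicts[key] = (n, "chrome-probe-like")
        else:
            verdicts[key] = (n, "ambiguous")
    return verdicts


def fallback_matches(records) -> dict:
    """Per source: are the LLMNR/NBNS labels a subset of the DNS labels? If so,
    the multicast/broadcast queries are the resolver retrying the same
    unresolved names, not a separate activity."""
    dns, other = defaultdict(set), defaultdict(set)
    for r in records:
        if looks_random(r["label"]):
            (dns if r["proto"] == "DNS" else other)[r["src"]].add(r["label"])
    return {src: other[src] <= dns[src] for src in other}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, suffix), (n, verdict) in classify(recs).items():
        print(f"{src} suffix={suffix or '(none)'} distinct={n} {verdict}")
    print("LLMNR/NBNS consistent with DNS:", fallback_matches(recs))
```

On the sample, 10.10.7.93 yields 3 distinct random labels under dct.local with matching LLMNR/NBNS retries (the Chrome pattern), while the constructed 10.10.7.200 host yields 12 under badexample.test and is reported as DGA-like. To apply it to a real capture, export the DNS, LLMNR and NBNS query lines from Wireshark in the same column layout and watch whether the count per suffix stays at 3 or keeps growing over time.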
I scanned my computer with AVG and also with Microsoft Security Essentials and no malware was identified. Yet this domain fluxing is going on constantly. It is only happening when I have (64-bit) Google Chrome active, even if I'm just sitting on a static web page. Neither IE nor Mozilla have this symptom, so I reinstalled Chrome but it made no difference. Does it mean the Chrome download site was infected, and does anyone else see this?

answered 06 Dec '11, 14:33 Covert Coven
Same laptop at your customer site shoots out these queries, but not at home? Were you using their DHCP service? .local is a pseudo TLD that some services use.
I was using DHCP at the client sites, yes. Not seen elsewhere so far.
I see something similar:
So does this mean that local machine 101 has a computer virus making it take part in a botnet?
Your system is infected. I reinstalled the OS on the system in this example, and that traffic disappeared. I recommend you do the same.
I suspect these are kids that I know who created the infection to cheat at online games. Is there any information I can get from the packets ... like an IP address or domain name?