https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2463#M1840 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A href="https://live.paloaltonetworks.com/u1/19490">hshah</A> -- </SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">BrightCloud's categorization is likely incorrect. We've observed the crazytall domains being used to serve ads, which is perfectly legitimate. However, we've also observed malware connecting out to these domains. Thus, we do not categorize the domains as malicious, because they aren't; but we do categorize them as suspicious, because, as <A href="https://live.paloaltonetworks.com/u1/17985">Steven Puluka</A> indicated, accessing them may indicate malware on the endpoint.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">That said, per Steven's submission to Test A Site, "Computer and Internet Info" probably isn't the best categorization. It's worth requesting a review of that, even if the optimal bucket isn't "Malware."<BR /></SPAN></P></BODY></HTML> Wed, 16 Jul 2014 23:22:12 GMT cblackmore 2014-07-16T23:22:12Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2458#M1835 <HTML><HEAD></HEAD><BODY><P>Does anyone have a link to more information regarding this threat ID ?</P><P></P><P>I have searched PA's support site and the internet, and have had no luck.</P><P></P><P>Thanks!!</P></BODY></HTML> Wed, 16 Jul 2014 21:46:38 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2458#M1835 craigmueller 2014-07-16T21:46:38Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2459#M1836 <HTML><HEAD></HEAD><BODY><P>Hi Craig,</P><P></P><P>Blonde.crazytall.com is a malware site, when a user/spyware tried to do DNS lookup firewall just blocked DNS. Which in turn subsequent conversation. Let me know if this helps.</P><P><IMG __jive_id="14486" alt="Capture.PNG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14486_Capture.PNG" style="height: 186px; width: 620px;" /></P><P></P><P>Please refer following document for more detail on log.</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6443">How to Create a Custom Report for Suspicious DNS Queries</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 16 Jul 2014 21:54:17 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2459#M1836 hshah 2014-07-16T21:54:17Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2460#M1837 <HTML><HEAD></HEAD><BODY><P>Thank you for the quick response.</P><P></P><P>Unfortunately, I do not fully understand your explanation.</P></BODY></HTML> Wed, 16 Jul 2014 22:00:43 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2460#M1837 craigmueller 2014-07-16T22:00:43Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2461#M1838 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/19490">hshah</A></P><P>Looks like there is an issue with the Test A Site database.&nbsp; I just ran this on the PA research center and it shows clean as computer category.</P><P></P><P><IMG alt="blondecrazytall.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14487_blondecrazytall.png" style="height: auto;" /></P><P></P><P><A href="https://live.paloaltonetworks.com/u1/28351">craigmueller</A></P><P>You should try to back trace the clients making the request for the site.&nbsp; They are likely infected with malware.</P></BODY></HTML> Wed, 16 Jul 2014 22:00:45 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2461#M1838 pulukas 2014-07-16T22:00:45Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2462#M1839 <HTML><HEAD></HEAD><BODY><P>Hi Craig,</P><P></P><P>Firewall has inbuilt mechanism to block DNS request for malicious web sites.</P><P></P><P>So, lets say any user tries to access malicious website, which can damage network in future. In that case Firewall will block DNS query, so Connection will never be formed and Network is secure.</P><P></P><P>Moreover administrator get a log, so he can talk to user about malicious access. If user is unaware of such access then his machine is compromised. Let me know if this helps.</P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/people/spuluka">steven</A> Bright cloud detects it as malicious, may be we can submit request for PAN-DB to correct category.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 16 Jul 2014 22:04:17 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2462#M1839 hshah 2014-07-16T22:04:17Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2463#M1840 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><A href="https://live.paloaltonetworks.com/u1/19490">hshah</A> -- </SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">BrightCloud's categorization is likely incorrect. We've observed the crazytall domains being used to serve ads, which is perfectly legitimate. However, we've also observed malware connecting out to these domains. Thus, we do not categorize the domains as malicious, because they aren't; but we do categorize them as suspicious, because, as <A href="https://live.paloaltonetworks.com/u1/17985">Steven Puluka</A> indicated, accessing them may indicate malware on the endpoint.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">That said, per Steven's submission to Test A Site, "Computer and Internet Info" probably isn't the best categorization. It's worth requesting a review of that, even if the optimal bucket isn't "Malware."<BR /></SPAN></P></BODY></HTML> Wed, 16 Jul 2014 23:22:12 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2463#M1840 cblackmore 2014-07-16T23:22:12Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2464#M1841 <HTML><HEAD></HEAD><BODY><P>Hi Cblackmore,</P><P></P><P>If you think its a legitimate domain, than please submit a URL Category Change request to bright cloud. Follow bellow URL.</P><P><A href="http://www.brightcloud.com/tools/change-request-url-categorization.php" title="http://www.brightcloud.com/tools/change-request-url-categorization.php">URL Categorization Change Request | Webroot BrightCloud</A></P><P></P><P>Once Bright cloud updates URL, firewall will no longer thinks it a malware domain and allow this legitimate traffic.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 16 Jul 2014 23:27:16 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2464#M1841 hshah 2014-07-16T23:27:16Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2465#M1842 <HTML><HEAD></HEAD><BODY><P>Hello Craigmueller,</P><P></P><P>Virustotal thinks it as a malicious website, hence most likely bright cloud will not change category. If virustotal think it as a malware, than there is something wrong with the website. Please follow bellow link.</P><P><A href="https://www.virustotal.com/en/domain/blonde.crazytall.com/information/" style="font-size: 10pt; line-height: 1.5em;" title="https://www.virustotal.com/en/domain/blonde.crazytall.com/information/">https://www.virustotal.com/en/domain/blonde.crazytall.com/information/</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 16 Jul 2014 23:29:49 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2465#M1842 hshah 2014-07-16T23:29:49Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2466#M1843 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/19490">hshah</A>,</P><P></P><OL style="list-style-type: decimal;"><LI><A href="https://live.paloaltonetworks.com/u1/28351">craigmueller</A>'s original question was about a DNS signature, not URL Filtering functionality (whether BrightCloud or PAN-DB).</LI><LI>BrightCloud is not a factor in how we generate DNS signatures. Feel free to submit a change request to BrightCloud, but it will not affect our signatures.</LI><LI>VirusTotal does not believe blonde.crazytall.com to be malicious. VirusTotal is simply a data aggregator, and the data it has aggregated shows that <A href="https://www.virustotal.com/en/url/108459681d95e87d245b6dd128bc30526e39866a3d8e632d1aa11ff2bff87bce/analysis/">of 57 URL scanners, none believe this domain to be malicious</A>.</LI></OL><P></P><P>The DNS signature exists for the reasons I stated earlier.</P></BODY></HTML> Thu, 17 Jul 2014 00:25:14 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2466#M1843 cblackmore 2014-07-17T00:25:14Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2467#M1844 <HTML><HEAD></HEAD><BODY><P>I don't think there is a categorization issue.</P><P></P><P>I was really just interested in more information regarding this threat ID.</P><P></P><P>If I am understanding everyone, this seems to be for pop-up ads or malware distribution?</P><P></P><P>If this is posted twice, I apologize. I previously responded, but no longer see it.</P></BODY></HTML> Thu, 17 Jul 2014 16:32:01 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-generic-blonde-crazytall-com-4100529/m-p/2467#M1844 craigmueller 2014-07-17T16:32:01Z