Torpig Phone home DNS request

thandlon — Wed, 18 Jul 2012 19:51:25 GMT

Been seeing lots of detection for this threat, but the attackers are external and are trying to reach our internal DNS servers. We have checked those dns servers along with going over other traffic and AV consoles looking for bots/trojans. Any ideas why I would be seeing the Torpig phone home dns request threat from outside attempting to reach internal dns servers?

Re: Torpig Phone home DNS request

mikand — Wed, 18 Jul 2012 21:47:59 GMT

If outside means Internet then you will most likely see all sort of shit thats out there.

It seems not uncommon that the noise level on the Internet (various bots and other junk) is 1-3kbit/s per ipaddress (based on own experience, might vary in your area 😉

So in your case if some internet ipaddresses tries to get to your DNS servers (which happends to have public ip's but security rules will block incoming requests from Internet) then you can use tcpdump through your internet router to verify the content of these packets and if you belive they are false positives then send it to the appid team?

topic Torpig Phone home DNS request in General Topics

Torpig Phone home DNS request

Re: Torpig Phone home DNS request