PA-3050 detected dns queries to malicious URL but all other anti-malware detected none

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-3050 detected dns queries to malicious URL but all other anti-malware detected none

L1 Bithead

The Palo Alto device is saying that a workstation on the network is querying the DNS server for some malicious URLs for some of the dates and some of the time.

Full scan using McAfee VSE, Microsoft Safety Scanner, Malwarebytes, Spybot, said no malware detected.

Using McAfee Getsusp I upload 40 suspicious and unknown files, analysed in McAfee lab – no malware detected. McAfee put these files under Virus Total, antivirus from 57 different vendors all say ‘clean’.

 

The log that says detection of malicious URL:

Receive TimeThreat/Content TypeGenerate TimeRuleApplicationVirtual SystemSource ZoneDestination ZoneSource PortDestination PortIP ProtocolActionURLThreat/Content NameCategorySeverityDirection 
12/3/2017 13:56spyware12/3/2017 13:56POC Alert Alldnsvsys1TapZone2TapZone25530553udpalert P2P-Worm.palevo:brero.balkan-hosting.net(3839431)anymediumclient-to-server
12/3/2017 13:56spyware12/3/2017 13:56POC Alert Alldnsvsys1TapZone2TapZone25530553udpalert Suspicious DNS Query (P2P-Worm.palevo:brero.balkan-hosting.net)(4022349)anymediumclient-to-server
12/3/2017 13:56spyware12/3/2017 13:56POC Alert Alldnsvsys1TapZone2TapZone25530553udpalert P2P-Worm.palevo:brero.balkan-hosting.net(3839431)anymediumclient-to-server
12/3/2017 13:56spyware12/3/2017 13:56POC Alert Alldnsvsys1TapZone2TapZone25530553udpalert Suspicious DNS Query (P2P-Worm.palevo:brero.balkan-hosting.net)(4022349)anymediumclient-to-server

I really don't know how to close this case. Who is right and how to prove either of the anti-malware wrong?

The workstation in question is a Windows 7 machine, the whole network is isolated (meaning no Internet access). The DNS server is Windows 2012, it is AD-integrated, no access to Internet. The workstation has McAfee VSE 8.8 and is definitions updated everyday. It also has McAfee HIPS, Solidcore, DLP and RSD.

13 REPLIES 13

L7 Applicator

If this is something that is happening repeatedly, you could use a tool like "Microsoft Message Analyzer" to try and map the process on the Windows 7 system making the DNS query for the suspicious domain.  

 - https://www.microsoft.com/en-us/download/details.aspx?id=44226  (download link)

 - https://technet.microsoft.com/en-us/library/jj649776.aspx  (operating guide)

 

I will say that the Microsoft Message Analyzer is a very powerful tool (translate: difficult to use).  In fumbling around with it I was able to map a DNS lookup (mail server) to the requesting process (outlook.exe) - but don't ask me how I did it.  

 

If anyone has a better method of mapping a client DNS lookup to a specific process, I'd love to hear about it.  Good luck.  

Thanks. I had actually used Microsoft Message Analyzer to try to capture any DNS query traffic but after 3 days of sniffing I wasn't able to capture anything, no dns query at all. So, there must be something I didn't do correctly or the software need something special action.

@SingChung,

One thing that I would look at in the logs is what exactly the URL is that they are trying to access. I would say that most of the alerts that I recieve from this are generated by the user navigating to a website with less than perfect advertisement sources. If that doesn't work then Message Analyzer is probably your best bet, but it is a very very difficult tool to actually understand how to use. 

If all else fails make the user use another machine temporarly, say a day or two, so that you can 'look' at their current machine. See if the alerts change to the new machine or not; that would at least tell you if it's something they are doing or if it's truly a machine action. 

BPry,

 

From the log, I guess these are the URLs:

brero.balkan-hosting.net

banjalucke-ljepotice.ru

 

The enironment is isolated, the user won't be able to go Internet. Therefore it is unlikely that the user has access website that contains hiding malicious advertisements.

 

The machine is already put offline and user not using it. I am currently working on a virtual clone of the machine in my Hyper-V environment. So, far I can't find anything suspicious on the machine.

 

Is it that there is no possibility the Palo Alto device is generating false positives?

 

I analyzed the user logon and logoff events, I notice something interesting.

The Palo Alto detection has some relationship with user logon events. Whenever there is a interactive logon (at console or rdp), it was followed by a 3 minutes detection of malicious URL dns queries. The machine itself we can safely say no malware. The funny part is why there is always a detection for 3 minutes of same pattern whenever a user logs on. A check in Windows scheduler, these are programs that are scheduled to launch whenever a user logons on: Lenovo Solution Center, Lenovo Message Center Plus, Office Telemetry Agent, Realtek Lenovo MICPKey, Realtek Control Panel.

 

If user logs on but logoff in 2 minutes, it won't detect such malicious query (probably because the scheduled programs haven't finished starting up). So, it is evidence that one or more of these logon starting programs is doing some dns queries when starting up (perhaps to check for updates) but Palo Alto device read them as malicious. 

 

Is there a way for me to prove if the detections were indeed false positives?

@SingChung,

You would need to capture the URL requests that the machine is actually using something like Fiddler2 or a debugging proxie like Charles Web Debugging Proxy. I would say that it probably isn't a false positive. It's pretty simple for the Palo Alto to read the URL that was requested, so you don't usually actually see false positives with URL detection. 

I managed to capture the malicious dns query. I enable the dns client event logging, logged off, then log on. The event id 1015:

_______________________________________________________________________________________________________________

- System

- Provider

[ Name] Microsoft-Windows-DNS-Client
[ Guid] {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}

EventID 1015

Version 0

Level 4

Task 0

Opcode 0

Keywords 0x8000000000000000

- TimeCreated

[ SystemTime] 2017-12-26T02:28:55.443725400Z

EventRecordID 712

Correlation

- Execution

[ ProcessID] 1468
[ ThreadID] 4328

Channel Microsoft-Windows-DNS-Client/Operational

Computer (removed due to confidentiality)

- Security

[ UserID] S-1-5-20

- EventData

QueryName kreten.banjalucke-ljepotice.ru
AddressLength 28
Address 170000350000000024063003200200055AEF68FFFE249F2600000000

________________________________________________________________________________________

 

I can track down to process DNS Client as the querying process. unable to track which process asked the DNS client to do the query.

 

From the timing of the query, and the running of the scheduled tasks triggered by user logon, there are only these possibilities:

1. HotStart

2. CacheTask

3. OfficeTelemetryAgentLogOn

4. SystemSoundsService

 

All these are Microsot system tasks.

 

@SingChung,

Scheduled tasks can be hijacked fairly easily. I would actually audit the task and make sure that they don't include a new call to this domain; my guess would be that the task itself has been hijacked and is now doing something with that domain. 

@SingChung,

You might want to check out this as well. It directly references that URL, along with showing the Reg keys that it creats in Winlogon. Might want to verify that it isn't what you are looking for. 

 

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Palev-Gen/detaile...

I used Sysinternals' Autoruns to check the running processes and try to figure out which is is making the queries. I check all the processes against VirusTotal, a convenient features built-in to Autoruns. Ok, all turned up clean except Baidu says the process Lenovo Registration contains Win32.Trojan.WisdomEyes.16070401.9500.9777.

 

I turned off all the 'logon' processes and all scheduled tasks, restarted, logon, then check the DNS event logs, still the querying to Brero.balkan-hosting.net and kreten.banjalucke-ljepotice.ru happened. So none of the logon process or scheduled tasks are calling these URLs. If malware trying to hijack the logon-to-start registry keys and scheduled tasks, this should have been detected.

 

So far I had used McAfee VSE, Microsoft Safety Scanner, Malwarebytes, Ad-aware, Spybot to do full scan, all say clean. Now I am running Karpaskey full scan.

 

In Threatminer.og, I checked for the domains which Palo Alto says are malicious - Brero.balkan-hosting.net, Banjalucke-ljepotice.ru,  Dzaba.cultarts.com – all of them not malicious though the domain banjalucke-ljepotice.ru contains subdomains property.banjalucke-ljepotice.ru and pica.banjalucke-ljpepotice.ru, that are malicious and related to rimecud and palevo viruses.

I also will be checking other similar workstations to see if they too query these so call 'malicious' URLs.

To add-on, the WindowsNT\CurrentVersion\Winlogon key doesn't contain any reference to huuo.exe or mrpky.exe.

Karpesky antivirus after 5 days of full scan, also says no threat found.

L1 Bithead

I know it's old but this might help someone troubleshooting. Install Sysmon. It's free from Microsoft and is much more extensive in logging. Make sure event ID 22 is enabled. It'll log all DNS quires and their corresponding processes.

 

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

 

  • 6812 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!