PA-3050 detected dns queries to malicious URL but all other anti-malware detected none


L1 Bithead

The Palo Alto device is saying that a workstation on the network is querying the DNS server for some malicious URLs on some dates and at some times.

Full scans using McAfee VSE, Microsoft Safety Scanner, Malwarebytes and Spybot all said no malware detected.

Using McAfee GetSusp I uploaded 40 suspicious and unknown files, which were analysed in the McAfee lab: no malware detected. McAfee put these files through VirusTotal, and antivirus engines from 57 different vendors all say ‘clean’.


The log that says detection of malicious URL:

Receive Time | Threat/Content Type | Generate Time | Rule | Application | Virtual System | Source Zone | Destination Zone | Source Port | Destination Port | IP Protocol | Action | URL | Threat/Content Name | Category | Severity | Direction
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | | P2P-Worm.palevo:brero.balkan-hosting.net(3839431) | any | medium | client-to-server
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | | Suspicious DNS Query (P2P-Worm.palevo:brero.balkan-hosting.net)(4022349) | any | medium | client-to-server
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | | P2P-Worm.palevo:brero.balkan-hosting.net(3839431) | any | medium | client-to-server
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | | Suspicious DNS Query (P2P-Worm.palevo:brero.balkan-hosting.net)(4022349) | any | medium | client-to-server

I really don't know how to close this case. Who is right, and how do I prove either anti-malware product wrong?

The workstation in question is a Windows 7 machine, and the whole network is isolated (meaning no Internet access). The DNS server is Windows 2012, AD-integrated, with no access to the Internet. The workstation has McAfee VSE 8.8 and its definitions are updated every day. It also has McAfee HIPS, Solidcore, DLP and RSD.


I used Sysinternals' Autoruns to check the running processes and try to figure out which one is making the queries. I checked all the processes against VirusTotal, a convenient feature built into Autoruns. OK, all turned up clean except that Baidu says the process Lenovo Registration contains Win32.Trojan.WisdomEyes.16070401.9500.9777.


I turned off all the 'logon' processes and all scheduled tasks, restarted, logged on, then checked the DNS event logs: the queries to Brero.balkan-hosting.net and kreten.banjalucke-ljepotice.ru still happened. So none of the logon processes or scheduled tasks are calling these URLs. If malware were trying to hijack the logon-to-start registry keys and scheduled tasks, this should have been detected.


So far I had used McAfee VSE, Microsoft Safety Scanner, Malwarebytes, Ad-Aware and Spybot to do full scans, and all say clean. Now I am running a Kaspersky full scan.


In ThreatMiner.org, I checked the domains which Palo Alto says are malicious - Brero.balkan-hosting.net, Banjalucke-ljepotice.ru, Dzaba.cultarts.com – and none of them are listed as malicious, though the domain banjalucke-ljepotice.ru contains the subdomains property.banjalucke-ljepotice.ru and pica.banjalucke-ljepotice.ru, which are malicious and related to the Rimecud and Palevo viruses.

I will also be checking other similar workstations to see if they too query these so-called 'malicious' URLs.

To add on, the WindowsNT\CurrentVersion\Winlogon key doesn't contain any reference to huuo.exe or mrpky.exe.

Kaspersky antivirus, after 5 days of full scan, also says no threat found.
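Working from the DNS server side, as the thread does when it checks the DNS event logs, the following added Python example (not code from the thread or from Palo Alto Networks) parses packet lines in the format of the Windows DNS Server debug log, decodes the (length)label query names, and lists which client IP asked for the flagged domains and when. The log lines and client addresses are constructed samples; the watch list holds the two domains named in the thread, and the exact debug-log layout is an assumption about that file format.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a Windows DNS Server debug log
# ("Log packets for debugging"); client addresses are made up.
SAMPLE_LOG = """\
12/3/2017 1:56:10 PM 0B2C PACKET  000000000A1B2C3D UDP Rcv 10.10.20.57     0002   Q [0001   D   NOERROR] A      (5)brero(14)balkan-hosting(3)net(0)
12/3/2017 1:56:10 PM 0B2C PACKET  000000000A1B2C3D UDP Snd 10.10.20.57     0002 R Q [8385 A DR NXDOMAIN] A      (5)brero(14)balkan-hosting(3)net(0)
12/3/2017 1:56:11 PM 0B2C PACKET  000000000A1B2C40 UDP Rcv 10.10.20.57     0003   Q [0001   D   NOERROR] A      (6)kreten(20)banjalucke-ljepotice(2)ru(0)
12/3/2017 1:57:02 PM 0B2C PACKET  000000000A1B2C44 UDP Rcv 10.10.20.12     0004   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
12/3/2017 2:01:10 PM 0B2C PACKET  000000000A1B2C48 UDP Rcv 10.10.20.57     0005   Q [0001   D   NOERROR] A      (5)brero(14)balkan-hosting(3)net(0)
"""

# Domains flagged in the thread; an apex entry also matches its subdomains.
WATCHLIST = {"brero.balkan-hosting.net", "banjalucke-ljepotice.ru"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ PACKET\s+\S+ "
    r"(?P<proto>UDP|TCP) (?P<direction>Rcv|Snd) (?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"[0-9A-Fa-f]{4}\s+(?P<resp>R?)\s*Q \[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)"
)

def decode_name(labels: str) -> str:
    """Turn the log's (len)label notation into a dotted name, checking each length."""
    parts = re.findall(r"\((\d+)\)([^()]*)", labels)
    if any(len(label) != int(length) for length, label in parts):
        raise ValueError(f"label length mismatch in {labels!r}")
    return ".".join(label for _, label in parts if label)

def parse_line(line: str):
    """Fields of one packet line, or None for header, blank or non-packet lines."""
    m = LINE_RE.match(line)
    return dict(m.groupdict(), name=decode_name(m.group("name"))) if m else None

def on_watchlist(name: str, watchlist) -> bool:
    """Exact match, or a subdomain of an apex entry."""
    return any(name == w or name.endswith("." + w) for w in watchlist)

def hits_by_client(log_text: str, watchlist):
    """Map client IP -> [(timestamp, name)] for flagged queries received from clients."""
    # 'Snd' lines are the server's answers; skipping them counts each query once.
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["direction"] == "Rcv" and on_watchlist(rec["name"], watchlist):
            hits[rec["ip"]].append((rec["ts"], rec["name"]))
    return dict(hits)
```

The per-client timestamps are what to compare against the firewall's Receive Time column; a steady interval between queries from one host is the pattern to carry into a process-level trace on that workstation.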
