Suspicious DNS Query (generic:blonde.crazytall.com)(4100529)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Suspicious DNS Query (generic:blonde.crazytall.com)(4100529)

Not applicable

Does anyone have a link to more information regarding this threat ID ?

I have searched PA's support site and the internet, and have had no luck.

Thanks!!

9 REPLIES 9

L6 Presenter

Hi Craig,

Blonde.crazytall.com is a malware site, when a user/spyware tried to do DNS lookup firewall just blocked DNS. Which in turn subsequent conversation. Let me know if this helps.

Capture.PNG

Please refer following document for more detail on log.

How to Create a Custom Report for Suspicious DNS Queries

Regards,

Hardik Shah

Thank you for the quick response.

Unfortunately, I do not fully understand your explanation.

hshah

Looks like there is an issue with the Test A Site database.  I just ran this on the PA research center and it shows clean as computer category.

blondecrazytall.png

craigmueller

You should try to back trace the clients making the request for the site.  They are likely infected with malware.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Craig,

Firewall has inbuilt mechanism to block DNS request for malicious web sites.

So, lets say any user tries to access malicious website, which can damage network in future. In that case Firewall will block DNS query, so Connection will never be formed and Network is secure.

Moreover administrator get a log, so he can talk to user about malicious access. If user is unaware of such access then his machine is compromised. Let me know if this helps.

steven Bright cloud detects it as malicious, may be we can submit request for PAN-DB to correct category.

Regards,

Hardik Shah

hshah -- BrightCloud's categorization is likely incorrect. We've observed the crazytall domains being used to serve ads, which is perfectly legitimate. However, we've also observed malware connecting out to these domains. Thus, we do not categorize the domains as malicious, because they aren't; but we do categorize them as suspicious, because, as Steven Puluka indicated, accessing them may indicate malware on the endpoint.


That said, per Steven's submission to Test A Site, "Computer and Internet Info" probably isn't the best categorization. It's worth requesting a review of that, even if the optimal bucket isn't "Malware."

Hi Cblackmore,

If you think its a legitimate domain, than please submit a URL Category Change request to bright cloud. Follow bellow URL.

URL Categorization Change Request | Webroot BrightCloud

Once Bright cloud updates URL, firewall will no longer thinks it a malware domain and allow this legitimate traffic.

Regards,

Hardik Shah

L6 Presenter

Hello Craigmueller,

Virustotal thinks it as a malicious website, hence most likely bright cloud will not change category. If virustotal think it as a malware, than there is something wrong with the website. Please follow bellow link.

https://www.virustotal.com/en/domain/blonde.crazytall.com/information/

Regards,

Hardik Shah

hshah,

  1. craigmueller's original question was about a DNS signature, not URL Filtering functionality (whether BrightCloud or PAN-DB).
  2. BrightCloud is not a factor in how we generate DNS signatures. Feel free to submit a change request to BrightCloud, but it will not affect our signatures.
  3. VirusTotal does not believe blonde.crazytall.com to be malicious. VirusTotal is simply a data aggregator, and the data it has aggregated shows that of 57 URL scanners, none believe this domain to be malicious.

The DNS signature exists for the reasons I stated earlier.

Not applicable

I don't think there is a categorization issue.

I was really just interested in more information regarding this threat ID.

If I am understanding everyone, this seems to be for pop-up ads or malware distribution?

If this is posted twice, I apologize. I previously responded, but no longer see it.

  • 4958 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!