topic Re: Hi in Network Security

What does "BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba (1:31600)" mean?

rweir0001 — Sun, 10 Mar 2019 13:38:39 GMT

I have a Cisco ASA5516x w/ FirePOWER with an IPS license installed and I am trying to determine what this Impact 1 alert means:

BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba (1:31600)

The source looks like it is coming from DNS servers on the internet:

208.67.220.220

208.67.222.222

4.2.2.6

204.117.214.10

The destination is our domain controllers that are configured to be our DNS servers. I'm just trying to figure out what this alert really means? The classification is "A Network Trojan was Detected", but does that mean that a user tried to resolve a DNS record to a site that has been flagged as malicious, or that they have malware on their PC that is trying to connect a Command & Control server out in the wild? To be clear the ingress for these alerts are out Outside interface and the egress is our Inside interface. If anyone can provide a clear explanation for these alerts it would be greatly appreciated. Thanks!

Hi

yogdhanu — Wed, 06 Jul 2016 00:19:35 GMT

It does not necessarily mean that the PC or DC are infected. This rule is for reverse DNS lookup.

With the source and destination, it could just be a packet which is the reply of reverse DNS lookup request . Now why would that request be sent in first place is an question and worth investigation.

flow:to_client; content:"|07|spheral|02|ru|00|"; fast_pattern:only;

You can check download packet capture in the rule event and check the IP address for which is resolved for spheral.ru and then identify which PC initiated the request.

Sometimes it could be an AV or security product trying to do reverse DNS lookup for a suspicious IP.

Rate if helps.

Yogesh

Thanks, Yogesh!

rweir0001 — Wed, 06 Jul 2016 14:17:00 GMT

Thanks, Yogesh!

We've been getting similar

JBL0w3ryLLC — Fri, 26 Aug 2016 15:13:29 GMT

I had posted briefly that we began seeing additional, internal logs regarding these reverse DNS queries, but Solarwinds support said they were just internal DNS queries that resulted from the syslogs sent from FireSight. I still suggest careful vigilance, as always.

Re: Hi

pahsative — Thu, 12 Oct 2017 18:19:47 GMT

If the packet is dropped, how can I confirm that another sercurity tool or AV is responsible for the reverse DNS lookup?

Re: Hi

tjohnson@reliant-cap.com — Mon, 24 Sep 2018 14:14:46 GMT

How do you identify which PC initiated the DNS request?