Stats show malware activity but scans find no threat

Comments

20 comments

  • rotblitz

    No next steps.  This alert message indicates that a DNS lookup happened against a malware domain.  A DNS query for a malware domain does not necessarily mean that you have an infection.  Especially not if there is only one or a few lookups.  You could even create such an alert manually by executing e.g. "nslookup aflesministal.info.".

    You may click the red cross to make the alert message at https://dashboard.opendns.com/ disappear and to see if it ever comes up again.

  • proof1st

    Thanks - I hope that's the case! But I am not really getting an alert - just seeing a lot of activity that was not there before - see the screenshot of blocked requests below.

  • proof1st

    Looks like the image did not attach - I'll try again.

    [Attachment: dnsrequests.GIF]
  • rotblitz

    Well, you said "malware", and these stats do not refer to malware at all.  You must name the things right to get a relevant answer.  Malware is a different setting, not under content filtering, but under security settings at your dashboard.  And nothing with "malware" appears on this picture in your stats.  (It would refer this way.)

    Regarding your picture:  These are the domains being blocked by your category settings, not more, not less.  These domains are being looked up during normal web browsing, and they are being blocked by your OpenDNS settings.  So nothing left to do.  You already get what you want to get.  Also, most of those are not domains an AV/threat cleanup program would complain about.

  • proof1st

    Well I thought I described it well, activity that seems to indicate malware.
    The first entry in the screenshot, ib.adnxs.com, which has appeared the most, I thought was potential malware, from Google searching that url.
    The activity isn't from normal web browsing, assuming the dates and time stamps are correct. I can confirm no one was accessing the web at the time.
    Is it possible that malware of some sort can hijack and forward requests to specific sites?
  • rotblitz

    "activity that seems to indicate malware."

    Adware is not malware - by definition, so actually nothing in your stats indicates malware.

    "The first entry in the screenshot, ib.adnxs.com, which has appeared the most, I thought was potential malware, from Google searching that url."

    Google doesn't know, and the sources may not really be reliable.  Most of them are simple internet visitors, not really skilled and experienced.
    And because the domain is blocked for you, you could not have been able to download any malware (or even adware) from them, so no reason to be worried.  As I said, you already get what you want, and you are protected.

    "The activity isn't from normal web browsing, assuming the dates and time stamps are correct. I can confirm no one was accessing the web at the time."

    These domains definitely come from normal web browsing, as I know from much experience with OpenDNS stats.  And if you think nobody was browsing at this time, you first should check the time zone for your account to possibly correct it:
    https://dashboard.opendns.com/myaccount/timezone
    If it was correct, then someone else may have accessed your LAN, e.g. through an unprotected WLAN AP and the likes.

    "Is it possible that malware of some sort can hijack and forward requests to specific sites?"

    What?  No!  This is not what would make sense.  DNS queries are never ever forwarded to "specific sites", whatever this could mean.  However, malware could raise DNS look-ups with the intent to phone home to download even more malware or to transmit internal information to the outside world.  But as I said, absolutely nothing indicates such behavior in your stats.

  • proof1st

    Ok thanks for the info. The time zone is correct. I believe my wireless LAN is secure.

    Regarding the last point about hijacking - I had heard it described from various sources as similar to this:

    "A browser hijacker is a type of malware program that alters your computer's browser settings so that you are redirected to Web sites that you had no intention of visiting."

    You're saying something like that is not possibly happening here?

  • rotblitz

    How would you be able to see something in your stats if this would be hi-jacked and redirected to somewhere else?  This does not make sense, because it would be contradictory by itself.

    Also, DNS is not configured in the browser (you should know, because you configured OpenDNS, not in the browser, right?), but this malware "alters your computer's browser settings".  This is again contradictory.

    I really do not understand what concerns you have.  You said you saw malware domains in your stats which is simply not true.  And you said you see stats where you haven't been surfing the web which is likely not true either, because you can't obtain the time stamp from the domain stats.  It seems your problem is that you're just too hypersensitive and too diffusely anxious...

    Again, I do not see any reason for concerns in your case.  Be happy and live on!  Your pessimism is no good for you.  And I'm leaving this fruitless discussion.

  • proof1st

    Thanks for the help - and the entertainment too! You are quite a trip.

    If a malicious program were to hijack the browser and redirect it to another site, yes, that site would show in the dns stats. It would appear as what you are calling "normal" web browsing. Nothing to do with how dns is set up.

    And when in chart view, you can see the time of the activity, as in the attached.

    Your knowledge is a great resource to this community,  but you appear to know enough to confuse yourself at times. :)

    But the free psychoanalysis is much appreciated!

    [Attachment: total-req-2014-12_2015-01.GIF]
  • rotblitz

    I didn't intend to continue here, but I will do nevertheless for the sake of clarity.

    "If a malicious program were to hijack the browser and redirect it to another site, yes, that site would show in the dns stats."

    No, exactly this not.  These threats redirect the browser to a malicious proxy, i.e. the browser's proxy settings are changed unnoticed, and from this point the system's DNS settings (e.g. OpenDNS resolvers) are no longer used, but the DNS configured at the remote proxy server is in effect which is certainly not OpenDNS.  No matter, you'll not see anything of this in your OpenDNS stats then.

    "Nothing to do with how dns is set up."

    You're right.  This is what I meant by "DNS is not configured in the browser".

    "And when in chart view, you can see the time of the activity, as in the attached."

    Yes, the overall DNS activity.  You never know what domain name (from your first screen shot) was queried at what time, you only see the total DNS traffic from your second screen shot.  As your traffic is rather large (as from a business, not home), you really do not know what domain was requested at what time.

  • proof1st

    Excellent, now we are getting somewhere!
    Thanks for setting me straight on how redirects work.
    You say the traffic is rather large (as from a business, not home), yet this is a home, only 3 adult users, working away from the home during the day. I don't believe we are power users by any means.
    Surely this level of activity I'm seeing means something is amiss?
  • Alexander Harrison

    While there is a ton of activity over certain days, the traffic may be generated by visiting very complex websites that contain hundreds of DNS requests to view a couple pages. I'm not seeing anything at the moment that stands out as malicious. Note if you use one of those browser addons to search and verify websites, it's possible that this generates a ton of extra DNS requests. Chrome is also known to generate a ton of extra requests in certain situations as Google search results are pre-cached and loaded without being visited. 

  • proof1st

    Ok thanks for the info. I'll check out browser add-ons. Avast antivirus's latest update added a plug-in to my browser, maybe that's it.
  • ericsolo1

    I have same issues with unknown requests. I say unknown because on days when no one is home for over 24 hours there are multiple blocked requests flagged as adware, porn, file sharing that no human being on our network could be making. I have verified all wireless devices on my network as well as wired so there is no one accessing our network. These requests can't be "Normal" web browsing and have to be software generated. Are they malware such as botnets generating DNS requests or something the browser is doing, I don't know. The site ib.adnx.com is a pop up virus and I have over 100 requests blocked daily.

  • ericsolo1

    The domain ib.adnx.com is a legit advertising platform, but used by adware to display popups and banner ads that I guess must be removed by deleting the affected program. It was interesting to read that many of the requests can come from multiple sources on a single web site. I guess I need to understand a request is not just someone entering a site in the browser window but can be generated many other ways. It's just troubling to see requests for porn sites or peer to peer file sharing when those are the main reason I installed Open DNS after finding our children going to these sites. If they picked up some type of re-direct code we have no one to blame but ourselves. I appreciate all the input.

  • mattwilson9090

    If OpenDNS is blocking requests to those types of domains, then it is doing precisely what you wanted it to do. Why would you be troubled if it's doing what it is supposed to do?

    Just because you see an adware domain being blocked does not mean that you have an infection or someone is visiting a website you don't want them to. It just means that something is trying to do a look up on that domain. Typical advertising on any website could very easily be doing that and OpenDNS is blocking the lookup, which is how OpenDNS should work, and prevents that content from being accessed on your network and prevents potential infections from getting a foothold.

    If you are concerned about the domains that ib.adnx.com is providing advertisements for you should blacklist that domain, although there is a possibility that it will break websites that are using the ad engine.

    If you have convinced yourself that malware is present in your network you should:
    1) change the WiFi passphrase in case someone is using your network that you don't want on it
    2) shut down, disconnect, or unplug *all* internet connected devices when no one is there, such as computers, tablets, mobile phones, Rokus, SmartTVs etc. If no one is there for longer than 2 days and there is still internet activity then you have evidence that someone who is not supposed to be using your network is using it
    3) thoroughly scan all devices with multiple pieces of malware detection software in addition to your regular antivirus software
    4) confirm that the time zone setting in your OpenDNS account matches the time zone you are in and matches that set on your devices
    5) hire an IT/security professional to make a thorough examination of your network and all devices connected to it to find and remove all malware that is present and prevent future infections

  • rotblitz

    @ericsolo1
    Look, if you didn't use OpenDNS, you would be aware in no way about your DNS queries and you wouldn't care at all.  Now, that you know and that these offending DNS queries are even blocked, why do you care?

    "These requests cant be "Normal" web browsing and have to be software generated."

    Yes, of course, DNS queries are never human generated (unless one uses dig, nslookup, host and the likes), but always networking application generated.  Pretty clear!

    "I guess I need to understand a request is not just some one entering a site in the browser window but can be generated many other ways."

    Yes, and tools like http://www.nirsoft.net/utils/dns_query_sniffer.html or www.webpagetest.org can help here.  For the latter, after the results are collected, click the Domain tab to see what domains are participating.  This can be dozens for a web page.

    "It's just troubling to see requests for porn sites or peer to peer file sharing when those are the main reason I installed Open DNS after finding our children going to these sites."

    Yes, but these are being blocked according to your stats, are they?  So, why are you worried?  As Matt Wilson said, you exactly get what you expected!

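The point made above, that one web page can pull in dozens of domains and that webpagetest's Domain tab is how you see them, can also be illustrated offline. The script below is an added example for this thread, not OpenDNS code or a tool from the forum. It feeds a constructed sample page (made-up `.test` hostnames, plus ib.adnxs.com and load.exelator.com because they appear in the thread) through Python's standard-library HTML parser and lists every hostname a browser would have to resolve just to render it, split into first-party and third-party. The "registrable domain" helper is a deliberate simplification (last two labels); a real tool would use the Public Suffix List.

```python
"""List the DNS names a single web page makes a browser resolve.

Added illustration for the OpenDNS community thread; not OpenDNS code.
SAMPLE_HTML is a constructed page, not a real site.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page.  Only ib.adnxs.com and load.exelator.com are real
# names (both are mentioned in the thread); every .test host is a placeholder.
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="https://static.example-news.test/site.css">
  <script src="/js/app.js"></script>
  <script src="https://cdn.example-cdn.test/lib.js"></script>
  <script src="https://ib.adnxs.com/ttj?id=123"></script>
  <script src="https://load.exelator.com/load.js"></script>
</head><body>
  <img src="https://img.example-news.test/hero.jpg">
  <img src="//pixel.tracker-one.test/p.gif">
  <iframe src="https://ads.ad-network.test/frame"></iframe>
  <a href="https://www.example-news.test/story">story</a>
</body></html>
"""

# Tag/attribute pairs the browser fetches automatically while rendering.
# Plain <a href> links are excluded: they are not resolved until followed.
AUTO_FETCH = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}


class HostCollector(HTMLParser):
    """Collect hostnames from automatically fetched resources."""

    def __init__(self):
        super().__init__()
        self.hosts = Counter()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                # scheme="https" lets protocol-relative "//host/path" URLs parse;
                # relative paths like "/js/app.js" yield no hostname (same origin).
                host = urlparse(value, scheme="https").hostname
                if host:
                    self.hosts[host] += 1


def registrable(host):
    """Simplified registrable domain: the last two labels.

    Good enough for the sample; real code should consult the Public Suffix List.
    """
    return ".".join(host.lower().split(".")[-2:])


def page_hosts(html, page_host):
    """Return (first_party_hosts, third_party_hosts) for a page served from page_host."""
    collector = HostCollector()
    collector.feed(html)
    site = registrable(page_host)
    first = sorted(h for h in collector.hosts if registrable(h) == site)
    third = sorted(h for h in collector.hosts if registrable(h) != site)
    return first, third


if __name__ == "__main__":
    first, third = page_hosts(SAMPLE_HTML, "www.example-news.test")
    print("first-party lookups:", first)
    print("third-party lookups:", third)
```

Run it and the single constructed page produces seven distinct lookups, five of them to domains the visitor never typed; on a real news or shopping site the third-party list is routinely far longer, which is the traffic volume discussed in this thread.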
  • ericsolo1

    Thanks for the leads, I'll check these resources out. I could rack my brain with adding computer sciences knowledge until it pushes out the stuff I need for my field, or I could retire this paranoia and move on to something more productive. Seriously though this input has been incredibly interesting and leaves me wanting to learn more. From a service point of view the response from staff and community of Open DNS has been very impressive. I will upgrade to paid level out of shame.

  • mfuhr

    Thanks for the discussion - I have the same issue, only when I unplug all my devices it still shows queries from load.exelator and loadr.exelator - and in regard to being bothered by the blocked porn requests I am glad they are being blocked but potentially disturbed if my kids are making those requests.  I'm pretty convinced they are not, but who would it be and why would my system be making porn requests when nobody is even home?

  • rotblitz

    "it still shows queries from load.exelator and loadr.exelator"

    These are not public DNS names, or did you mean load.exelator.com and loadr.exelator.com?  These are domains used by a provider exelate.com to utilize their services on other websites, like marketing, advertising and tracking.  This website has a lousy reputation:
    https://www.mywot.com/en/scorecard/exelate.com
    See also http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/what-is-loadjs-from-loadmexelatorcom/12b1d9dc-642f-449d-baf6-a9aadae91dad?auth=1
    And if you have the Adware category blocked, these domains will be blocked too:
    https://community.opendns.com/domaintagging/search/?q=exelator.com

    "in regard to being bothered by the blocked porn requests I am glad they are being blocked but potentially disturbed if my kids are making those requests.  I'm pretty convinced they are not"

    If you followed the discussion above thoroughly, you knew that DNS lookups are not raised by humans including kids, but by networking applications and devices anyway.  So yes, you're right, these aren't your kids or anybody else unless they did enter DNS lookup commands against these domains all the time.

    "who would it be and why would my system be making porn requests when nobody is even home?"

    Not "who", but "what" is the question.  And nobody can answer your question but you.  You may have overseen devices which are still switched on, including your router, or you may have set a wrong time zone as mentioned above too, or someone has access to your internet connection from inside your LAN, e.g. via an unsecured or hacked WLAN AP, or someone has remote access to a device within your network.

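The recurring gap in this thread is that the dashboard shows which domains were blocked and, separately, how much traffic there was per hour, but never which device asked for which domain at what time, which is exactly what "not who, but what" requires. A per-query log from a local resolver, a router, or a DNS sniffer like the one linked above does carry that. The script below is an added example for this thread, not OpenDNS code; it assumes such a log in a simple whitespace-separated `timestamp client qname qtype` format and the log lines, the 192.168.1.0/24 addresses and the 09:00 to 17:00 "nobody home" window are all constructed sample data. It groups queries by client and domain and reports which client was asking for what during the unattended hours, so a household can check the time-zone assumption and identify the device rather than guessing.

```python
"""Correlate per-query DNS logs with client device and time of day.

Added illustration for the OpenDNS community thread; not OpenDNS code.
SAMPLE_LOG is constructed data in an assumed "timestamp client qname qtype"
format; adapt parse_log() to whatever your resolver or sniffer emits.
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample log.  Timestamps are local time; addresses are private
# placeholders; ib.adnxs.com and load.exelator.com are named in the thread,
# the .test names are made up.
SAMPLE_LOG = """\
2015-01-12T07:55:02 192.168.1.20 www.example-news.test A
2015-01-12T07:55:03 192.168.1.20 ib.adnxs.com A
2015-01-12T07:55:03 192.168.1.20 load.exelator.com A
2015-01-12T10:14:07 192.168.1.42 ib.adnxs.com A
2015-01-12T10:14:08 192.168.1.42 load.exelator.com A
2015-01-12T11:30:11 192.168.1.42 ib.adnxs.com A
2015-01-12T13:02:45 192.168.1.42 update.vendor-placeholder.test A
2015-01-12T14:45:19 192.168.1.42 ib.adnxs.com A
2015-01-12T18:20:00 192.168.1.31 www.example-news.test A
2015-01-12T18:20:01 192.168.1.31 pixel.tracker-one.test A
"""

# Hours during which, according to the household, nobody is home (constructed).
UNATTENDED = (time(9, 0), time(17, 0))


def parse_log(text):
    """Parse log lines into (datetime, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        # Strip a trailing dot so "example.com." and "example.com" group together.
        records.append((datetime.fromisoformat(ts), client, qname.rstrip(".").lower(), qtype))
    return records


def in_window(when, window=UNATTENDED):
    """True if the query time falls inside the unattended window (same day)."""
    start, end = window
    return start <= when.time() < end


def summarize(records, window=UNATTENDED):
    """Return (queries per client, queries per domain, unattended[domain][client])."""
    per_client = Counter()
    per_domain = Counter()
    unattended = defaultdict(Counter)
    for when, client, qname, _qtype in records:
        per_client[client] += 1
        per_domain[qname] += 1
        if in_window(when, window):
            unattended[qname][client] += 1
    return per_client, per_domain, unattended


def unattended_clients(unattended):
    """Clients that issued any query while nobody was home, most active first."""
    totals = Counter()
    for clients in unattended.values():
        totals.update(clients)
    return [client for client, _count in totals.most_common()]


if __name__ == "__main__":
    per_client, per_domain, unattended = summarize(parse_log(SAMPLE_LOG))
    print("queries per client:", dict(per_client))
    print("top domains:", per_domain.most_common(3))
    for qname, clients in sorted(unattended.items()):
        print(f"unattended: {qname} <- {dict(clients)}")
    print("devices active while nobody home:", unattended_clients(unattended))
```

On the sample data every unattended-hours lookup comes from a single client, 192.168.1.42, which turns "why is my system requesting this" into "which device is .42 and what on it runs unattended" (an updater, a set-top box, a browser left open), a question the dashboard's aggregate charts cannot answer. If the device turns out to be one believed to be off, the time-zone setting and the WLAN access checks suggested above are the next things to verify.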