
Malwarebytes

New spy / adware? buy.internettraffic.com sell.internettraffic.com

buy.internettraffic.com sell.internettraffic.com

3 replies to this topic

#1
highplains

    New Member

  • Members
  • 7 posts
So, I'm a new security person at my company. I check through the firewall logs a few times a week looking for odd things.

I searched for DNS queries going straight out to the internet from our clients (as they should never do that; they should only go to internal DNS servers).

I found a PC making DNS queries out to 4 different DNS servers (we deny the requests). Then another PC, and now I have a third PC making these requests.

Neither ForeFront, MalwareBytes, our IDS nor ComboFix detected anything when we scanned with them. In every case so far we have reimaged. I have an infected laptop at my desk but I have not done any analysis yet.

I can't find much info via Google. Is this something new that isn't on anyone's radar yet?

All I know is my client PCs should NOT be making requests out to odd DNS servers, so it's mal/ad/spyware.

Here are the DNS servers they reach out to:
176.74.176.170 sell.internettraffic.com
176.74.176.169
208.87.35.120 buy.internettraffic.com
208.87.35.121

hxxp://internettraffic.com/ - very ambiguous - no idea what "service" is being provided
hxxp://www.malwareurl.com/ns_listing.php?ns=buy.internettraffic.com
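
The log review described in the first post (flagging clients that send DNS traffic anywhere other than the internal resolvers), as an added example that is not part of the original thread. The key=value log format, the 10.0.x.x, 192.0.2.x and 203.0.113.x addresses and the function name are constructed assumptions; the external DNS server addresses are the ones listed in the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Assumption: the internal resolvers clients are allowed to query (constructed addresses).
INTERNAL_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}

# Constructed sample lines in a generic key=value format (not a real product's log).
SAMPLE_LOG = """\
2013-01-15T09:12:01 action=deny proto=udp src=10.0.4.21 dst=176.74.176.170 dport=53
2013-01-15T09:12:01 action=allow proto=udp src=10.0.4.21 dst=10.0.0.53 dport=53
2013-01-15T09:12:03 action=deny proto=udp src=10.0.4.21 dst=208.87.35.120 dport=53
2013-01-15T09:13:40 action=allow proto=tcp src=10.0.4.30 dst=203.0.113.10 dport=443
2013-01-15T09:14:10 action=deny proto=tcp src=10.0.7.88 dst=208.87.35.121 dport=53
2013-01-15T09:14:12 action=allow proto=udp src=10.0.0.53 dst=192.0.2.1 dport=53
garbled line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def direct_dns_clients(log_text, resolvers=INTERNAL_RESOLVERS):
    """Map each client IP to the sorted list of non-approved DNS servers it tried to reach."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            # DNS uses both UDP and TCP port 53; anything else is out of scope here.
            if fields["dport"] != "53" or fields["proto"] not in ("udp", "tcp"):
                continue
            src, dst = ip_address(fields["src"]), ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue  # skip lines that are not well-formed connection records
        # The resolvers themselves legitimately query upstream servers;
        # every other host is expected to send DNS only to a resolver.
        if src in resolvers or dst in resolvers:
            continue
        hits[str(src)].add(str(dst))
    return {client: sorted(servers) for client, servers in hits.items()}


if __name__ == "__main__":
    for client, servers in sorted(direct_dns_clients(SAMPLE_LOG).items()):
        print(f"{client} -> {len(servers)} unapproved DNS server(s): {', '.join(servers)}")
```

Denied and allowed attempts are both counted, since a blocked query still identifies a host that is configured or infected to bypass the internal resolvers.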

#2
highplains

Sorry, I should have posted this in the Research Center section.

I'm sure an admin will be kind enough to move this thread :)

#3
highplains

Now I've got another person with this... sigh
Sorry about being a noob, I'll get the SANS SIFT kit or something and try to find a sample binary I can submit.

#4
S!Ri

    Forum Deity

  • Moderators
  • 8,615 posts
Hi,

Looks like you posted your issue in the wrong forum :)

If you're having Malware related issues with your computer that you're unable to resolve.
S!Ri
Research Engineer
