Nxfilter blocking long TXT domain names (malware/botnet?)


Jared Scott

May 16, 2014, 3:52:26 AM5/16/14
to nxfil...@googlegroups.com
Hey guys,

I read that TXT requests are often from malware or botnets, and I am seeing a ton of those coming from my wife's PC. Here they are:

Can anyone shed some light on this?

Thanks a mil,

Jared

Jinhee

May 16, 2014, 4:07:15 AM5/16/14
to nxfil...@googlegroups.com
Yeah, NxFilter blocks it when you enable 'Block covert channel' on the policy.
I don't know what it is, but something is having a communication channel using TXT records.

Jinhee

Jared Scott

May 16, 2014, 4:16:51 AM5/16/14
to nxfil...@googlegroups.com
Yeah, I am glad that it is; I'm just wondering what the next step should be.

I have heard that Dropbox sometimes sends these. I will have to investigate further.

Thanks

Jared

Jinhee

May 16, 2014, 5:04:37 AM5/16/14
to nxfil...@googlegroups.com
I also use Dropbox, but I have never seen any TXT record blocked.
It could be from a real botnet or malware.
One of the users once found a virus infection on his network.
He had a big difference between request-count and request-sum.

Jinhee

mark page

May 16, 2014, 5:33:36 AM5/16/14
to nxfil...@googlegroups.com
The logs will have the full domain name. I see these on my network, but they're usually from users who have Republic Wireless or another such carrier that uses Wi-Fi for voice data.

Mark

Jinhee

May 16, 2014, 6:34:52 AM5/16/14
to nxfil...@googlegroups.com
@Mark

Yeah, there could be false positives. Actually, I was worrying about that false positive problem when I first came up with the idea of detecting botnets/malware at the DNS level.
You can bypass it using the whitelist, but sometimes you don't want to do that because it also bypasses other filtering options. So I added one more option that bypasses this
packet inspection for 30,000 well-known websites. I thought that might not be a big enough number, but I didn't want to include too big a file, so it became 30,000. The good thing is
that you can add domains yourself as well. The file is /conf/wknown.txt.

Maybe we need to add those wireless company domains to the file.

Jinhee

Jared Scott

May 16, 2014, 6:45:30 AM5/16/14
to nxfil...@googlegroups.com
Thanks for the quick responses! I don't use anything like that at home (just a plain old telephone line with a DSL router), so I think it might be malware (in which case NxFilter has impressed me once again. Which reminds me, I will be posting those reviews soon; apologies for the delay).

@Mark, I will check the logs a little later, thanks for pointing them out. :)

mark page

May 16, 2014, 6:48:49 AM5/16/14
to nxfil...@googlegroups.com
I don't use the "Detecting botnet communication" or "Block covert channel" options in my policies, but I did have to tweak the "Max domain length" to 253 to allow these to get through. That number is based on RFC 1035, which states that the maximum FQDN length should be 255 octets (http://tools.ietf.org/html/rfc1035). But in actuality, there's an understood trailing dot with a trailing zero-byte encoding for the dot, meaning you're really looking at 253 octets for the FQDN.

Mark
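As an added illustration of the two mechanisms discussed in this thread (the "Max domain length" limit Mark raised from 64 to 253, and the well-known-domain bypass Jinhee describes via /conf/wknown.txt), here is a small stand-alone Python checker. It is example code written for this page, not NxFilter's implementation: the "client qtype qname" log format, the WELL_KNOWN set, the sample log lines and the domain names in them are all constructed for the demonstration, and the registrable-domain logic is a crude last-two-labels approximation with no public-suffix handling. It also shows why 253 text characters corresponds to the 255-octet wire limit of RFC 1035 (one length octet per label plus the terminating zero octet for the root label).

```python
import re

# RFC 1035 section 2.3.4: a label is at most 63 octets and a whole name at most
# 255 octets in wire format, where each label is preceded by a length octet and
# the name ends with a zero octet (the root label). The dotted text form of a
# maximal name therefore holds 253 characters.
MAX_LABEL = 63
MAX_WIRE_NAME = 255
MAX_TEXT_NAME = 253


def labels_of(name):
    """Split a dotted name into labels, ignoring a trailing root dot."""
    stripped = name.rstrip(".")
    return stripped.split(".") if stripped else []


def wire_length(name):
    """Octets the name occupies in a DNS message: length byte per label, plus root."""
    return sum(1 + len(label) for label in labels_of(name)) + 1


def is_valid_name(name):
    """True if every label fits in 63 octets and the whole name fits in 255."""
    labels = labels_of(name)
    if not labels or any(not 1 <= len(label) <= MAX_LABEL for label in labels):
        return False
    return wire_length(name) <= MAX_WIRE_NAME


def registrable_domain(name):
    """Crude last-two-labels approximation (assumption: no public-suffix list)."""
    return ".".join(labels_of(name.lower())[-2:])


# Constructed stand-in for a well-known-domains file such as /conf/wknown.txt.
WELL_KNOWN = {"dropbox.com", "example-carrier.net"}

# Constructed log format: "<client> <qtype> <qname>" (not NxFilter's real format).
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def classify(line, max_domain_length=64, well_known=WELL_KNOWN):
    """Return (verdict, reason) for one log line under a max-domain-length policy."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ("drop", "unparsable")
    qtype, qname = m.group("qtype"), m.group("qname")
    if not is_valid_name(qname):
        return ("drop", "malformed name")
    # Well-known domains skip the length inspection, mirroring the wknown.txt bypass.
    if registrable_domain(qname) in well_known:
        return ("allow", "well-known domain")
    if len(qname.rstrip(".")) > max_domain_length:
        if qtype == "TXT":
            return ("block", "covert channel: long TXT query")
        return ("block", "max domain length exceeded")
    return ("allow", "ok")


# Constructed sample traffic, not real captures.
SAMPLE_LOG = [
    "192.168.1.10 A www.dropbox.com",
    "192.168.1.10 TXT _dmarc.dropbox.com",
    "192.168.1.10 TXT " + "0123456789abcdef" * 3 + ".exfil.c2.bad.example",
    "192.168.1.11 A " + "a" * 63 + ".example.org",
    "192.168.1.12 TXT " + ".".join(["a" * 63] * 3 + ["a" * 61]),  # 253 chars, valid
    "192.168.1.12 TXT " + ".".join(["a" * 63] * 4),               # 255 chars, invalid
]


def audit(lines, max_domain_length=64):
    """Classify every line; returns a list of (qname, verdict, reason)."""
    results = []
    for line in lines:
        qname = line.split()[-1]
        verdict, reason = classify(line, max_domain_length)
        results.append((qname, verdict, reason))
    return results


if __name__ == "__main__":
    for limit in (64, 253):
        print(f"--- max_domain_length={limit}")
        for qname, verdict, reason in audit(SAMPLE_LOG, limit):
            print(f"{verdict:5} {reason:32} {qname[:48]}")
```

Running it with the default limit of 64 blocks the long hex-looking TXT query and the long A query while the Dropbox names pass through the well-known bypass; raising the limit to 253 lets every valid name through, and the 255-character name is rejected in both cases because it cannot be encoded in 255 wire octets at all.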

Jinhee

May 16, 2014, 7:17:48 AM5/16/14
to nxfil...@googlegroups.com
Yeah, 64 is just the default value for that. If it's too big, nobody gets blocked, and we would never know whether it works or not. Having false positives itself is OK;
only how many we have would be an issue. Plus, I tried to let NxFilter make more false positives so that people see it doing its job. But if it's
too noisy, maybe we should rethink it.

Jinhee