App generating random DNS queries
I started seeing some strange DNS requests in my BIND logs recently. Queries for random-looking domains all following a similar pattern.

Examples:
www.xn--zalgo302112-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com
www.xn--zalgo267819-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com
www.xn--zalgo387992-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com

I've googled but couldn't find much. Has anyone else seen something like this?

It looked at first glance like maybe a part of a botnet avoiding detection by using a random domain generation algorithm like Zeus or Conficker to attempt connections to C&C servers. Also strange is that these were decoded ASCII for internationalized domain names. The reference to 'zalgo' could be an internet meme, also coincidentally the name of a Unicode text generator.

I tracked the source of the queries to a user's Windows laptop. The user was running a seemingly legitimate wifi hotspot locating application that he downloaded once while traveling. Every time the application ran at startup, and about every hour while it ran, it queried these random hostnames, in addition to making some successful http connections to hosts like alive.real-application-domain.com and check.real-application-domain.com (I don't want to out the application name until I know more).

The application exe and DLLs were signed and check out OK with VirusTotal. I wasn't able to capture any packets for connections to the remote hosts to see what the app might have done, since none of the attempted hostnames were found in DNS.

The threat has been neutralized but I'm still very suspicious about this behavior. Would there be any legitimate reason for an application to generate these kinds of DNS hostname requests? I have not contacted vendor support, since I doubt I'd get very far with them without being a paying customer.
Tom

The domain names are "Punycode" encoded, which means they are international domain names. The way Punycode encoding works is that you always start with "xn--", then all the English characters, then a - and finally all the international characters encoded. Verisign has a nice decoder: mct.verisign-grs.com

However, the domain names you are listing above don't decode to anything useful, and they also don't exist. So I would think this is some kind of malware exfiltrating data or looking for a c&c server.


odd...
Johannes

ISC Handler
Odd indeed. I can't find any evidence of malware, I'm starting to believe this is just how the application behaves.

I set it up in a test environment with a server running dnsmasq to reply to the queries with an IP address of a server I run, to see if I could log any connections. But all it does is query the bogus hostnames, it doesn't attempt to connect. It also queries for google.com and example.com. It may just be some sort of test process.

I'll probably run some more captures tomorrow but so far it looks benign.
Tom

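Two points from the thread lend themselves to a small triage script: Tom's observation that the names follow one template with only a counter varying, and Johannes's point that the xn-- labels should be run through a Punycode/IDNA decoder. The following is an added example, not code from the thread or from the application discussed; the BIND query-log lines are constructed in the older BIND 9 "queries" category format, the three hostnames are the ones quoted above, and the client addresses and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed BIND "queries" category log lines: the three xn-- hostnames are the
# ones quoted in the thread; timestamps, client addresses and ports are made up.
SAMPLE_LOG = """\
12-Mar-2013 08:01:12.004 client 192.0.2.77#51234: query: www.xn--zalgo302112-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com IN A + (192.0.2.1)
12-Mar-2013 08:01:12.051 client 192.0.2.77#51235: query: www.xn--zalgo267819-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com IN A + (192.0.2.1)
12-Mar-2013 08:01:12.097 client 192.0.2.77#51236: query: www.xn--zalgo387992-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com IN A + (192.0.2.1)
12-Mar-2013 08:01:13.210 client 192.0.2.77#51237: query: google.com IN A + (192.0.2.1)
12-Mar-2013 08:02:44.500 client 192.0.2.15#40001: query: www.xn--mnchen-3ya.de IN A + (192.0.2.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[0-9a-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_queries(text):
    """Yield (client, qname, qtype) for every line that matches BIND's query-log format."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").lower().rstrip("."), m.group("qtype")


def decode_label(label):
    """ToUnicode a single xn-- label with Python's idna codec; None if the codec rejects it."""
    try:
        return label.encode("ascii").decode("idna")
    except (ValueError, OverflowError):  # UnicodeError is a ValueError subclass
        return None


def template(qname):
    """Collapse digit runs to '#' so names that differ only in a counter share one key."""
    return re.sub(r"\d+", "#", qname)


def find_dga_like(text, min_variants=3):
    """Group IDN (xn--) queries by (client, template); keep groups with many variants."""
    groups = defaultdict(set)
    for client, qname, _qtype in parse_queries(text):
        if any(label.startswith("xn--") for label in qname.split(".")):
            groups[(client, template(qname))].add(qname)
    return {key: sorted(names) for key, names in groups.items() if len(names) >= min_variants}


if __name__ == "__main__":
    for (client, tmpl), names in find_dga_like(SAMPLE_LOG).items():
        print(f"{client} queried {len(names)} names matching {tmpl}")
        for name in names:
            label = next(l for l in name.split(".") if l.startswith("xn--"))
            print(f"  {name} -> {decode_label(label)!r}")
```

A genuine IDN such as www.xn--mnchen-3ya.de decodes cleanly and appears once, so it is not grouped; the zalgo names share a template and are reported per client, which is enough to pick out the laptop for the follow-up Tom describes.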
