Today I was performing a Windows update; it said that it needed to get two mandatory updates. I clicked on Okay and was watching my SNORT IDS. I saw two "FILE-IDENTIFY Portable Executable binary file magic detection" alerts; what scared me was that they were from my ISP :-0. I know that we don't have any Micros0ft office in or around my place.
So I went to my Windows machine and typed in netstat -aon; sure enough, I could see two established connections to the IP 122.165.249.90.
ID | Signature | Timestamp | Source Address | Dest. Address | Layer 4 Proto
#0-(5-49658) | [snort] DNS SPOOF query response with TTL of 1 min. and no authority | 2012-02-24 05:38:37 | 192.168.1.1:53 | 192.168.56.200:57649 | UDP
#1-(5-49659) | [snort] FILE-IDENTIFY Portable Executable binary file magic detection | 2012-02-24 05:39:33 | 122.165.249.90:80 | 192.168.56.200:49160 | TCP
#2-(5-49660) | [snort] FILE-IDENTIFY Portable Executable binary file magic detection | 2012-02-24 05:39:34 | 122.165.249.90:80 | 192.168.56.200:49161 | TCP
Next I clicked on the first IDS alert and found that it was trying to resolve dns.msftncsi.com, which resolves to the IP address 131.107.255.255. This increased my doubt; however, drilling further down, I started running a PCAP and restarted my Windows machine. I found that a second DNS query went out to download.windowsupdate.com, which has a CNAME chain as shown below, and my system at last ended up downloading from 122.165.xxx.xxx :-)
bala@bala-laptop:~$ nslookup download.windowsupdate.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
download.windowsupdate.com canonical name = download.windowsupdate.nsatc.net.
download.windowsupdate.nsatc.net canonical name = main.dl.wu.akadns.net.
main.dl.wu.akadns.net canonical name = intl.dl.wu.akadns.net.
intl.dl.wu.akadns.net canonical name = dl.wu.ms.geo.akadns.net.
dl.wu.ms.geo.akadns.net canonical name = a26.ms.akamai.net.
Name: a26.ms.akamai.net
Address: 122.165.249.90
Name: a26.ms.akamai.net
Address: 122.165.249.91
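A way to automate the cross-check done above, as an added example that is not part of the original post: parse the nslookup CNAME chain and the netstat output, then flag any established connection whose peer address is not among the addresses the update hostname resolved to. The sample outputs are constructed from the formats shown in the post (with a shortened CNAME chain); the PIDs and the 203.0.113.7 peer are made up.

```python
import re

# Constructed sample in the nslookup format shown in the post (addresses are the post's).
NSLOOKUP_OUT = """\
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
download.windowsupdate.com canonical name = download.windowsupdate.nsatc.net.
download.windowsupdate.nsatc.net canonical name = a26.ms.akamai.net.
Name: a26.ms.akamai.net
Address: 122.165.249.90
Name: a26.ms.akamai.net
Address: 122.165.249.91
"""
# Constructed sample of Windows `netstat -aon` rows; PIDs and 203.0.113.7 are made up.
NETSTAT_OUT = """\
  TCP    192.168.56.200:49160   122.165.249.90:80    ESTABLISHED    1044
  TCP    192.168.56.200:49161   122.165.249.90:80    ESTABLISHED    1044
  TCP    192.168.56.200:49170   203.0.113.7:443      ESTABLISHED    2312
  UDP    0.0.0.0:5355           *:*                                 1100
"""

def parse_nslookup(text):
    """Return (cname_chain, answer_addresses); the 'Address: x#53' server line is skipped."""
    chain, addrs = [], set()
    for line in text.splitlines():
        m = re.match(r"(\S+) canonical name = (\S+)\.$", line)
        if m:
            chain.append((m.group(1), m.group(2)))
        elif line.startswith("Address:") and "#" not in line:
            addrs.add(line.split()[1])
    return chain, addrs

def established_peers(text):
    """Map foreign IP -> [(proto, local socket, pid)] for ESTABLISHED rows only."""
    peers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] == "ESTABLISHED":
            ip = parts[2].rsplit(":", 1)[0]
            peers.setdefault(ip, []).append((parts[0], parts[1], parts[4]))
    return peers

def correlate(nslookup_text, netstat_text):
    """Return (final CNAME target, peers covered by the DNS answers, peers that are not)."""
    chain, addrs = parse_nslookup(nslookup_text)
    peers = established_peers(netstat_text)
    explained = {ip: c for ip, c in peers.items() if ip in addrs}
    unexplained = {ip: c for ip, c in peers.items() if ip not in addrs}
    return (chain[-1][1] if chain else None), explained, unexplained
```

Anything in the unexplained set is what deserves a look in the PCAP; peers in the explained set are simply the CDN edge the CNAME chain pointed the client at.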