Suspicious DNS Queries

Windows specific questions, problems.
Post Reply
busthead
Newbie
Newbie
Posts: 7
Joined: Sat Sep 30, 2017 10:01 pm

Suspicious DNS Queries

Post by busthead »

Starting this week every time I launch qBittorrent my network IDS picks up a suspicious DNS query for a .tk .top or .pw domain.

Strangely, the DNS requests are sent to my internal server even when the host is connected to VPN.

A pre-boot malware scan did not detect anything malicious.

The issue persists after upgrading to the latest version of qBittorrent.

Are these the expected hashes for v4.3.3:

C:\Program Files (x86)\qBittorrent>fciv -md5 qbittorrent.exe
650e716e09b86e8300dddd0d55baae96 qbittorrent.exe

C:\Program Files (x86)\qBittorrent>fciv -md5 qbittorrent.pdb
f5aa356d0874f9e8691b37533143cd46 qbittorrent.pdb
User avatar
Peter
Administrator
Administrator
Posts: 1952
Joined: Wed Jul 07, 2010 6:14 pm

Re: Suspicious DNS Queries

Post by Peter »

Could be tracker connections? I mean, if you try and just open qBittorrent without any torrent running/being active, I don't think it'll make any such connections.
busthead
Newbie
Newbie
Posts: 7
Joined: Sat Sep 30, 2017 10:01 pm

Re: Suspicious DNS Queries

Post by busthead »

If 'Options-Advanced-Network interface' is set to my VPN connection, should tracker connections be sent to the DNS server of the underlying LAN?

I installed Malwarebytes and it detected two connections to Trojan/Compromised sites with no torrents enabled (all paused):

Code: Select all

-Website Data-
Category: Trojan
Domain: 
IP Address: 59.96.37.32
Port: 39240
Type: Outbound
File: C:\Program Files (x86)\qBittorrent\qbittorrent.exe

-Website Data-
Category: Compromised
Domain: 
IP Address: 59.92.182.118
Port: 11999
Type: Outbound
File: C:\Program Files (x86)\qBittorrent\qbittorrent.exe
Can you please verify or provide the hashes of your qbittorrent.exe and qbittorrent.pdb files?
busthead
Newbie
Newbie
Posts: 7
Joined: Sat Sep 30, 2017 10:01 pm

Re: Suspicious DNS Queries

Post by busthead »

It appears the malicious connection attempts originated from a particular torrent and that a routing issue was responsible for the connections hitting my internal IDS rather than being sent out the VPN tunnel.

Therefore, I don't believe the qBittorrent client has been compromised.

Hope this helps anyone else who runs into this kind of issue.
Post Reply