Suspicious DNS Queries

[busthead]

Starting this week every time I launch qBittorrent my network IDS picks up a suspicious DNS query for a .tk .top or .pw domain.

Strangely, the DNS requests are sent to my internal server even when the host is connected to VPN.

A pre-boot malware scan did not detect anything malicious.

The issue persists after upgrading to the latest version of qBittorrent.

Are these the expected hashes for v4.3.3:

C:\Program Files (x86)\qBittorrent>fciv -md5 qbittorrent.exe
650e716e09b86e8300dddd0d55baae96 qbittorrent.exe

C:\Program Files (x86)\qBittorrent>fciv -md5 qbittorrent.pdb
f5aa356d0874f9e8691b37533143cd46 qbittorrent.pdb

[Peter]

Could be tracker connections? I mean, if you try and just open qBittorrent without any torrent running/being active, I don't think it'll make any such connections.

[busthead]

If 'Options-Advanced-Network interface' is set to my VPN connection, should tracker connections be sent to the DNS server of the underlying LAN?

I installed Malwarebytes and it detected two connections to Trojan/Compromised sites with no torrents enabled (all paused):

Code: Select all

-Website Data-
Category: Trojan
Domain: 
IP Address: 59.96.37.32
Port: 39240
Type: Outbound
File: C:\Program Files (x86)\qBittorrent\qbittorrent.exe

-Website Data-
Category: Compromised
Domain: 
IP Address: 59.92.182.118
Port: 11999
Type: Outbound
File: C:\Program Files (x86)\qBittorrent\qbittorrent.exe

Can you please verify or provide the hashes of your qbittorrent.exe and qbittorrent.pdb files?

[busthead]

It appears the malicious connection attempts originated from a particular torrent and that a routing issue was responsible for the connections hitting my internal IDS rather than being sent out the VPN tunnel.

Therefore, I don't believe the qBittorrent client has been compromised.

Hope this helps anyone else who runs into this kind of issue.