I have received a message from my network administrator that my computer is sending a lot of malformed DNS requests. I have absolutely no trace of this traffic in firewall logs and it shows up sporadically, so it’s kind of hard to catch. After a bit of googling, Comodo forums (link: https://forums.comodo.com/computer_firewalls/cmdagentexe_and_executive_undelete-t15168.0.html;msg105490) came up with exactly the same address that is showing up in my case, which suggests it might be related to Comodo.
Can anyone verify this or confirm that this is not a firewall issue, but rather malware?
The address is 188.8.131.52 (62.f5.344a.static.theplanet.com), port is 53, protocol is UDP, firewall is Comodo v184.108.40.2068.
Is that address correct for your network DNS server? Check your log to see if something is coming back from there (or any port 53) and being blocked. Sometimes you get a lot of retries if that is the case. What is malformed about the packets? UDP is about as simple as it gets, unless you consider multiple retries as malformed.
Thanks for the quick response:
Ad 1) No, that address is completely unknown and certainly not related to my network.
Ad 2) Nothing is coming back since the network firewall is dropping the outgoing packets.
Ad 3) The network firewall complains “label length 85 bytes exceeds protocol limit of 63 bytes”.
In the meantime, I succeeded in capturing one batch of these packets off the wire and Ethereal/Wireshark complains “unknown operation (6)” and generally qualifies the packets as malformed DNS.
The reason I decided to ask here is that the address these requests are sent to appears in the topic I linked in my previous post, i.e. the original poster seems to think these connections might be associated with Comodo (maybe update?).
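The two complaints quoted above (a label longer than 63 bytes and an opcode that Wireshark does not recognise) are both checks a defender can run over a captured UDP/53 payload. The following is an added example, not code from this thread or from Comodo; the packets it inspects are constructed to reproduce the two symptoms, not captured traffic.

```python
import struct

# Opcodes assigned in the DNS header: QUERY, IQUERY, STATUS, NOTIFY, UPDATE (RFC 1035 and later RFCs)
KNOWN_OPCODES = {0, 1, 2, 4, 5}
MAX_LABEL_LEN = 63  # RFC 1035 section 2.3.4

def check_dns_packet(data: bytes) -> list:
    """Return the problems found in a DNS message; an empty list means it looks well-formed."""
    problems = []
    if len(data) < 12:
        return ["header shorter than 12 bytes"]
    _id, flags, qdcount = struct.unpack("!HHH", data[:6])
    opcode = (flags >> 11) & 0xF
    if opcode not in KNOWN_OPCODES:
        problems.append(f"unknown operation ({opcode})")
    pos = 12
    for _ in range(qdcount):
        while True:  # walk the labels of one QNAME
            if pos >= len(data):
                problems.append("name runs past end of packet")
                return problems
            length = data[pos]
            if length == 0:          # root label ends the name
                pos += 1
                break
            if length & 0xC0 == 0xC0:  # compression pointer: two bytes, also ends the name
                pos += 2
                break
            if length > MAX_LABEL_LEN:
                problems.append(f"label length {length} bytes exceeds protocol limit of {MAX_LABEL_LEN} bytes")
            pos += 1 + length
        pos += 4  # QTYPE + QCLASS
    return problems

def build_query(name_labels, opcode=0):
    """Build a minimal one-question DNS message (constructed test input, hypothetical name)."""
    flags = (opcode & 0xF) << 11
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in name_labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    good = build_query([b"update", b"example", b"com"])
    bad = build_query([b"a" * 85, b"example", b"com"], opcode=6)
    print(check_dns_packet(good))  # []
    print(check_dns_packet(bad))   # the two complaints seen in the thread
```

Feeding the UDP payload of each outgoing port-53 packet to check_dns_packet gives a per-packet verdict that can be logged alongside the sending process once that is known.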
I think I’ve heard about theplanet.com serving for updates of Comodo products. No idea about malformation.
Some quandaries: 1) What is the application that is issuing these requests? If this address is not your name server, why is it getting DNS requests at all? What application thinks it is a name server? The only address for DNS requests should come from your NIC. When you connect, you either have a fixed IP address for your name server or get one from the network. 2) The longer header indicates maybe some tie with IP version 6. Is your system using it anywhere? You can check the packet structure if you captured it with Ethereal; IP v6 and IP v4 datagrams are different enough you should be able to tell.
Sure looks like malware to us amateurs; don’t know how a firewall could spoof a DNS. Good luck; Ed.
I think I've heard about theplanet.com serving for updates of Comodo products.
This is useful info. Anyone can verify this? Perhaps someone from Comodo?
What is the application that is issuing these requests?
That is something I’d like to know as well. Perhaps Comodo firewall itself. Perhaps malware. It’s not constantly active, so it’s not likely to remain in the list of active connections (right now, there is nothing suspicious). When it fires, it sends up to 20 packets per minute to the specified IP address.
And just to answer the last question, no, the system has nothing to do with IPv6. Never used it, never configured it, and besides, Windows XP doesn’t even fully support IPv6.
Thanks for the suggestions anyway.
Does nothing appear in the log under Firewall/Common Tasks/firewall events? What is listed as the application? Go to the command prompt and type ipconfig /all for a list of your DNS servers. Is this address on it? To see if it is Comodo, go to miscellaneous/settings/updates and uncheck all that stuff. I don’t use them, so maybe a bug there?
Ok, the mystery is resolved. I created a rule to block & log everything going out to that IP address and after a while events started flowing in. Apparently, the application sending these packets is exactly Comodo firewall, or more specifically, cmdagent.exe. Now, why would cmdagent.exe send broken DNS (UDP port 53) packets to some weird address on the Internet such as 62.f5.344a.static.theplanet.com, I have no idea, but would really like to know. And especially why it never asked me for permission to phone back to Comodo.
For now, I have taken the advice and disabled all update options, but without some better explanation why the update is using broken DNS packets instead of a more common protocol like HTTP and why the address in question seems very malware-like instead of, for example, update.comodo.com, Comodo firewall is probably on its way to get expressly removed from my system.
Below are a few entries from the log, sorry for html.