False Positive? settings-win.data.microsoft.com resolving to Microsoft Blackhole IP

Published: 2015-05-19
Last Updated: 2015-05-19 20:36:01 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Thanks to Xavier for bringing this to our attention. It looks like a couple of days ago, a legitimate Microsoft host name, settings-win.data.microsoft.com, started to resolve to a Microsoft IP that is commonly used for blackholes that Microsoft operates:

$ host settings-win.data.microsoft.com
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 131.253.18.253

Connecting to a blackhole IP like this is often an indicator of compromise, and many IDSs will flag it. For example, the Emerging Threats rule below fires on DNS replies pointing into the 131.253.18.0/24 range:

[**] [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24 [**] [Classification: A Network Trojan was detected] [Priority: 1] ...
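To triage an alert like the one above without waiting on the IDS, a defender can replay the `host` output for the name in question and check whether the alias chain ends in the sinkhole range the ET rule names. The script below is an added example for this diary, not code from the ISC or from Microsoft: it parses `host`-style output (the sample input is the three lines shown above, plus a constructed benign record in the reserved 192.0.2.0/24 documentation range), follows the CNAME chain with a loop guard, and flags the name if the final address falls inside 131.253.18.0/24 or if any hostname in the chain contains "blackhole". The network list and the "blackhole" name heuristic are assumptions for illustration; extend them with whatever sinkhole ranges your own IDS rules track.

```python
import ipaddress
import re

# Sinkhole range taken from the ET rule quoted in the diary (sid 2016101).
# Assumption: this is the only range we care about; add others as needed.
MS_SINKHOLE_NETS = [ipaddress.ip_network("131.253.18.0/24")]

# Lines as printed by the `host` command (IPv4 and IPv6 forms).
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)$")
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")

# Sample input: the resolution shown in the diary.
SAMPLE_HOST_OUTPUT = """\
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 131.253.18.253
"""

# Constructed benign input (documentation range, not a real host).
BENIGN_HOST_OUTPUT = """\
www.example.invalid is an alias for cdn.example.invalid.
cdn.example.invalid has address 192.0.2.10
"""


def parse_host_output(text):
    """Split `host` output into an alias map (CNAME) and an address map (A/AAAA)."""
    aliases = {}
    addrs = {}
    for line in text.splitlines():
        line = line.strip()
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1).rstrip(".")] = m.group(2).rstrip(".")
            continue
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1).rstrip("."), []).append(m.group(2))
    return aliases, addrs


def resolve_chain(name, aliases, max_hops=10):
    """Follow the CNAME chain from `name`; stop on a loop or after max_hops."""
    chain = [name]
    seen = {name}
    while chain[-1] in aliases and len(chain) <= max_hops:
        nxt = aliases[chain[-1]]
        if nxt in seen:
            break  # CNAME loop: stop rather than spin
        chain.append(nxt)
        seen.add(nxt)
    return chain


def check_sinkhole(text, name):
    """Return (flagged, chain, addresses) for `name` given `host` output.

    flagged is True when the final address is inside a known sinkhole
    range or when any name in the chain carries the 'blackhole' label.
    """
    aliases, addrs = parse_host_output(text)
    chain = resolve_chain(name, aliases)
    ips = addrs.get(chain[-1], [])
    in_sinkhole = any(
        ipaddress.ip_address(ip) in net for ip in ips for net in MS_SINKHOLE_NETS
    )
    named_blackhole = any("blackhole" in hop.lower() for hop in chain)
    return (in_sinkhole or named_blackhole), chain, ips


if __name__ == "__main__":
    for label, text, name in (
        ("diary sample", SAMPLE_HOST_OUTPUT, "settings-win.data.microsoft.com"),
        ("benign sample", BENIGN_HOST_OUTPUT, "www.example.invalid"),
    ):
        flagged, chain, ips = check_sinkhole(text, name)
        status = "SINKHOLE" if flagged else "ok"
        print(f"{label}: {status}  {' -> '.join(chain)}  {ips}")
```

Because the diary's own conclusion is that this is most likely a configuration error on Microsoft's side, treat a hit from this check as a lead for investigation (which process on the host made the port 443 connection, and to which name) rather than as grounds to block the range outright.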

It is not yet clear what process causes the connection to this IP on port 443. But a number of other users are reporting similar issues. For example, see here:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/37aecee6-0df9-4234-8159-c632070478ad/strange-dns-requests-blocked-by-ips?forum=winserversecurity

At this point, I am assuming that this is some kind of configuration error at Microsoft.

---
Johannes B. Ullrich, Ph.D.
