Last Updated: 2015-05-19 20:36:01 UTC
by Johannes Ullrich (Version: 1)
Thanks to Xavier for bringing this to our attention. It looks like a couple of days ago, a legitimate Microsoft host name, settings-win.data.microsoft.com, started to resolve to a Microsoft IP that is commonly used for the blackholes that Microsoft operates:
$ host settings-win.data.microsoft.com
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 220.127.116.11
Connecting to a blackhole IP like this is often an indicator of compromise, and many IDSs will flag it. For example:
[**] [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - 18.104.22.168/24 [**] [Classification: A Network Trojan was detected] [Priority: 1] ...
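As an added example (not part of the original diary), the script below applies the two checks discussed above to `host` output: a CNAME chain that advertises a blackhole, and an answer that lands in the netblock quoted by the ET signature. The sinkhole list and the sample resolutions are constructed for the example (the first sample reproduces the chain shown above).

```python
import ipaddress
import re

# Sinkhole netblock taken from the ET "DNS Reply Sinkhole - Microsoft" alert above;
# in practice this list would be fed from your threat-intel source.
SINKHOLE_NETS = [ipaddress.ip_network("18.104.22.168/24", strict=False)]

# `host` prints one alias hop per line, then the final address records.
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)\.$")
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Return (list of names in the CNAME chain, list of resolved addresses)."""
    chain, addrs = [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := ALIAS_RE.match(line):
            if not chain:
                chain.append(m.group(1))  # the name that was queried
            chain.append(m.group(2))  # the target of this alias hop
        elif m := ADDR_RE.match(line):
            addrs.append(ipaddress.ip_address(m.group(2)))
    return chain, addrs


def sinkhole_findings(text):
    """List the reasons a resolution looks like a sinkhole hit (empty if clean)."""
    chain, addrs = parse_host_output(text)
    findings = []
    # Indicator 1: a hop in the CNAME chain whose name advertises a blackhole/sinkhole.
    for name in chain:
        if re.search(r"blackhole|sinkhole", name, re.IGNORECASE):
            findings.append(f"cname chain reaches {name}")
    # Indicator 2: the final answer sits inside a known sinkhole netblock.
    for addr in addrs:
        for net in SINKHOLE_NETS:
            if addr in net:
                findings.append(f"{addr} is in sinkhole range {net}")
    return findings


# Constructed samples: the chain observed above, an answer inside the signature's
# netblock with no tell-tale name, and a clean resolution (TEST-NET-1 address).
SAMPLE_OBSERVED = """
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 220.127.116.11
"""
SAMPLE_RANGE_ONLY = "telemetry.example.invalid has address 18.104.22.200\n"
SAMPLE_CLEAN = "www.example.invalid has address 192.0.2.10\n"
```

Note that the observed chain is flagged by the name heuristic alone; its address 220.127.116.11 is outside the /24 the signature names, which is why both checks are worth running.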
It is not yet clear which process is making the connection to this IP on port 443, but a number of other users are reporting similar issues. For example, see here:
At this point, I am assuming that this is some kind of configuration error at Microsoft.