Blocking IP address 34.102.136.180. Something to do with WPAD

[ericarcher57 1]

Since the update was applied today 09/09/2020 @13:03. I am getting multiple "Address has been blocked" pop ups related to wpad.dat and all for IP address 34.102.136.180 which seems to belong to Google!

Any Ideas?

[Marcos 5,074]

wpad.co.uk is a parked domain. I, for one, was unable to find any working domain on that IP address. The question is why "wpad" resolves to the blocked IP address.

[ericarcher57 1]

The weird thing is this only started after the detection engine update to 21960, today. They are all being blocked by the anti-phishing black list which must have had this added to it. 

Prior to that the last block was 2 months ago and was blocking what I would normally expect

[David__B 0]

We have seen the exact same too starting just after 1pm today UK time.

[Marcos 5,074]

The IP address was blocked today; the block is not a problem. What I find surprising is that "wpad" is resolved to the blocked IP address on your machine.

[RyanL 0]

Getting this when trying to open Outlook, it looks like it is GoDaddy's parked domain page

 

[JKay 0]

We've seen a similar issue, found that the root cause was our Cisco Anyconnect clients and how split brain DNS is operating. It seems to be resolving hostnames it cannot contact over the VPN by appending ".co.uk" to them. If I try to ping "WPAD" on the VPN there is a delay while it tries to contact devices over the VPN, then when it fails resolves as "wpad.co.uk". Image shows a machine on the VPN vs off.

I can only assume something similar is happening with the DNS on your clients.

[David__B 0]

The two machines reported to me also were using Cisco Anyconnect....

[ericarcher57 1]

12 minutes ago, JKay said:

We've seen a similar issue, found that the root cause was our Cisco Anyconnect clients and how split brain DNS is operating. It seems to be resolving hostnames it cannot contact over the VPN by appending ".co.uk" to them. If I try to ping "WPAD" on the VPN there is a delay while it tries to contact devices over the VPN, then when it fails resolves as "wpad.co.uk". Image shows a machine on the VPN vs off.

I can only assume something similar is happening with the DNS on your clients.

Spot on!

I am using AnyConnect too, when I drop the VPN I get "wpad" resolving correctly to "wpad.mydomain.co.uk" as it should. When connected it resolves to the blocked IP

[Marcos 5,074]

For now we'll unblock the IP address and discuss it internally later.

[David__B 0]

So is this an Eset issue or a Cisco Anyconnect issue?

[David__B 0]

3 minutes ago, Marcos said:

For now we'll unblock the IP address and discuss it internally later.

Is that going to have unintended consequences?  What if someone now registers that domain?  

Edited September 9, 2020 by David__B

[RyanL 0]

12 minutes ago, Marcos said:

For now we'll unblock the IP address and discuss it internally later.

how long will that take to be updated to the installed Eset client

[JKay 0]

4 minutes ago, David__B said:

So is this an Eset issue or a Cisco Anyconnect issue?

The ESET alerts are just a side effect since they blocked the domain. It would seem that our and by the looks of it a handful of other companies using split tunneling on their client VPN's have had their machines attempting to resolve wpad.co.uk as a side effect. We're only now just realising it due to the alert from ESET.

I'd check with your networking team to find out what part of split tunnelling is causing it to re-resolve hostnames it cant contact by appending .co.uk to them. The image shows that this affects any hostname it cannot first resolve on its own, as pinging google ends up resolving an address for google.co.uk

[ericarcher57 1]

We are not using split tunnelling on our VPN (we need to remote onto customer sites and need to use our Office public IP), so I don't think it's actually Split Tunnelling causing it.

There are some users who are not having this issue, when they ping "wpad" off the VPN it adds our company domain to it and it resolves as expected. When they are on the VPN it does not resolve at all, so I assume it is not adding the ".co.uk" to it.

The only difference I can see is that the effected PC's are running the 2004 build of Win 10 and the ones that are working OK are running the 1903 build. All other aspects of the VPN are the same.

 

We are going to upgrade a PC from 1903 to 2004 overnight and see what happens

Edited September 9, 2020 by ericarcher57

[JKay 0]

You seem to be right about the split tunnel, I jumped the gun on that with it being the cause of our troubles before.

Taking some time to look at it again this morning I can see that when we connect to our VPN "co.uk" is added to the DNS suffix search list which is what is causing strange resolution:

I'm still looking into what mechanism is inserting "co.uk" in there in the first place. 

[TomPark 4]

Hi Guys, 
A quick question are all of these machines that are affected domain joined machines?

Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?

Regards,

Edited September 10, 2020 by TomPark

[David__B 0]

13 minutes ago, TomPark said:

Hi Guys, 
A quick question are all of these machines that are affected domain joined machines?

Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?

Regards,

19 hours ago, ericarcher57 said:

 

Hi Tom,

 

Domain joined yes, interestingly our IT support provider does not get the same DNS suffix "co.uk" as we do with domain joined computers working remotely.  Unsure about your second question, that's over my head but will ask our third party netowrk support.

[ericarcher57 1]

55 minutes ago, TomPark said:

Hi Guys, 
A quick question are all of these machines that are affected domain joined machines?

Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?

Regards,

Tom,

 

Yes the machines are all joined on the domain, and we do  not use any proxy configuration using wpad.

 

It's Like Jkay said, the Cisco Anyconnect client is adding the ".co.uk" suffix to the DNS Search list, but only when it is connected. I can remove the entry manually form the adaptor settings when connected and everything is fine. As soon as the VPN re-connects the extra suffix is added back again.

 

I have gone over our Cisco configuration, I can find our main company domain entry but there is nowhere I can find the ".co.uk" entry.

[TomPark 4]

Hi All,

Thank you for the information, like has already been said I think the notification from ESET is a side affect of something else that is changing the domain suffix when connect to the VPN.

Something that might be of consideration is disabling the 'Auto-Detect' proxy configuration in Chrome / IE which will then stop the browser from looking for these configurations as 'wpad.domain.com' is the default search browser use if this setting is enabled and the information is not provided via DHCP. This should fix the issue for anyone that is still seeing this on their machine. Please note to disable the setting a browser restart will be required.

As @Marcos said the IP will be unblocked, if anyone is able to test the solution above that would be appreciated. 

Regards,

[JKay 0]

I've opened up a Cisco TAC to see if they can pin down what part of the VPN configuration or issue with the AnyConnect client is causing "co.uk" to be injected into the DNS Suffix Search List as this is the root cause for us at least. I'll drop back once they have some information for us.

[itman 1,659]

This is related to WPAD DNS activity:

Quote

DNS WPAD

DNS WPAD is a method of detecting a PAC file via discovery by leveraging the network name of the user computer and using a consistent DNS configuration and PAC script file name. DNS WPAD is the most widely supported method, with support across all major browsers and operating systems.

Prerequisites include a PAC file, web server, and a locally access DNS hostname to point to the web server.

Example

• In the below example, the network name of the user computer is laptop01.us.division.company.com.
• A PAC file with the file name wpad.dat is being served by a web server on the host wpad.company.com.
• A DNS WPAD enabled browser will remove the machine name (laptop01), apply wpad to the network name, and apply as a suffix the file resource /wpad.dat, e.g. http://wpad.us.division.company.com/wpad.dat.
• The browser will try to download the PAC file from the location http://wpad.us.division.company.com/wpad.dat.
• If the web browser is unable to resolve the host wpad.us.division.company.com, it will progress through the sub-domain node hierarchy and attempt to download the wpad.dat file from the host wpad.division.company.com, and so on until the lowest valid node is reached, wpad.company.com.

https://findproxyforurl.com/wpad-introduction/

Appears WPAD has a number of security risks with the recommendation it be permanently disabled if not using IE11 or Edge as your browser: https://auth0.com/blog/heads-up-https-is-not-enough-when-using-wpad/

Edited September 10, 2020 by itman

[itman 1,659]

Per Robtex lookup, IP address, 34.102.136.180, has one PTR, 180.136.102.34.bc.googleusercontent.com. 

However, ThreatMiner listed a number of nasty URL's associated with it:

Quote

Last Seen                                                                        URL

[object Object]    hxxps://chegoudiadedestaquesdomes.com/PLKSmNzXm/987874/aproveite/594857246/?conjunto-de-panela-antiaderente-turin-10-pe%C3%A7as-vermelha-tramontina-%26skullid%3D285676427
[object Object]    hxxps://chegoudiadedestaquesdomes.com/PLKSmNzXm/987874/aproveite/774445698/?conjunto-de-panela-antiaderente-turin-10-pe%C3%A7as-vermelha-tramontina-%26skullid%3D285676427
[object Object]    hxxps://chegoudiadedestaquesdomes.com/PLKSmNzXm/987874/aproveite/186742936/?conjunto-de-panela-antiaderente-turin-10-pe%C3%A7as-vermelha-tramontina-%26skullid%3D285676427
[object Object]    hxxps://hxxpssirvulcan.org/
[object Object]    hxxps://lewisthompsonelectric.com/a98dssa7dsa98d98sad09sa.php
[object Object]    hxxps://sendercompany.net/LinkedinD/linkedin.html
[object Object]    hxxps://mysportscraze.com/ChaseSupport/login/auth.php
[object Object]    hxxps://mlmpreis.com/verizon.net/newdr/o1/main.html?accessToFile=accessing&fileAccess=15602&encryptedCookie=35af82d97fb9fbea36b5c2bdfffd28df&u=61004ccd89a0fd72900c6cb53471c0d0&connecting=ee4a7a01bece3e9af2344ac82ae4596a&phaseAccess=27cd03582c17bf852365043c7bce7b30&p=ca9c37b5756817ecbd1e39e94f585447
[object Object]    hxxps://mlmpreis.com/verizon.net/newdr/o1
[object Object]    hxxp://ofertas2020-submarino.club
[object Object]    hxxps://b-sfr.com/
[object Object]    hxxps://newyears-eve.com/ex/cel/page.php?email=
[object Object]    hxxps://newyears-eve.com/ex/cel/page.php?email=&_rand=13vqcr8bp0gud&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
[object Object]    hxxps://newyears-eve.com/ex/cel/login.php?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid_13InboxLight_aspxn_1774256418=&fid_125289964252813InboxLight99642_Product-email=&email=
[object Object]    hxxps://paypal-newlogin.com/
[object Object]    hxxp://saldao-dobahianinho.com
[object Object]    hxxp://anoperfeitopravc.com/mobile/carrinho.php
[object Object]    hxxp://saldaoobahianinho.com/mobile/login.php
[object Object]    hxxp://saldomaiobahianinho.com/mobile/carrinho.php
[object Object]    hxxp://djchewalk.net/canada/taxb

 

 

Edited September 10, 2020 by itman

[itman 1,659]

Here's a "deep dive" by Google's Project Zero into exploiting WPAD:

Quote

aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript

https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html