Adding to this, cursory lookup of
CN.KING.CD shows that it has been used in the past to serve up malware (see:
http://blog.fireeye.com/research/2009/04/botnetweb-part-ii.html).
On Sun, Feb 7, 2010 at 10:11 AM, Stuart Kendrick
<skendric@xxxxxxxxx> wrote:
No, I haven't. Windows boxes broadcast NBNS look-ups and announcements for a
range of reasons, and chatter in this fashion with a loquacity I find
astonishing. But I haven't seen a single station broadcast with that frequency
(every few seconds) nor look-up the NetBIOS name 'CN.KING.CD'.
If I had to guess, I would make the same guess you are making. Sounds like you
have a bunch of boxes infected with some flavor of malware, (though I don't know
why that malware is performing CN.KING.CD look-ups every few seconds, nor why it
is using NBNS rather than DNS).
Brain-storming here: you could gather a list of the infected IP addresses using
Wireshark, then perform NBNS look-ups on those addresses:
C:\temp>nbtstat -A 10.11.88.152
Hutch:
Node IpAddress: [10.11.88.152] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
SALLY <00> UNIQUE Registered
FHCRC <00> GROUP Registered
SALLY <20> UNIQUE Registered
FHCRC <1E> GROUP Registered
MAC Address = 00-1A-A0-AF-A5-A9
C:\temp>
That gets you the NetBIOS name ('Sally') of the infected machine. With a little
local knowledge, perhaps you can track a NetBIOS name down to a physical location.
hth,
--sk
>
> Hi, I'm new to the list and thought I'd give this question a try.
>
>
> Has anyone seen a NBNS Broadcast where all the nodes on a link/ subnet are
> sending NBNS broadcasts with the following listed in Wireshark's
> "Info" column: "Name query NB
CN.KING.CD<00>"
