Unknown Trojan (reaching out to kicker555.no-ip.info)
Hey all, long time no see.
I've discovered a trojan that may include a keylogger on one of my computers today. Quite by accident while repairing some damage done to my DSL modem (my fault!), I noticed it logs the addresses of all websites that computers on my internal network are trying to reach.
Watching my traffic with Wireshark, I notice a number of DNS resolution queries for kicker555.no-ip.info. That's a dynamic domain provider, resolving the particular domain to 18.104.22.168 (as of today). After the resolution completes, the infected PC contacts that IP address on port 81. A scan of that address/port shows it to be filtered, with a service running (nmap reports it as hosts2-ns - a nameserver?).
I suspect there may be a keylogger because a Google search on some terms (like the IP address and DNS name) has returned a few results - some saw files with their keystrokes.
There's very, very little information out there; no one has really removed or researched it. Of course, SpyBot S&D and Symantec AV find nothing.
Any suggestions? I'd like to figure out what running services are triggering those DNS queries, where the binaries exist, and eventually how I got them here.
At this point I've used my network hardware to block any activity to those domains, but I know the trojan is still active on this system.
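As an added example (not from the original poster), the kind of correlation a defender can script over DNS and connection logs exported from a capture like the one described: flag lookups of dynamic-DNS names, remember the addresses they resolve to, and alert when a host then connects to one of those addresses. The log layout, the suffix watchlist and the second host's traffic are constructed for the example; the domain, IP and port are those reported in the post.

```python
from typing import Dict, List

# Dynamic-DNS suffixes worth watching (assumption: a short illustrative list).
DYNDNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".dyndns.org")

# Constructed sample log in a "time src proto detail" layout (not real capture output).
SAMPLE_LOG = """\
10:00:01 192.168.1.10 DNS query kicker555.no-ip.info
10:00:01 192.168.1.10 DNS answer kicker555.no-ip.info 18.104.22.168
10:00:02 192.168.1.10 TCP 18.104.22.168:81
10:00:05 192.168.1.11 DNS query www.example.com
10:00:05 192.168.1.11 DNS answer www.example.com 203.0.113.5
10:00:06 192.168.1.11 TCP 203.0.113.5:443
"""


def is_dyndns(name: str) -> bool:
    """True when the queried name sits under a watched dynamic-DNS provider."""
    return name.lower().endswith(DYNDNS_SUFFIXES)


def correlate(log: str) -> List[str]:
    """Return alerts for dyn-DNS lookups and follow-on connections to the resolved IPs."""
    watched: Dict[str, str] = {}  # resolved IP -> dyn-DNS name that produced it
    alerts: List[str] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, proto = parts[0], parts[1], parts[2]
        if proto == "DNS" and parts[3] == "query" and len(parts) >= 5:
            if is_dyndns(parts[4]):
                alerts.append(f"{ts} {src} dyn-DNS lookup {parts[4]}")
        elif proto == "DNS" and parts[3] == "answer" and len(parts) >= 6:
            if is_dyndns(parts[4]):
                watched[parts[5]] = parts[4]  # remember where the name pointed
        elif proto == "TCP":
            ip, port = parts[3].rsplit(":", 1)
            if ip in watched:  # connection to an address a dyn-DNS name resolved to
                alerts.append(f"{ts} {src} connected to {ip}:{port} ({watched[ip]})")
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The source host in each alert is the one to inspect for the process issuing the lookups; the second host's ordinary lookup and HTTPS connection produce no alert.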