13:19:30 dnsmasq[1211]: query[A] s.update.fbsbx.com from 192.168.50.142
13:19:30 dnsmasq[1211]: forwarded s.update.fbsbx.com to 127.0.0.1
13:19:30 dnsmasq[1211]: reply s.update.fbsbx.com is <CNAME>
13:19:30 dnsmasq[1211]: reply s.agentanalytics.com is <CNAME>
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.20.233.11
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.170.177.215
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 34.235.44.232
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 34.194.252.192
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.206.130.128
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.202.107.183
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.209.97.44
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.173.82.169
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 23.22.178.204
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.206.103.1
Per https://www.robtex.com/dns-lookup/s.update.fbsbx.com, s.update.fbsbx.com is a CNAME to s.agentanalytics.com, though it has far more IP addresses (as noted above) than are listed on the Robtex website. The ONLY responses for s.update.fbsbx.com are to s.agentanalytics.com. The only way to block these requests via hosts is to block s.update.fbsbx.com, because the CNAME response is not within the parent zone; stub resolvers cannot block incoming wildcard domains, only the parent domain.

An incredibly sophisticated banking credential theft trojan sniffs this domain:
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0

The trojan connects to or sniffs s.update.fbsbx.com analytics. The fact that a banking trojan wants access to Facebook analytics over this domain should raise a red flag about what may already be flowing over this domain to Facebook.

So far tested for reproduction: browse Facebook on a desktop/laptop PC in Chrome.
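The hosts-file point above (only the queried name can be matched by a client's stub resolver, never the CNAME target returned upstream) can be checked directly against dnsmasq's log. The following is an added example, not code from the post or from dnsmasq: it parses a constructed copy of the log lines above (with the `<CNAME>` marker that dnsmasq prints on a CNAME reply, which the forum rendering stripped), reconstructs the alias chain and the final A records, and compares what a client-side hosts entry blocks with what an answer-inspecting resolver blocklist blocks. The "parent zone" test uses a naive last-two-labels guess (no public-suffix list), which is an assumption for illustration only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample: the dnsmasq lines from the post, with dnsmasq's own
# "<CNAME>" marker restored on the alias replies.
SAMPLE_LOG = """\
13:19:30 dnsmasq[1211]: query[A] s.update.fbsbx.com from 192.168.50.142
13:19:30 dnsmasq[1211]: forwarded s.update.fbsbx.com to 127.0.0.1
13:19:30 dnsmasq[1211]: reply s.update.fbsbx.com is <CNAME>
13:19:30 dnsmasq[1211]: reply s.agentanalytics.com is <CNAME>
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.20.233.11
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.170.177.215
"""

# Matches "query[TYPE] NAME from CLIENT", "forwarded NAME to SERVER" and
# "reply NAME is VALUE"; the prefix (timestamp/host) is ignored.
LINE_RE = re.compile(
    r"^.*?dnsmasq\[\d+\]: (?P<kind>query\[\w+\]|forwarded|reply) "
    r"(?P<name>\S+) (?:from|to|is) (?P<rest>.+)$"
)


@dataclass
class Resolution:
    client: str
    qname: str                                   # name the client asked for
    chain: List[str] = field(default_factory=list)   # qname, then each CNAME target
    addresses: List[str] = field(default_factory=list)


def parse_dnsmasq(log: str) -> List[Resolution]:
    """Group dnsmasq query/reply lines into per-query resolutions.

    Simplification (assumption): replies are attributed to the most recent
    query, so interleaved queries from several clients are not separated.
    """
    results: List[Resolution] = []
    current = None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, name, rest = m.group("kind"), m.group("name"), m.group("rest")
        if kind.startswith("query"):
            current = Resolution(client=rest, qname=name, chain=[name])
            results.append(current)
        elif kind == "reply" and current is not None:
            if name not in current.chain:
                current.chain.append(name)       # a new CNAME target
            if rest != "<CNAME>":
                current.addresses.append(rest)   # final A record
    return results


def blocked_by_hosts(res: Resolution, hosts_names: Set[str]) -> bool:
    """Client-side /etc/hosts: the stub resolver only consults the name the
    application asked for, so a CNAME target in the answer never matches."""
    return res.qname in hosts_names


def blocked_by_resolver(res: Resolution, blocklist: Set[str]) -> bool:
    """A blocking resolver that inspects the whole answer can match the
    queried name or any CNAME target along the chain."""
    return any(n in blocklist for n in res.chain)


def parent_domain(name: str) -> str:
    # Naive registrable-domain guess: last two labels (assumption, no PSL).
    return ".".join(name.rstrip(".").split(".")[-2:])


def crosses_zone(res: Resolution) -> bool:
    """True when some CNAME target lies outside the queried name's parent zone."""
    qzone = parent_domain(res.qname)
    return any(parent_domain(n) != qzone for n in res.chain[1:])


if __name__ == "__main__":
    for r in parse_dnsmasq(SAMPLE_LOG):
        print(r.client, "asked for", r.qname)
        print("  chain:", " -> ".join(r.chain), "=>", r.addresses)
        print("  leaves parent zone:", crosses_zone(r))
        print("  hosts entry for s.agentanalytics.com blocks it:",
              blocked_by_hosts(r, {"s.agentanalytics.com"}))
        print("  hosts entry for s.update.fbsbx.com blocks it:",
              blocked_by_hosts(r, {"s.update.fbsbx.com"}))
        print("  resolver blocklist with s.agentanalytics.com blocks it:",
              blocked_by_resolver(r, {"s.agentanalytics.com"}))
```

Running it shows the asymmetry the post describes: with only `s.agentanalytics.com` in a client's hosts file the request for `s.update.fbsbx.com` still resolves, while a resolver that inspects the CNAME chain can block on either name.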