Is my antivirus snooping on me?

A series of unusual traffic events caused my router to raise alarms. This page outlines what I did to find out what was inside those outgoing 160-byte transmissions.

One was a foreign IP address

At least the traffic stays within Europe. That provides a little bit of comfort, but it does not mean much at this point. These suspicious transmissions appear to happen around the same time, at random times of the day. 50% of the outgoing traffic is going in-state, which may suggest it is orchestrated by a large entity with regional presence (think Amazon or Microsoft) for latency control. While these occurrences are mostly random, there are predictable factors in this outbound traffic:

Destination Port

The source port is a high, arbitrary (ephemeral) port, which follows protocol specifications. The destination port is always port 53, DNS.

Startup

This outbound traffic happens every time the computer boots up.

Size

It is most often 160 bytes. Data exfiltration is unlikely if you're only sending 160 bytes at a time.

Familiarity

It was always the same four IP addresses. Once in a while a new random IP would take the place of one of the regulars.
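To turn the four observations above into a repeatable check, here is an added Python example (not code from the original post) that profiles outbound flow records for exactly those traits: the destination port, whether source ports sit in the ephemeral range, the payload size distribution, which destinations recur across bursts versus appear once, and how many bursts line up with a host boot. The flow lines, boot times and field layout are constructed assumptions; a real router's export would need its own parser.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: datetime
    src_port: int
    dst_ip: str
    dst_port: int
    size: int


# Constructed sample flow records in the shape a home router's IDS or flow log
# might export: timestamp, source port, destination IP, destination port, bytes.
# Addresses are from the RFC 5737 documentation ranges; nothing here is real.
SAMPLE_FLOWS = """\
2023-03-01T07:02:11 49213 203.0.113.10 53 160
2023-03-01T07:02:11 49214 203.0.113.11 53 160
2023-03-01T07:02:12 49215 198.51.100.7 53 160
2023-03-01T07:02:12 49216 198.51.100.8 53 160
2023-03-01T13:41:05 51002 203.0.113.10 53 160
2023-03-01T13:41:05 51003 203.0.113.11 53 160
2023-03-01T13:41:06 51004 198.51.100.7 53 176
2023-03-01T13:41:06 51005 192.0.2.55 53 160
2023-03-02T07:05:40 49300 203.0.113.10 53 160
2023-03-02T07:05:40 49301 203.0.113.11 53 160
2023-03-02T07:05:41 49302 198.51.100.7 53 160
2023-03-02T07:05:41 49303 198.51.100.8 53 160
"""

# Constructed host boot times, as one might read them from the system event log.
SAMPLE_BOOTS = ["2023-03-01T07:02:00", "2023-03-02T07:05:30"]


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines into Flow tuples, sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dip, dport, size = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), int(sport), dip, int(dport), int(size)))
    return sorted(flows, key=lambda f: f.ts)


def group_bursts(flows: List[Flow], gap_s: int = 60) -> List[List[Flow]]:
    """Split time-ordered flows into bursts; a gap longer than gap_s starts a new burst."""
    bursts: List[List[Flow]] = []
    for f in flows:
        if bursts and (f.ts - bursts[-1][-1].ts).total_seconds() <= gap_s:
            bursts[-1].append(f)
        else:
            bursts.append([f])
    return bursts


def profile(flows: List[Flow], boot_times: List[str], boot_window_s: int = 120) -> Dict:
    """Summarise the predictable traits of the traffic: ports, sizes, regulars, boot timing."""
    bursts = group_bursts(flows)
    boots = [datetime.fromisoformat(b) for b in boot_times]

    # How many bursts each destination shows up in; "regulars" appear in at
    # least half of the bursts, anything else is an occasional fill-in.
    presence: Counter = Counter()
    for burst in bursts:
        for ip in {f.dst_ip for f in burst}:
            presence[ip] += 1
    regulars = sorted(ip for ip, n in presence.items() if n * 2 >= len(bursts))
    occasional = sorted(ip for ip in presence if ip not in regulars)

    # A burst is "at boot" if it starts within boot_window_s after a boot time.
    bursts_at_boot = sum(
        1 for b in bursts
        if any(0 <= (b[0].ts - t).total_seconds() <= boot_window_s for t in boots)
    )

    return {
        "flows": len(flows),
        "bursts": len(bursts),
        "dst_ports": dict(Counter(f.dst_port for f in flows)),
        # IANA dynamic/ephemeral range; Linux defaults start lower (32768), so adjust if needed.
        "ephemeral_source_ports": all(49152 <= f.src_port <= 65535 for f in flows),
        "sizes": dict(Counter(f.size for f in flows)),
        "regular_destinations": regulars,
        "occasional_destinations": occasional,
        "bursts_at_boot": bursts_at_boot,
    }


if __name__ == "__main__":
    for key, value in profile(parse_flows(SAMPLE_FLOWS), SAMPLE_BOOTS).items():
        print(f"{key:24} {value}")
```

On the constructed data the profile reports every flow going to port 53 from an ephemeral port, a size almost always 160 bytes, four regular destinations plus one occasional one, and two of the three bursts starting right after a boot, which is the same shape of evidence the post describes and the kind of summary worth keeping before deciding whether to escalate.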

Possibly not too malicious

Based on these observable and rather predictable patterns, it seems unlikely that this is caused by some nefarious entity. On the other hand, these repeating behaviors continue to be reported by my home router's IDS, which remains a cause for concern. Malicious software may try multiple methods to mask its existence, such as unpredictable outgoing data transmission, use of non-standard ports, random traffic sizes, and other host-based actions that lead to persistence, such as system file modification.

Shodan

There are multiple tools and websites available for gathering open-source intelligence. My choice for this task was https://shodan.io

Apparently, my location is blocked from accessing the domain name pointing to the IP address.

The first IP address points to the domain http://gn-grs.com. VirusTotal does not report it as malicious.

Find out what is on those DNS transmissions

Since each of these transmissions is predictable, I rerouted all traffic to the reported IP addresses through a machine running Wireshark. Enter the filter 

Breakdown of the DNS packets being sniffed

Following one of the DNS streams finally reveals some readable ASCII.

Traffic does not seem to be a malformed DNS packet

Looking at the rest of the packet transmissions shows another picture. My antivirus happens to be Avast. Maybe it's trying to be cute, or it's trying to report my IP address to Avast.
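For the packet-level step, here is an added Python example (not code from the original post, and not Avast's or Wireshark's) that builds a DNS query and a matching response from scratch, decodes the header, question and answer sections (including the RFC 1035 name-compression pointers a response uses), pulls out the readable ASCII runs that the stream view exposes, and reports whether a datagram parses cleanly as DNS or is malformed. The query name www.example.com and the answer address 192.0.2.1 are constructed values.

```python
import socket
import struct
from typing import Dict, List, Tuple

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 16: "TXT", 28: "AAAA"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query, recursion desired, one question (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Answer a query with a single A record; the answer name is a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ipv4)
    return header + query[12:] + answer


def read_name(data: bytes, offset: int, depth: int = 0) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers with a loop guard."""
    if depth > 10:
        raise ValueError("compression pointer loop")
    labels: List[str] = []
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of packet")
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer into the packet
            if offset + 2 > len(data):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = read_name(data, ptr, depth + 1)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        label = data[offset + 1:offset + 1 + length]
        if len(label) < length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        offset += 1 + length


def parse_dns(data: bytes) -> Dict:
    """Decode header, questions and answers; raise ValueError/struct.error if malformed."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append({"name": name, "type": QTYPE_NAMES.get(qtype, qtype), "class": qclass})
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if len(rdata) < rdlen:
            raise ValueError("truncated rdata")
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": QTYPE_NAMES.get(rtype, rtype), "ttl": ttl, "data": value})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers, "trailing_bytes": len(data) - off}


def is_well_formed(data: bytes) -> bool:
    """True when the datagram decodes as DNS with no bytes left over."""
    try:
        return parse_dns(data)["trailing_bytes"] == 0
    except (ValueError, struct.error):
        return False


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Extract runs of printable ASCII, the way strings(1) or a stream view shows them."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # sentinel flushes the final run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


if __name__ == "__main__":
    q = build_query("www.example.com")
    r = build_response(q, "192.0.2.1")
    print(parse_dns(q))
    print(parse_dns(r))
    print("readable:", printable_strings(q, min_len=3), "well-formed:", is_well_formed(r))
```

The readable strings in a query are just its labels, which is why a DNS stream suddenly looks like plain text once you follow it; the well-formedness check is what separates a legitimate resolver probe from a payload that merely borrows port 53.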


I reached out to Avast to find out what was happening. An Avast representative responded and explained it was a security feature of Avast One.

Avast One includes a feature called Web Hijack Guard. Web Hijack Guard secures you against Domain Name System (DNS) hijacking. DNS hijacking is a type of malicious attack that attempts to redirect you from the website you want to visit to a fake one that may look just like it. Hackers utilize fake websites to steal your sensitive personal information, such as usernames, passwords, and credit card details. - Miroslav