A security administrator has completed a monthly review of DNS server query logs. The administrator notices continuous name resolution attempts from a large number of internal hosts to a single Internet addressable domain name. The security administrator then correlated those logs with the establishment of persistent TCP connections out to this domain. The connections seem to be carrying on the order of kilobytes of data per week.
Which of the following is the MOST likely explanation for this anomaly?
A. An attacker is infiltrating large amounts of proprietary company data.
B. Employees are playing multiplayer computer games.
C. A worm is attempting to spread to other hosts via SMB exploits.
D. Internal hosts have become members of a botnet.