Jon Posted October 1, 2003
Bugtraq has received a load of posts today regarding the suspicious change of DNS server IP address on Win2k/XP. The DNS Server IP address has been seen to change to 216.127.92.38 and 69.51.146.14, with the following key added:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

This is in the real early stages, nobody knows quite what's going on, but it's enough to say that if you admin a network and are having problems, check your DNS settings.
-=||MIKE||=- Posted October 1, 2003
Thanks for the heads up :)
John Teacake (MVC) Posted October 1, 2003
So what's this, a virus that changes the DNS setting?
Jon (Author) Posted October 1, 2003
Well, we'll see tomorrow when the bugtraq replies have been analysed. It looks like it; redirecting the DNS queries to a malicious DNS server on the net is a GREAT way to mass DDoS the entire internet.
fjv Posted October 1, 2003
Is there any bit of more info? fjv
me101 (Veteran) Posted October 1, 2003
It's actually NTBugtraq not bugtraq... anywho, here are more details... Russ/NTBugtraq has "confirmed" that there is indeed a problem...
http://www.ntbugtraq.com/default.asp?pid=3...&D=0&F=P&P=1879

Date: Wed, 1 Oct 2003 11:04:33 -0400
From: Russ <Russ.Cooper:nospam.RC.ON.CA>
Subject: Re: Something changing DNS server settings - confirmed

I just want to let you know that sufficient people have noticed this problem to convince me it is something new which has begun sometime since yesterday (at least that's the earliest reference I have so far). I would appreciate it if anyone who has a machine with these entries (or similar entries which look invalid) send me those entries. I would encourage everyone to check to see if they have these entries, or similar, and report back to me or the list. All reports will be kept confidential. TruSecure is currently checking our AV contacts to see if any binaries have been submitted which cause this. More information as we get it.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

And here are the main details so far on this...
http://www.ntbugtraq.com/default.asp?pid=3...&D=0&F=P&P=1048

Date: Wed, 1 Oct 2003 16:07:22 +1200
From: Shannon <bip0dbrm001:nospam.SNEAKEMAIL.COM>
Subject: Something changing DNS server settings

We're having a strange thing in our domain. Various Windows 2000 Professional workstations are changing the DNS servers they are configured to use. So far observed are spontaneously changing to 216.127.92.38 and 69.51.146.14. (Neither IP correctly reverse looks up, but both are hosted on "ev1.net".) Due to our network topology, this breaks things pretty quickly as these servers cannot resolve our internal DNS. (The former address is still responding as a DNS server, but the second is not as far as I can tell.) Resetting the computer to autodetect the DNS server (use DHCP) restores the computer to normal functionality. However, I strongly suspect a worm, virus or some kind of deliberate targeted attack. (Latest NAV defs are unable to detect anything on an affected machine as yet.)

When I looked in the registry of one of the affected computers, I found this (as a trimmed exported registry file):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

You'll notice that "windows" with "r0x" = "your s0x", which is pretty clear evidence of some kind of ne'er-do-well. I'm not sure if it's a local worm or something taking advantage of remote registry services or something, but it's not good. And the NameServer is supposed to be blank, indicating automatic DHCP configuration. (Changing the local machine's config in the network control panel appears to reset the entire hklm\system\ccs\services\parameters\interfaces key, removing this "r0x" entry.) Anyone aware of anything that has this kind of behaviour? And what do I do to fix it? And what else has this thing done? So far, it has happened on four machines in our office. I'll forward more information if I find any.
Thanks in advance,
Shannon McCracken
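The registry fragment quoted in the first post and again in Shannon's report has three tells: an interface subkey that is not an adapter GUID ("windows"), a value name TCP/IP never writes ("r0x"), and a NameServer pointing at one of the resolvers named in the thread. The following Python is an added example, not code from the thread or any poster: it parses a regedit/reg.exe text export (the constructed sample is the export quoted above) and reports those three conditions; the watch list and the set of known value names are assumptions for the check, not an exhaustive list.

```python
import re

# Resolver addresses reported in this thread (constructed watch list for the check)
SUSPICIOUS_NAMESERVERS = {"216.127.92.38", "69.51.146.14", "69.57.146.14"}
INTERFACES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
# Legitimate per-adapter subkeys are GUIDs in braces; anything else (e.g. "windows") is bogus
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Value names the TCP/IP stack itself writes under an adapter key (assumed subset)
KNOWN_VALUE_NAMES = {"NameServer", "DhcpNameServer", "T1", "T2", "LeaseObtainedTime", "LeaseTerminatesTime", "EnableDHCP", "IPAddress", "SubnetMask", "DefaultGateway", "Domain", "DhcpServer", "DhcpIPAddress"}

# Constructed sample: the trimmed export quoted in the thread, with the usual header line
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"NameServer"="69.57.146.14"
"""

def parse_reg_export(text):
    """Parse a regedit/reg.exe text export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line[1:].partition('"=')   # "Name"=data
            keys[current][name] = value.strip('"')
    return keys

def audit_interfaces(text):
    """Return (key, reason) findings for per-adapter DNS settings that look tampered with."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.startswith(INTERFACES_KEY + "\\"):
            continue
        subkey = key[len(INTERFACES_KEY) + 1:]
        if not GUID_RE.match(subkey):
            findings.append((key, f"non-GUID interface subkey '{subkey}'"))
        for name in values:
            if name not in KNOWN_VALUE_NAMES:
                findings.append((key, f"unexpected value name '{name}'"))
        for addr in re.split(r"[ ,]+", values.get("NameServer", "")):
            if addr in SUSPICIOUS_NAMESERVERS:
                findings.append((key, f"NameServer set to suspicious resolver {addr}"))
    return findings
```

Run it over `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces` output from a suspect machine; a DHCP-managed adapter should normally have NameServer blank, so any hard-coded value deserves a look even when it is not on the watch list.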
Jon (Author) Posted October 1, 2003
me101... NTbugtraq / bugtraq, who cares, and who can tell when you've got about 10 security mailing lists going into the same folder :) I found a few more cases in usenet and mailed them; looks like there are at least 3 IPs involved.
MitchShrader Posted October 2, 2003
Several days now working on a related issue: ATTENTION! There is an HTA exploit associated with this IP, and the EV1 ISP, apparently a variant of the 'Delude' trojan. Today it was demonstrated to be delivered from a 'click-on' link (when one REFUSED to click 'yes'). More info available at http://forums.spywareinfo.com (Google hijack). In a Windows desktop environment the exploit drops a new hosts file and rewrites the registry key for TCPIP /Parameters/DataBasePath (on Windows 2000/XP). Any information available on variants and network vulnerability would be much appreciated. Highly unlikely these two (desktop & network DNS) exploits are unrelated.
fedor Posted October 2, 2003
I had exactly the same problem 2 days ago. Here's my post: http://forums.spywareinfo.com/index.php?sh...showtopic=12509
---
My computer was attacked by unknown spyware. My DNS servers on the LAN connection, and 10 times more in the registry, were changed to 69.57.146.14. I had some popup windows for sites www.find-now.indo, ad.doubleclick.net. My www.google.com was redirected to some kind of imitating proxy. After removing the fake DNS servers I hardly found a custom version of the hosts file in a WINNT\help directory. The beginning of the file goes down in this message. They changed HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBaseName to force the system to read the incorrect copy of the hosts file. AdAware + SpyBot and AVP Kaspersky antivirus found nothing on the system. I found nothing on the web for the same stuff. I wonder if some authors of spyware removal programs want to know those details to include the information in their products. My address is here.

The beginning of winnt\help\hosts:
====
88.88.88.88 elite
207.44.194.56 www.google.akadns.net
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 www.altavista.com
207.44.194.56 altavista.com
......
====

I have to add: Nobody here mentioned that hosts file trick, maybe you still haven't found it. There is a working Google proxy at address 207.44.194.56; it is possible for the police to find the guy and kick his ass. Just try to ping www.google.com and you'll get 207.44.194.56 on an affected computer. After further investigation I found that also a 4-byte text file winnt\winlog was created at the same second as the fake hosts file. But I found nothing more, no more new executables or other files on my computer...
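fedor's post describes two artefacts that a DNS-only check would miss: a planted hosts file that pins search-engine names to one proxy address, and a changed Tcpip\Parameters DataBasePath so the resolver reads that copy instead of the one under drivers\etc. The following Python is an added example, not code from the thread or any poster: it parses hosts-file text copied off a machine (the sample is the fragment quoted above plus a constructed `localhost` line) and reports public addresses that several hostnames were pinned to, and it compares a DataBasePath value against the Windows default; the `min_hosts` threshold is an assumption.

```python
import ipaddress
from collections import defaultdict

# Where Windows reads the hosts file from by default (REG_EXPAND_SZ); anything else is a red flag
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

# Constructed sample: the head of the planted hosts file quoted in the thread, plus a normal entry
SAMPLE_HOSTS = """88.88.88.88 elite
207.44.194.56 www.google.akadns.net
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 www.altavista.com
207.44.194.56 altavista.com
127.0.0.1 localhost   # ordinary entry, must not be flagged
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:          # one address may carry several names
            yield parts[0], host.lower()

def find_hijacks(text, min_hosts=2):
    """Return {address: sorted hostnames} for every public address that min_hosts or more
    names were pinned to: the signature of a hosts-file redirect to a single proxy."""
    by_addr = defaultdict(set)
    for addr, host in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                    # malformed address; the resolver would not honour it
        if ip.is_loopback or ip.is_private or ip.is_unspecified:
            continue                    # 127.0.0.1, 0.0.0.0 and RFC 1918 entries are normal
        by_addr[addr].add(host)
    return {a: sorted(h) for a, h in by_addr.items() if len(h) >= min_hosts}

def database_path_is_default(value):
    """True when a DataBasePath registry value still points at drivers\\etc."""
    return value.strip().lower() == DEFAULT_DATABASE_PATH.lower()

if __name__ == "__main__":
    for addr, hosts in find_hijacks(SAMPLE_HOSTS).items():
        print(addr, "pinned for", ", ".join(hosts))
```

A single-name entry such as `88.88.88.88 elite` is below the threshold but still worth reading by eye; the point of the threshold is to surface the proxy pattern without flagging every custom entry an admin added.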
Jon (Author) Posted October 2, 2003
http://vil.nai.com/vil/content/v_100719.htm Full low-down and fix-it steps.
me101 (Veteran) Posted October 3, 2003
"NTbugtraq / bugtraq, who cares" Just ask that question on the above listed mailing lists and see what kind of response you get... they are TWO very different mailing lists.
SimplyPotatoes Posted October 3, 2003
wow jon :) why don't you make filters for your mail :) so you don't confuse two things :)
Jon (Author) Posted October 3, 2003
"Just ask that question on the above listed mailing lists and see what kind of response you get... they are TWO very different mailing lists." Stop being so stupidly pedantic me101. I did people a favour and gave them advanced warning. Oh and I completely disagree, bugtraq would have provided useful feedback. Simplypotatoes, there is no real need. They are two similar security mailing lists, as are the others I subscribe to. The only ones I split off are those relating to my specific AV vendor as they take priority in my job. Anyway, job done, AV sigs are out, so this thread is closed as far as I'm concerned. me101 if you want to carry on with your whining do it via PM please.