Early signs of new virus affecting TCP/IP config



Bugtraq has received a load of posts today regarding the suspicious change of DNS server IP address on Win2k/XP.

The DNS Server IP address has been seen to change to 216.127.92.38 and 69.51.146.14, with the following key added:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]

"r0x"="your s0x"

"NameServer"="69.57.146.14"

This is in the real early stages, nobody knows quite what's going on, but it's enough to say that if you admin a network and are having problems, check your DNS settings.


Well, we'll see tomorrow when the bugtraq replies have been analysed.

It looks like it. Redirecting the DNS queries to a malicious DNS server on the net is a GREAT way to mass DDoS the entire internet.


It's actually NTBugtraq not bugtraq...

Anyway, here are more details... Russ/NTBugtraq has "confirmed" that there is indeed a problem...

http://www.ntbugtraq.com/default.asp?pid=3...&D=0&F=P&P=1879

  • Date: Wed, 1 Oct 2003 11:04:33 -0400
    From: Russ <Russ.Cooper:nospam.RC.ON.CA>
    Subject: Re: Something changing DNS server settings - confirmed
    I just want to let you know that sufficient people have noticed this problem to convince me it is something new which has begun sometime since yesterday (at least that's the earliest reference I have so far.)
    I would appreciate it if anyone who has a machine with these entries (or similar entries which look invalid) send me those entries.
    I would encourage everyone to check to see if they have these entries, or similar, and report back to me or the list. All reports will be kept confidential. TruSecure is currently checking our AV contacts to see if any binaries have been submitted which cause this.
    More information as we get it.
    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

And here's the main details so far on this...

http://www.ntbugtraq.com/default.asp?pid=3...&D=0&F=P&P=1048

  • Date: Wed, 1 Oct 2003 16:07:22 +1200
    From: Shannon <bip0dbrm001:nospam.SNEAKEMAIL.COM>
    Subject: Something changing DNS server settings
    We're having a strange thing in our domain. Various Windows 2000 Professional workstations are changing the DNS servers they are configured to use. So far they have been observed spontaneously changing to 216.127.92.38 and 69.51.146.14. (Neither IP reverse-resolves correctly, but both are hosted on "ev1.net".) Due to our network topology, this breaks things pretty quickly as these servers cannot resolve our internal DNS. The former address is still responding as a DNS server, but the second is not, as far as I can tell.
    Resetting the computer to autodetect the DNS server (use DHCP) restores the computer to normal functionality.
    However, I strongly suspect a worm, virus or some kind of deliberate targeted attack. (The latest NAV defs are unable to detect anything on affected machines as yet.) When I looked in the registry of one of the affected computers, I found this:
    (as a trimmed exported registry file)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
    "r0x"="your s0x"
    "NameServer"="69.57.146.14"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
    "T2"=dword:3e057410
    "LeaseTerminatesTime"=dword:3e067130
    "LeaseObtainedTime"=dword:3dfe8830
    "T1"=dword:3e027cb0
    "NameServer"="69.57.146.14"
    You'll notice that "windows" with "r0x" = "your s0x" which is pretty clear evidence of some kind of ne'er do well. I'm not sure if it's a local worm or something taking advantage of remote registry services or something, but it's not good. And the NameServer is supposed to be blank indicating automatic DHCP configuration.
    (Changing the local machine's config in the network control panel appears to reset the entire hklm\system\ccs\services\parameters\interfaces key, removing this "r0x" entry.)
    Anyone aware of anything that has this kind of behaviour? And what do I do to fix it? And what else has this thing done? So far, it has happened on four machines in our office.
    I'll forward more information if I find any.
    Thanks in advance,
    Shannon McCracken

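The check the two posts above call for, written out as an added example that is not part of the thread and not the NTBugtraq posters' code: a Python script that parses a plain-text `reg export` of the Tcpip\Parameters\Interfaces key and flags the indicators they describe, namely an interface subkey whose name is not an adapter GUID (the "windows" key), a NameServer pointing at one of the resolver addresses reported in the thread, a static NameServer on a machine that is otherwise a DHCP client, and string values Windows never writes there (the "r0x" value). The watch-list of rogue resolvers is taken from the thread; the list of value names Windows writes under an interface key is an assumption that should be extended for your own build before the "unexpected value" output is trusted. The sample input is the trimmed export from Shannon's post.

```python
"""Scan a Windows registry export (.reg text) of the Tcpip\\Parameters\\Interfaces
key for the DNS-hijack indicators reported in the thread."""
import re

# Registry key the thread's exports were taken from.
INTERFACES_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                  r"\Tcpip\Parameters\Interfaces")

# Resolver addresses reported in the thread (constructed watch-list for this example).
ROGUE_NAMESERVERS = {"216.127.92.38", "69.51.146.14", "69.57.146.14"}

# Value names Windows itself writes under an interface key. This list is an
# assumption; extend it for your build before trusting the "unexpected value" output.
KNOWN_VALUE_NAMES = {
    "NameServer", "DhcpNameServer", "Domain", "DhcpDomain", "EnableDHCP",
    "IPAddress", "SubnetMask", "DefaultGateway", "DhcpIPAddress",
    "DhcpSubnetMask", "DhcpDefaultGateway", "DhcpServer", "Lease",
    "LeaseObtainedTime", "LeaseTerminatesTime", "T1", "T2",
    "UseZeroBroadcast", "EnableDeadGWDetect", "DisableDynamicUpdate",
    "NTEContextList", "RawIPAllowedProtocols", "TCPAllowedPorts",
    "UDPAllowedPorts", "InterfaceMetric", "DhcpClassId",
}

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export.
    Only the value types the thread's exports use (REG_SZ and dword:) are
    decoded; anything else is kept as the raw right-hand side."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1]           # REG_SZ
            elif raw.lower().startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)    # REG_DWORD
            else:
                keys[current][name] = raw
    return keys


def audit_interfaces(keys):
    """Return (subkey, reason) findings for the interface keys in a parsed export."""
    findings = []
    prefix = INTERFACES_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        if "\\" in subkey:          # deeper keys are not per-adapter settings
            continue
        # Windows names these subkeys after the adapter GUID; "windows" is not one.
        if not GUID_RE.match(subkey):
            findings.append((subkey, "subkey name is not an adapter GUID"))
        # A DHCP client (lease timestamps present or EnableDHCP=1) should have
        # NameServer blank; statically configured hosts legitimately set it.
        dhcp_client = values.get("EnableDHCP") == 1 or "LeaseObtainedTime" in values
        name_server = values.get("NameServer", "")
        if isinstance(name_server, str) and name_server:
            for ip in re.split(r"[ ,]+", name_server.strip()):
                if ip in ROGUE_NAMESERVERS:
                    findings.append((subkey, f"NameServer set to reported rogue resolver {ip}"))
                elif dhcp_client:
                    findings.append((subkey, f"static NameServer {ip} on a DHCP client"))
        for name in values:
            if name not in KNOWN_VALUE_NAMES:
                findings.append((subkey, f"unexpected value {name!r}"))
    return findings


# Trimmed export as posted to NTBugtraq, reproduced here as the sample input.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
"""


def audit_sample():
    """Run the audit over the posted export; four findings come back."""
    return audit_interfaces(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for subkey, reason in audit_sample():
        print(f"{subkey}: {reason}")
```

On a live machine the input is `reg export "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" out.reg` (the file is UTF-16 on XP, so decode it before passing the text in). The static-NameServer check is deliberately limited to keys that look like DHCP clients, since a hand-configured workstation will legitimately carry a NameServer value and would otherwise drown the real hits.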

me101... NTbugtraq / bugtraq, who cares, and who can tell when you've got about 10 security mailing lists going into the same folder :)

I found a few more cases in usenet and mailed them, looks like there are at least 3 IPs involved.


I've been working on a related issue for several days now: ATTENTION! There is an HTA exploit associated with this IP and the EV1 ISP, apparently a variant of the 'Delude' trojan. Today it was demonstrated to be delivered from a 'click-on' link (when one REFUSED to click 'yes'). More info is available at http://forums.spywareinfo.com (Google hijack). In a Windows desktop environment the exploit drops a new hosts file and rewrites the registry key for TCPIP/Parameters/DataBasePath (on Windows 2000/XP). Any information available on variants and network vulnerability would be much appreciated. Highly unlikely these two (desktop and network DNS) exploits are unrelated.


I had exactly the same problem 2 days ago. Here's my post

http://forums.spywareinfo.com/index.php?sh...showtopic=12509

---

My computer was attacked by unknown spyware. My DNS servers on the LAN connection, and 10 more times in the registry, were changed to 69.57.146.14. I had some popup windows for the sites www.find-now.indo and ad.doubleclick.net. My www.google.com was redirected to some kind of imitating proxy. After removing the fake DNS servers, with some difficulty I found a custom version of the hosts file in the WINNT\help directory. The beginning of the file is at the bottom of this message. They changed HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBaseName to force the system to read the incorrect copy of the hosts file. AdAware, SpyBot and AVP Kaspersky antivirus found nothing on the system. I found nothing on the web about the same stuff.

I wonder if some authors of spyware removal programs want to know these details to include the information in their products. My address is here.

The beginning of winnt\help\hosts

====

88.88.88.88 elite

207.44.194.56 www.google.akadns.net

207.44.194.56 www.google.com

207.44.194.56 google.com

207.44.194.56 www.altavista.com

207.44.194.56 altavista.com

......

====

I have to add:

Nobody here has mentioned the hosts file trick; maybe you still haven't found it. There is a working Google proxy at address 207.44.194.56, so it is possible for the police to find the guy and kick his ass. Just try to ping www.google.com and you'll get 207.44.194.56 on an affected computer.

After further investigation I found that a 4-byte text file, winnt\winlog, was also created at the same second as the fake hosts file. But I found nothing more, no more new executables or other files on my computer...

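The hosts-file side of this, as an added example that is not part of the thread and not the poster's code: a Python script that checks the two things the last two posts describe, a Tcpip\Parameters DataBasePath value (the post above spells it DataBaseName; the actual value name is DataBasePath) that no longer points at the stock drivers\etc directory, and a hosts file that pins several unrelated sites to one address, which is what turns www.google.com into 207.44.194.56. The sample hosts content is the posted beginning of the planted WINNT\help\hosts file; the "registered domain" helper is a deliberately crude last-two-labels approximation, which is enough to separate google.com from altavista.com but would mis-group country-code domains.

```python
"""Check the two hosts-file hijack indicators: a DataBasePath that no longer
points at the stock drivers\\etc directory, and a hosts file pinning several
unrelated sites to one address."""
import ipaddress
from collections import defaultdict

# Stock location of the hosts file on Windows 2000/XP.
STOCK_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"


def databasepath_is_stock(value):
    """True if a DataBasePath value (expanded or not) names the stock directory."""
    v = value.strip().rstrip("\\").lower()
    return v == STOCK_DATABASEPATH.lower() or v.endswith(r"\system32\drivers\etc")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower()


def registered_domain(host):
    """Crude last-two-labels approximation (assumption: good enough for .com/.net)."""
    return ".".join(host.split(".")[-2:])


def find_sinkholes(text, min_domains=2):
    """Return {ip: sorted hostnames} for non-loopback addresses that claim hosts
    from at least min_domains different registered domains."""
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        if ip.is_loopback:
            continue                      # "127.0.0.1 localhost" is normal
        by_ip[str(ip)].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()
            if len({registered_domain(h) for h in hosts}) >= min_domains}


def audit(databasepath_value, hosts_text):
    """Combine both checks into one list of report lines."""
    report = []
    if not databasepath_is_stock(databasepath_value):
        report.append(f"DataBasePath redirected to {databasepath_value!r}")
    for ip, hosts in find_sinkholes(hosts_text).items():
        report.append(f"{ip} sinkholes {len(hosts)} hosts: {', '.join(hosts)}")
    return report


# Start of the planted WINNT\help\hosts file as posted above (constructed sample;
# the original continues beyond these lines).
SAMPLE_HOSTS = """\
88.88.88.88 elite
207.44.194.56 www.google.akadns.net
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 www.altavista.com
207.44.194.56 altavista.com
"""

if __name__ == "__main__":
    # The DataBasePath value here is assumed to be what the infection sets;
    # the posts say only that it was changed to pick up WINNT\help\hosts.
    for line in audit(r"%SystemRoot%\help", SAMPLE_HOSTS):
        print(line)
```

Read the live value with `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v DataBasePath` and feed the hosts file from whatever directory it names, not from drivers\etc, since the stock copy there may be untouched. The "88.88.88.88 elite" marker line is not caught by the sinkhole rule (one host, one domain) and is better treated as a plain indicator to grep for.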

NTbugtraq / bugtraq, who cares

Just ask that question on the above listed mailing lists and see what kind of response you get... they are TWO very different mailing lists.


Just ask that question on the above listed mailing lists and see what kind of response you get... they are TWO very different mailing lists.

Stop being so stupidly pedantic, me101. I did people a favour and gave them advance warning.

Oh and I completely disagree, bugtraq would have provided useful feedback.

Simplypotatoes, there is no real need. They are two similar security mailing lists, as are the others I subscribe to. The only ones I split off are those relating to my specific AV vendor as they take priority in my job.

Anyway, job done, AV sigs are out, so this thread is closed as far as I'm concerned. me101, if you want to carry on with your whining, do it via PM please.


This topic is now closed to further replies.