Anti-Spyware Forums



Feds shift DNSChanger cut-off deadline to July

 
 
Dustin
      11-03-2012, 05:44 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:(E-Mail Removed) :

> From: "Virus Guy" <(E-Mail Removed)>
>
>> "David H. Lipman" wrote:
>>
>>> I use 8.8.8.8 and ...

>>
>> Could you possibly hand over more data to google than they're
>> already getting from you?

>
> They don't get "data". All they get is my DNS lookups. This is
> also bastardized by the fact I use WGET emulating various User-Agents
> accessing malicious sites.


You lost him David. He has dns server confused with web server.


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts
 
Virus Guy
      11-03-2012, 08:24 PM
"David H. Lipman" wrote:

> > You lost him David. He has dns server confused with web
> > server.

>
> LOL ;-)


Dave - are you clueless too?

Ok, I'll explain it for you idiots.

A bunch of trojanized or botted PC's have their dns set to 1.2.3.4. The
server located at 1.2.3.4 is malicious.

The feds authorize me (a white-hat) to operate a replacement DNS server
at 1.2.3.4 while the C&C network for the botnet is taken down.

So my server operates as a normal DNS server for these infected PC's,
except that maybe I have a list of malicious domains that I'm not
supposed to resolve for their benefit.

This arrangement is supposed to last for maybe 6 months, because the
thinking is that the owners of these infected PC's will eventually
discover and clean them of this malware and it shouldn't take more
than 6 months to do it.

But guess what - after 6 months there's still a significant number of
infected PC's. If I take down my DNS server, these machines will be
left high and dry without a functioning DNS service.

Now maybe that's not such a bad end result for the fools that own these
infected PC's (some of them belong to fortune-500 companies, and even
several federal departments of the US gov't).

But the feds want me to keep operating my server, so they extend this
arrangement for another few months.

Now, here's what I think they can or should do and probably should have
done from the very beginning:

When anyone's PC performs a DNS request, say for www.acme.com, it's
supposed to get the IP address for the A-record for www.acme.com.

So let's say that one of these infected PC's performs a DNS query for
www.acme.com and my DNS server located at 1.2.3.4 gets the query. What
DNS result do I return to the infected PC? I return 1.2.3.4.

Remember, 1.2.3.4 is me. I'm operating a DNS server at 1.2.3.4, but I
can also operate a web (HTTP) server on port 80 at that IP address.

So now the infected PC performs a http-get request to 1.2.3.4 and my
web-server gets the request - and it will know that the page being
requested is www.acme.com/what-ever/is/here.htm

So my server will go to the real www.acme.com/what-ever/is/here.htm and
grab that page -> and serve it up to the infected PC that's performing
the http-get. But before I serve it up, my server will modify the html
code and add a banner message across the top of the page saying "Hey,
your computer is infected with XYZ malware. Click here to learn more".

So that can happen for any html content being requested by these
infected PC's.

Now do you boobs understand?
 
Dustin
      11-03-2012, 09:10 PM
Virus Guy <(E-Mail Removed)> wrote in news:(E-Mail Removed):

> "David H. Lipman" wrote:
>
>> > You lost him David. He has dns server confused with web
>> > server.

>>
>> LOL ;-)

>
> Dave - are you clueless too?
>
> Ok, I'll explain it for you idiots.


This should be good.

> A bunch of trojanized or botted PC's have their dns set to 1.2.3.4.
> The server located at 1.2.3.4 is malicious.
>
> The feds authorize me (a white-hat) to operate a replacement DNS
> server at 1.2.3.4 while the C&C network for the botnet is taken down.


With ya so far.

> So my server operates as a normal DNS server for these infected PC's,
> except that maybe I have a list of malicious domains that I'm not
> supposed to resolve for their benefit.


Yep.

> This arrangement is supposed to last for maybe 6 months, because the
> thinking is that the owners of these infected PC's will eventually
> discover and clean them of this malware and it shouldn't take
> more than 6 months to do it.


Poor thinking then eh? Most users are.. well, let's face it, not
interested or lazy.

> But guess what - after 6 months there's still a significant number of
> infected PC's. If I take down my DNS server, these machines will be
> left high and dry without a functioning DNS service.


Correct. Unless they configure the machine to use another one.

> Now maybe that's not such a bad end result for the fools that own
> these infected PC's (some of them belong to fortune-500 companies,
> and even several federal departments of the US gov't).


Saddening imho. Very bad security policies...

> But the feds want me to keep operating my server, so they extend this
> arrangement for another few months.


Might be extended again and again...

> Now, here's what I think they can or should do and probably should
> have done from the very beginning:
>
> When anyone's PC performs a DNS request, say for www.acme.com, it's
> supposed to get the IP address for the A-record for www.acme.com.


Googled huh? Good boy. Now mebbe some intelligent conversation will
follow.

> So let's say that one of these infected PC's performs a DNS query for
> www.acme.com and my DNS server located at 1.2.3.4 gets the query.
> What DNS result do I return to the infected PC? I return 1.2.3.4.
>
> Remember, 1.2.3.4 is me. I'm operating a DNS server at 1.2.3.4, but
> I can also operate a web (HTTP) server on port 80 at that IP address.


You could.. Sure. Why do that tho? You'd make yourself an easier target
to disable.

> So now the infected PC performs a http-get request to 1.2.3.4 and my
> web-server gets the request - and it will know that the page being
> requested is www.acme.com/what-ever/is/here.htm


Yep.

> So my server will go to the real www.acme.com/what-ever/is/here.htm
> and grab that page -> and serve it up to the infected PC that's
> performing the http-get. But before I serve it up, my server will
> modify the html code and add a banner message across the top of the
> page saying "Hey, your computer is infected with XYZ malware. Click
> here to learn more".


Strangely enough, free webspace providers would do this. It was banner
advertising, they'd insert it into your html. Still, nothing new going
on here.

> So that can happen for any html content being requested by these
> infected PC's.


Absolutely.

> Now do you boobs understand?


LOL!

Not only do we understand, we well understood before you announced this
terrible discovery! [g]




--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by,
and the only thing that's wrong is to get caught. - J.C. Watts
 
Dustin
      11-03-2012, 09:11 PM
Aardvark <(E-Mail Removed)> wrote in news:jjj30f$kht$1@dont-email.me:

> On Sun, 11 Mar 2012 19:35:52 +0000, ~BD~ wrote:
>
>> FromTheRafters wrote:
>>> They mucked with the response from the DNS - not the DNS itself.

>>
>> Were you around at the time Robear Dyer <SNIP>

>
>> <SNIP NON SEQUITUR OFF-TOPIC ****>

>
> Stay on-topic, you sto0pid ****.
>


It's too complex for him. Virus_Guy has a better understanding.


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts
 
Whoever
      11-03-2012, 10:14 PM
In article <(E-Mail Removed)>, (E-Mail Removed) says...
>
> Now, here's what I think they can or should do and probably should have
> done from the very beginning:
>
> When anyone's PC performs a DNS request, say for www.acme.com, it's
> supposed to get the IP address for the A-record for www.acme.com.
>
> So let's say that one of these infected PC's performs a DNS query for
> www.acme.com and my DNS server located at 1.2.3.4 gets the query. What
> DNS result do I return to the infected PC? I return 1.2.3.4.
>
> Remember, 1.2.3.4 is me. I'm operating a DNS server at 1.2.3.4, but I
> can also operate a web (HTTP) server on port 80 at that IP address.
>
> So now the infected PC performs a http-get request to 1.2.3.4 and my
> web-server gets the request - and it will know that the page being
> requested is www.acme.com/what-ever/is/here.htm



I'm just a dummy with almost no understanding of these things, so I
hope you don't mind my asking some questions here. How do you ever
expect the above to work for anything other than a simple, two computer
network? DNS servers get hit with thousands of requests per second from
a lot of different computers. While one may be asking for the address to
www.acme.com, others will be asking for addresses to www.foxnews.com,
www.microsoft.com, www.disney.com, etc. If all of them are being
directed back to 1.2.3.4 for their web content as well, how is the web
server you are running on port 80 going to know what content (albeit
modified with your banner) to serve back to the appropriate http-get? As
far as I understood it, the DNS request and the http-get request are
two, completely separate interactions.


> So my server will go to the real www.acme.com/what-ever/is/here.htm and
> grab that page -> and serve it up to the infected PC thats performing
> the http-get. But before I serve it up, my server will modify the html
> code and add a banner message across the top of the page saying "Hey,
> your computer is infected with XYZ malware. Click here to learn more".
>
> So that can happen for any html content being requested by these
> infected PC's.



Yes, it is simple for a web server to modify the displayed results on
the fly. There are a variety of ways to inject external content into a
web page. The problem that I'm having with understanding your scenario
is just how a DNS server will "tag" its response to a specific client
so that when that client then submits the http-get it will receive a web
page that contains the original content it was requesting (albeit with
an additional banner).


--
Whoever - but you can just call me who.
(E-Mail Removed)d
 
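The scheme Virus Guy sketches in his 08:24 post (answer every A query with the replacement server's own address, then recover the site the client wanted from the HTTP request) and Whoever's question above about how the web server on port 80 tells those requests apart, as an added example that is not code from any post in this thread. As Whoever says, the DNS lookup and the HTTP GET are separate interactions; what ties them together is the Host header that every HTTP/1.1 request carries, so the web server does not need the DNS server to "tag" anything. The sinkhole address 1.2.3.4 is the thread's placeholder, the banner text and help link are assumed, and the upstream page and the sample DNS/HTTP requests are constructed here so the code runs offline.

```python
import struct

SINKHOLE_IP = "1.2.3.4"   # placeholder address used in the thread
BANNER = ('<div style="background:#fc0;padding:8px">Your computer is infected '
          'with DNSChanger malware. <a href="http://example.invalid/help">'
          'Click here to learn more</a></div>')  # help URL is assumed


def parse_question(query: bytes):
    """Return (qname, qtype, end offset) for the first question in a DNS query."""
    labels, pos = [], 12                    # 12-byte header precedes the question
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        labels.append(query[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", query[pos:pos + 4])
    return ".".join(labels), qtype, pos + 4


def sinkhole_answer(query: bytes, ip: str = SINKHOLE_IP, ttl: int = 60) -> bytes:
    """Build a NOERROR response; every A query gets the sinkhole's own address."""
    _qname, qtype, qend = parse_question(query)
    txid = query[:2]
    flags = b"\x81\x80"                     # QR=1, RD=1, RA=1, RCODE=0
    if qtype != 1:                          # not an A query: empty answer section
        return txid + flags + struct.pack("!HHHH", 1, 0, 0, 0) + query[12:qend]
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer to the name at offset 12 (the question name)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return txid + flags + struct.pack("!HHHH", 1, 1, 0, 0) + query[12:qend] + answer


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, path, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def origin_url(raw: bytes) -> str:
    """The URL the client meant: Host header plus request path."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host")
    if not host:
        raise ValueError("no Host header: cannot tell which site was requested")
    return "http://" + host + path


def inject_banner(html: bytes, banner: str = BANNER) -> bytes:
    """Put the warning right after the opening <body> tag (or at the very top)."""
    lower = html.lower()
    start = lower.find(b"<body")
    end = lower.find(b">", start) if start != -1 else -1
    if end == -1:
        return banner.encode() + html
    return html[:end + 1] + banner.encode() + html[end + 1:]


def proxy_response(raw: bytes, fetch) -> bytes:
    """Fetch the real page for this request and return it with the banner added."""
    return inject_banner(fetch(origin_url(raw)))


# Constructed sample traffic (not captured from any real client).
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header
                b"\x03www\x04acme\x03com\x00\x00\x01\x00\x01")        # www.acme.com A IN
SAMPLE_REQUEST = (b"GET /what-ever/is/here.htm HTTP/1.1\r\n"
                  b"Host: www.acme.com\r\nUser-Agent: sample\r\n\r\n")
SAMPLE_PAGES = {   # stands in for fetching the real www.acme.com page
    "http://www.acme.com/what-ever/is/here.htm":
        b'<html><head><title>Acme</title></head><body class="x"><h1>Acme</h1></body></html>',
}


def demo():
    answer = sinkhole_answer(SAMPLE_QUERY)
    page = proxy_response(SAMPLE_REQUEST, SAMPLE_PAGES.__getitem__)
    return answer, page


if __name__ == "__main__":
    dns_answer, html = demo()
    print("DNS answer rdata:", ".".join(str(b) for b in dns_answer[-4:]))
    print(html.decode())
```

Two caveats a practitioner would raise before deploying anything like this. Because every name now resolves to 1.2.3.4, everything on those machines that is not plain HTTP on port 80 stops working: mail, HTTPS (the proxy cannot present a valid certificate for www.acme.com, so browsers refuse the connection), software updaters and so on. And the only identity the server has for a client is its source address, so a NAT gateway with one infected machine behind it would get the banner on every host it serves. The replacement server the thread discusses resolves names normally; the banner scheme is the poster's proposal, not what was deployed.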
 
FromTheRafters
      11-03-2012, 11:30 PM
~BD~ wrote:
> FromTheRafters wrote:
>> They mucked with the response from the DNS - not the DNS itself.

>
> Were you around at the time Robear Dyer MVP made this post, FTR?
>
> http://groups.google.com/group/micro...274a3269?hl=en


Probably, as I'm no spring chicken.

> The links still work - but now go to an advertisement!
>
> Here's a rather out-of-date list of DTS_L members, but the best I can
> find. http://www.kellys-korner-xp.com/xp_dtsl_web_sites.htm
>
> Do you know if this 'special' group of Microsoft MVP's is still in
> existence? This post refers, albeit from some years ago.
> http://groups.google.com/group/micro...6a46cb99?hl=en
>
> If they *do* exist - what do they actually *do*?!!


As I recall, it was a website temporarily put up by members of a mailing
list. They helped people with computer related problems.

Here's another web relic for you to wonder about as you wander about.

http://members.shaw.ca/dts-l/default.htm

The web needs a garbage collector, eh?

 
FromTheRafters
      11-03-2012, 11:34 PM
Virus Guy wrote:
> "David H. Lipman" wrote:
>
>>> You lost him David. He has dns server confused with web
>>> server.

>>
>> LOL ;-)

>
> Dave - are you clueless too?
>
> Ok, I'll explain it for you idiots.


LOL

[...]
 
G. Morgan
      12-03-2012, 02:30 AM
Virus Guy wrote:

>But guess what - after 6 months there's still a significant number of
>infected PC's. If I take down my DNS server, these machines will be
>left high and dry without a functioning DNS service.


That's what should have happened to begin with. A buddy of mine got
the DNS changer last summer and it took all of 10 minutes to
diagnose, reconnect, and get the cleaner update.

--
Dogs are forever in the push up postion. -Mitch Hedberg

 
G. Morgan
      12-03-2012, 02:35 AM
Virus Guy wrote:

>Can anyone explain why the replacement DNS server being operated by the
>"white-hats" (ie - the feds) doesn't include a method to inject or
>display a message to users in their browser window telling them that
>their system is infected and/or has ****ed-up DNS settings and give them
>a link to follow for more information, yada yada, etc ?


You can make sure you're not infected by running MBAM.

Then run:

Domain Name Speed Benchmark


Are your DNS nameservers impeding your Internet experience?
A unique, comprehensive, accurate & free Windows (and Linux/Wine)
utility to determine the exact performance of local and remote DNS
nameservers . . .

http://www.grc.com/dns/benchmark.htm

Scans 1000's of DNS servers and will report the fastest for your
connection and whether or not it re-directs misspellings to Ads.


--
I wanted to buy a candle holder, but the store didn't have one.
So I got a cake. -Mitch Hedberg

 
Virus Guy
      13-03-2012, 01:40 AM
Whoever wrote:

> > So that can happen for any html content being requested by these
> > infected PC's.

>
> Yes, it is simple for a web server to modify the displayed results
> on the fly.


A concept that went right over the heads of a lot of people here. Or at
least the reason why you'd want to do that in this situation.

> The problem that I'm having with understanding your scenario
> is just how a DNS server will "tag" its response to a specific
> client


Because the only clients hitting this DNS server are the ones infected
with some specific malware. The PC's hitting this DNS server are part
of a botnet that the feds took down last year. They are the only PC's
using a special DNS server that was set up to replace a malicious
server.

And because they're using this special server, the authorities and
white-hats know the rate at which these computers are getting cleaned up
because they monitor the traffic hitting this server. As machines get
cleaned up, they stop using this special DNS server and they use
what-ever is appropriate for them (their isp's server, etc).
 
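Virus Guy's closing point, that the people running the replacement server can measure the clean-up rate from the traffic hitting it, as an added example that is not from the thread and not the operators' actual tooling: count the distinct client addresses seen per month in a resolver query log, and treat a client that has gone silent before a cut-off date as presumed cleaned. The log lines and their format (date, client address, queried name) are constructed for this example.

```python
from collections import defaultdict
from datetime import date

# Constructed resolver log: "YYYY-MM-DD client_ip queried_name" (format assumed).
SAMPLE_LOG = """\
2012-01-10 10.0.0.1 www.acme.com
2012-01-10 10.0.0.2 www.acme.com
2012-01-11 10.0.0.3 mail.example.net
2012-02-10 10.0.0.1 www.acme.com
2012-02-12 10.0.0.3 www.example.net
2012-03-10 10.0.0.3 www.acme.com
"""


def parse_log(text: str):
    """Return (day, client_ip, qname) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, client, qname = line.split()
        events.append((date.fromisoformat(day), client, qname))
    return events


def clients_per_month(events):
    """Distinct client addresses seen each month: the 'still infected' curve."""
    seen = defaultdict(set)
    for day, client, _qname in events:
        seen[(day.year, day.month)].add(client)
    return {month: len(clients) for month, clients in sorted(seen.items())}


def last_seen(events):
    """Most recent day each client address queried the sinkhole."""
    last = {}
    for day, client, _qname in events:
        if client not in last or day > last[client]:
            last[client] = day
    return last


def split_by_cutoff(events, cutoff: date):
    """Clients silent since `cutoff` (presumed cleaned) vs. still querying."""
    last = last_seen(events)
    cleaned = sorted(c for c, d in last.items() if d < cutoff)
    active = sorted(c for c, d in last.items() if d >= cutoff)
    return cleaned, active


def report(text: str = SAMPLE_LOG, cutoff: date = date(2012, 3, 1)):
    events = parse_log(text)
    return clients_per_month(events), split_by_cutoff(events, cutoff)


if __name__ == "__main__":
    per_month, (cleaned, active) = report()
    for (year, month), count in per_month.items():
        print(f"{year}-{month:02d}: {count} distinct clients")
    print("presumed cleaned:", cleaned)
    print("still using sinkhole:", active)
```

Counting source addresses is only an estimate: several infected machines behind one NAT gateway show up as a single client, a machine on a dynamic address shows up as several, and a client that goes quiet may have been cleaned, had its resolver settings changed by hand, or simply been switched off.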
 
 
 