Anti-Spyware Forums



Feds shift DNSChanger cut-off deadline to July

 
 
FromTheRafters
      13-03-2012, 02:35 AM
Virus Guy wrote:
> Whoever wrote:
>
>>> So that can happen for any html content being requested by these
>>> infected PC's.
>>
>> Yes, it is simple for a web server to modify the displayed results
>> on the fly.
>
> A concept that went right over the heads of a lot of people here. Or at
> least the reason why you'd want to do that in this situation.


But *now* you're talking about a web server.

[...]
 
Peter Foldes
      13-03-2012, 05:01 PM
"Aardvark" <(E-Mail Removed)> wrote in message
news:jjnu98$eip$(E-Mail Removed)...
> On Tue, 13 Mar 2012 16:33:14 +0100, Bear wrote:
>
>> Your manner is putting people off.
>
> The fact that I commented on someone trying to spoil the thread?
>
> **** off.



+100%

JS

 
Whoever
      13-03-2012, 06:51 PM
In article <(E-Mail Removed)>, (E-Mail Removed) says...
>
> Whoever wrote:
>
> > > So that can happen for any html content being requested by these
> > > infected PC's.
> >
> > Yes, it is simple for a web server to modify the displayed results
> > on the fly.
>
> A concept that went right over the heads of a lot of people here. Or at
> least the reason why you'd want to do that in this situation.
>
> > The problem that I'm having with understanding your scenario
> > is just how a DNS server will "tag" its response to a specific
> > client
>
> Because the only clients hitting this DNS server are the ones infected
> with some specific malware. The PC's hitting this DNS server are part
> of a botnet that the feds took down last year. They are the only PC's
> using a special DNS server that was set up to replace a malicious
> server.
>
> And because they're using this special server, the authorities and
> white-hats know the rate at which these computers are getting cleaned up
> because they monitor the traffic hitting this server. As machines get
> cleaned up, they stop using this special DNS server and they use
> whatever is appropriate for them (their isp's server, etc).



I understood all of that perfectly well but it has nothing to do with
my question. Perhaps I didn't state it well. I'll try to reword it to
make it clearer.

As I understand it, you are describing two entirely separate
transactions using the internet. The first one is a request to a DNS
server to resolve a URL to an IP address. The IP address of the DNS
server itself is already known and set in the compromised computer. In
your example it was changed to 1.2.3.4 by the DNSChanger to form the
botnet. So the compromised computer sends a request to 1.2.3.4
(assumedly on port 53) to resolve the URL www.acme.com to an IP address.
The DNS server then returns 1.2.3.4 (in your example) as the IP address
for www.acme.com to the compromised computer. The compromised computer
then opens a completely separate request to 1.2.3.4 (assumedly on port
80) looking for the web server.

Here is where I'm having trouble understanding what you are suggesting.
How does that web server _know_ that this particular request is
expecting to receive the web page actually hosted at www.acme.com? You
seem to be suggesting that each response from the DNS server is somehow
"tagged" to identify the desired URL (www.acme.com) back to the
compromised computer. As far as I know, a DNS server cannot do that.
Even if you hacked the server to append such "tag data" onto the
response (i.e. "1.2.3.4/?host=www.acme.com") the compromised computer
wouldn't know what to do with the "extra" data and would not be able to
use it. Perhaps I'm wrong though. I don't know that much about the
internal workings of DNS clients and it's been a long time since I
looked over the RFC's for DNS resolution.

Even if you could do such a thing and get it to somehow work for web
pages, I have serious reservations about how other apps would react to
that solution. For instance, when you're using DNS to resolve for things
like time servers, IM servers, email servers, NNTP servers, update
servers of all sorts, etc. Do you just treat them all as if they were
web page address requests?



--
Whoever - but you can just call me who.
(E-Mail Removed)d
 
David W. Hodgins
      14-03-2012, 06:47 AM
On Tue, 13 Mar 2012 14:51:55 -0400, Whoever <(E-Mail Removed)> wrote:

> In article <(E-Mail Removed)>, (E-Mail Removed) says...
>> Because the only clients hitting this DNS server are the ones infected
>> with some specific malware. The PC's hitting this DNS server are part
>
> Here is where I'm having trouble understanding what you are suggesting.
> How does that web server _know_ that this particular request is
> expecting to receive the web page actually hosted at www.acme.com? You
> seem to be suggesting that each response from the DNS server is somehow
> "tagged" to identify the desired URL (www.acme.com) back to the
> compromised computer. As far as I know, a DNS server cannot do that.


The point is that since all dns requests coming to that name server
are coming from infected clients, it would be easy to have that dns
server only reply with valid addresses for sites useful in removing
the trojan, and reply with an ip address that leads to a web
server that only shows an instruction page, for all other requests.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
 
Whoever
      14-03-2012, 11:54 AM
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
>
> The point is that since all dns requests coming to that name server
> are coming from infected clients, it would be easy to have that dns
> server only reply with valid addresses for sites useful in removing
> the trojan, and reply with an ip address that leads to a web
> server that only shows an instruction page, for all other requests.



I understood that as well. It would be simple for the DNS servers to
route all requests to the equivalent of a 404 error page with
instructions on getting help. It would, of course, break non-http DNS
requests and disable things like smtp, pop, imap, nntp, etc. but most
users would probably figure it out pretty quickly.

What I was wondering about was how VG intended to implement his idea
which was somewhat different. He was going to use the DNS servers to
route the requests to a web server (as above) but that server would then
show the originally requested web page (www.acme.com in his example) but
with the equivalent of a banner ad on the page with instructions on
fixing their DNS. While it would be easy to have the web server build
such a page with content from another server and a customized banner ad,
I'm having trouble understanding how he would pass the URL of the
originally requested page to the temporary web server from the original
DNS request.


--
Whoever - but you can just call me who.
(E-Mail Removed)d
 
Virus Guy
      15-03-2012, 12:43 AM
Whoever wrote:

> I'm having trouble understanding how he would pass the URL of the
> originally requested page to the temporary web server from the
> original DNS request.


You don't know from the DNS request what the client machine has in mind
(http, https, ftp, smtp, pop, etc).

If the client wants to do anything other than a few protocols (http,
https, maybe ftp) then it's true that there's no way to make a message
appear in front of the user's eyeballs.

The odds are that it's going to be http or https (probably 95%
certainty).

So you always return a result of 1.2.3.4 anyways.

If the infected machine comes back and tries to hit your server located
at 1.2.3.4 on a port other than HTTP/HTTPS, then there's no clear
strategy - things become more complicated.

You're trying to act as the infected machine's DNS server and its
gateway, but I guess it really can work only for http or https.

Remember that when you look at an HTTP request, the full url (including
the FQDN of the target host) is included in the request. That's because
any given web-server can host dozens of websites, so for it to know
which web-site to serve up the entire URL is included in the http get
request by the client.

It's possible that the same http server can serve up a completely
different website for acme.com and www.acme.com if it wants to.
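An added example (not code from the thread or from the DNSChanger surrogate resolver's operators) that models the two separate steps Whoever describes and the policy Dave Hodgins and Virus Guy sketch: a resolver that answers with a bare address, and a plain-HTTP front end at that address that recovers the requested site from the Host header. All addresses, site names and request bytes are constructed for the demo.

```python
"""Surrogate (sinkhole) resolver beside the plain-HTTP instruction server
it points clients at.  Every address, name and request here is constructed."""
from urllib.parse import urlsplit

SINKHOLE_IP = "1.2.3.4"            # the sinkhole address used in the thread
REMEDIATION_SITES = {              # constructed: clean-up sites keep resolving normally
    "www.example-cleanup.test": "203.0.113.10",
}

def resolve(qname: str) -> str:
    """Resolver policy: only allow-listed clean-up sites get their real address.

    The answer is a bare IP address.  Nothing in it carries the name that was
    asked for, so the sinkhole web server cannot learn it from this step."""
    return REMEDIATION_SITES.get(qname.rstrip(".").lower(), SINKHOLE_IP)

def requested_host(raw_request: bytes):
    """Recover the site the client wanted from the HTTP request itself.

    HTTP/1.1 clients send the FQDN in the Host header (virtual hosting); a
    request line in absolute form carries it too.  Returns None when neither
    is present, e.g. an HTTP/1.0 client, so the caller can fall back."""
    head = raw_request.partition(b"\r\n\r\n")[0].decode("ascii", "replace")
    request_line, *headers = head.split("\r\n")
    parts = request_line.split()
    if len(parts) == 3 and "://" in parts[1]:        # GET http://host/path HTTP/1.1
        return urlsplit(parts[1]).hostname
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and value.strip():
            return urlsplit("//" + value.strip()).hostname   # drops any :port
    return None

def client_transaction(site: str, path: str = "/") -> str:
    """The two separate steps an infected client performs: DNS, then TCP/80."""
    ip = resolve(site)
    if ip != SINKHOLE_IP:
        return f"real site {site} at {ip}"
    # Constructed request the client would send to the sinkhole's port 80.
    request = f"GET {path} HTTP/1.1\r\nHost: {site}\r\n\r\n".encode()
    host = requested_host(request)
    if host is None:
        return "instruction page (requested site unknown: no Host header)"
    return f"instruction page explaining that {host} was requested by an infected PC"
```

The resolver answer has no room for a "tag", so the requested name only becomes known once the client opens its HTTP connection. Over HTTPS the sinkhole cannot present a certificate the browser trusts for that name, so this approach is limited to plain HTTP.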
 
FromTheRafters
      15-03-2012, 01:07 AM
Virus Guy wrote:
> Whoever wrote:
>
>> I'm having trouble understanding how he would pass the URL of the
>> originally requested page to the temporary web server from the
>> original DNS request.
>
> You don't know from the DNS request what the client machine has in mind
> (http, https, ftp, smtp, pop, etc).
>
> If the client wants to do anything other than a few protocols (http,
> https, maybe ftp) then it's true that there's no way to make a message
> appear in front of the user's eyeballs.
>
> The odds are that it's going to be http or https (probably 95%
> certainty).
>
> So you always return a result of 1.2.3.4 anyways.
>
> If the infected machine comes back and tries to hit your server located
> at 1.2.3.4 on a port other than HTTP/HTTPS, then there's no clear
> strategy - things become more complicated.


The bottom line is when you shut them down, they'll get the message.
 
Dustin
      15-03-2012, 01:14 AM
Virus Guy <(E-Mail Removed)> wrote in news:(E-Mail Removed):

> You're trying to act as the infected machine's DNS server and its
> gateway, but I guess it really can work only for http or https.


I think you owe several people an apology... We tried to explain this to
you...


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts
 
Virus Guy
      15-03-2012, 01:51 AM
Dustin wrote:

> > You're trying to act as the infected machine's DNS server and
> > its gateway, but I guess it really can work only for http or
> > https.
>
> I think you owe several people an apology... We tried to explain
> this to you...


You made no such explanation, with your hahe's and lol's.

My idea for the surrogate DNS server would allow those machines to
function most of the time *AND* give their owners the message that their
machine is infected (by way of html meddling).

But what IS happening is that the surrogate DNS server is NOT giving
those owners any message at all.

If you're going to operate a temporary surrogate DNS server in the first
place -> you tell me which strategy is better.
 
Dustin
      15-03-2012, 03:48 PM
Virus Guy <(E-Mail Removed)> wrote in news:(E-Mail Removed):

> Dustin wrote:
>
>> > You're trying to act as the infected machine's DNS server and
>> > its gateway, but I guess it really can work only for http or
>> > https.
>>
>> I think you owe several people an apology... We tried to explain
>> this to you...
>
> You made no such explanation, with your hahe's and lol's.


Well, I did. I laughed a bit at you too, but in fairness; I did tell you
to google how a DNS server really worked. At that point, you called me a
dumbass and proceeded to confuse web server for DNS server with your
explanation...

Btw, had you not been such an arse about my humour, I'd likely explain
in theory how you actually could have the web and DNS servers working
together to pull off your nasty. They'd have two IPs, one internal, one
external. Wouldn't take a rocket scientist to figure out what needs to
be done next.

> My idea for the surrogate DNS server would allow those machines to
> function most of the time *AND* give their owners the message that


Your idea? You invented the DNS system?

> But what IS happening is that the surrogate DNS server is NOT giving
> those owners any message at all.


Of course not. It's resolving names to IP's, that's er, its job.
Many clients that expect IP data in response will not be all that
impressed if they get a url instead. I could just see xnews, pegasus,
or pidgin going "WTF?" and showing me the debug windows. lol

> If you're going to operate a temporary surrogate DNS server in the
> first place - you tell me which strategy is better.


My take on it is this...

I personally think the machine should remain offline until a competent
individual can repair the damage and set up security policies to keep it
from happening again.

As it will no longer have working DNS on its own, the malware will have
to bring its own server list, or, the machine is dead in the water and
no longer poses much threat to other systems. As its owner either
doesn't know, OR more likely doesn't care, the internet loses nothing
with their departure. It gains.

When the owner gets a bill, they'll pay slightly more attention. I'm
tired of irresponsible people. Not holding them liable only increases
the problem.




--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts
 