Feds shift DNSChanger cut-off deadline to July

Discussion in 'Anti-Virus' started by Virus Guy, Mar 10, 2012.

  1. Virus Guy

    Virus Guy Guest

    Can anyone explain why the replacement DNS server being operated by the
    "white-hats" (ie - the feds) doesn't include a method to inject or
    display a message to users in their browser window telling them that
    their system is infected and/or has fucked-up DNS settings and give them
    a link to follow for more information, yada yada, etc ?

    ================================================================

    Feds shift DNSChanger cut-off deadline to July

    http://www.theregister.co.uk/2012/03/09/dnschanger_safety_net_extended/

    Posted in Malware, 9th March 2012 18:07 GMT

    The FBI's DNSChanger deadline extension has been approved by a US
    Federal Court, buying infected punters more time to clean up their
    systems.

    The move means that machines riddled with the Trojan will still be able
    to use temporary DNS servers to resolve internet addresses until 9 July.
    Before the order was granted, infected machines would not have been able
    to surf the web or handle email properly after 8 March, the previous
    expiry date of the safety net.

    Deployed initially by cyber-crooks, DNSChanger screwed with domain name
    system (DNS) settings to direct surfers to rogue servers - which
    hijacked web searches and redirected victims to dodgy websites as part
    of a long-running click-fraud and scareware distribution scam.

    The FBI stepped in and dismantled the botnet's command-and-control
    infrastructure back in November, as part of Operation GhostClick.

    To keep nobbled computers working properly, legitimate servers were set
    up by the Feds to replace the rogue DNS servers, under the authority of
    a temporary court order that has now been extended. But this effort did
    nothing by itself to clean up infected machines.

    As many as four million computers were infected at the peak of the
    botnet's activity.

    An updated study by security firm Internet Identity revealed that there
    has been a "dramatic decrease" in the number of Fortune 500 companies
    and US federal agencies with DNSChanger on their networks.

    IID found at least 94 of all Fortune 500 companies and three out of 55
    major government entities had at least one computer or router that was
    infected with DNSChanger as of 23 February, 2012. This is a sharp drop
    from the 250 out of 500 Fortune 500 companies found to be infected a few
    weeks prior to its latest survey – providing evidence that the clean-up
    operation has finally clicked into gear.

    More information on how to clean up infected machines, and other
    resources, can be found on the DNS Changer Working Group website here

    http://dcwg.org/cleanup.html
     
    Virus Guy, Mar 10, 2012
    #1

  2. Virus Guy

    Virus Guy Guest

    The joke's on you, dumb ass.

    Google DNS hijacking for displaying advertisements.

    ISPs have been doing this for years.
     
    Virus Guy, Mar 10, 2012
    #2

  3. LOL.
     
    FromTheRafters, Mar 11, 2012
    #3
  4. Virus Guy

    Virus Guy Guest

    I didn't say that google was doing that.

    I said to use google to do a search to see who is.

    One result:

    ==========
    http://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs

    A number of consumer ISPs such as OpenDNS[2], Cablevision's Optimum
    Online,[3] Comcast,[4] Time Warner, Cox Communications, RCN,[5]
    Rogers,[6] Charter Communications, Verizon, Virgin Media, Frontier
    Communications, Bell Sympatico,[7] UPC,[8] T-Online,[9] Optus,[10]
    Mediacom,[11] ONO[12] and Bigpond (Telstra)[13][14][15][16] use DNS
    hijacking for their own purposes, such as displaying advertisements[17]
    or collecting statistics.
    ===========

    The hijack is usually used when a query is made for a non-existent
    domain and the DNS server returns a result that points to a server
    providing some sort of alternate content - usually containing
    advertising - instead of the user seeing a 404 or some other browser
    error.

    The file-sharing / file-downloading domains that were "hijacked" by the
    DOJ/ICE over the past few years are a good example of this (ie-
    tvshack.net and many others).

    The idea extends to DNS servers that operate in conjunction with content
    servers that can generate the web-pages being sought by the user in real
    time by accessing the real web page the user was browsing to, with the
    intent of replacing in-page advertising with other advertising, or
    adding a top or bottom banner ad.

    I'm surprised I have to explain this concept to the readers of this
    group.

    I was wondering why, in this case of operating a white-hat DNS server
    for the benefit of thousands or hundreds of thousands of trojanized
    PCs, this technique of injecting a banner ad wasn't being done.

    This would allow the users of those PC's to see a "friendly message" as
    a banner ad on any website they browse to, telling them that their PC or
    router has been hacked or trojanized - and how to remedy the situation.

    Those users may not believe that they are seeing a benevolent (as
    opposed to a malicious) message, but the effect nonetheless would be to
    tweak them into thinking that something might be wrong with their system
    and to seek out some trusted third-party remedy on their own.
     
    Virus Guy, Mar 11, 2012
    #4
  5. So am I, you make it sound like it's a new thing.
    I think it's because it isn't being done by the DNS server, but is being
    done by the ISP modifying the response *from* the DNS server.

    Perhaps the authorities would have to 'take over' the ISPs *not* the DNS
    servers in order to do as you suggest?

    [...]
     
    FromTheRafters, Mar 11, 2012
    #5
  6. Virus Guy

    Virus Guy Guest

    How so?

    I was not implying that it is a new thing.
    Whenever or wherever it's done, the DNS server has to be involved for
    the method to work. Whether or not the DNS server is also used as the
    surrogate web server used to inject the ad content is just an academic
    question.

    If you want ad content to be injected, and if you already are operating
    a "rogue" DNS server (either black or white hat) that is being used by
    some population of compromised PCs, then you have the ability to inject
    the ads just by altering the software on your DNS server.
    No.

    This issue pertains to a population of trojanized PCs or routers with
    altered DNS settings. The PCs or routers have their DNS settings
    pointing to a malicious server or servers (by way of a malicious IP
    address, I would guess).

    Now someone somewhere (law enforcement) has granted a white-hat the
    ability to route that DNS traffic away from the malicious IP address and
    instead to his own server. I'm saying go the extra step and have that
    server generate a banner ad telling the fools with compromised systems
    that they need to have their PC or router looked at and decontaminated.

    The ISPs of those compromised systems play no role in any of this.
     
    Virus Guy, Mar 11, 2012
    #6
  7. Virus Guy

    Virus Guy Guest

    Could you possibly hand over more data to google than they're already
    getting from you?
     
    Virus Guy, Mar 11, 2012
    #7
  8. Yes, you only implied that we didn't already know. This has been
    happening for quite a while.

    Because in the scenario where it was being done - the ISP is involved in
    hijacking the DNS response and supplying their own special page.
    How so? That is, beyond the fact that a response has to exist for it to
    be hijacked.
    The DNS server either supplies an address or it doesn't.
    How does one do this?
    Yes, and these can return whatever results they want to. What will the
    client software do when they expect a numerical address or an error
    response and they get some HTML instead?
    The DNS server is supposed to deliver HTML?
    Indeed, but the article you linked to did. They mucked with the response
    from the DNS - not the DNS itself.
     
    FromTheRafters, Mar 11, 2012
    #8
  9. Virus Guy

    Dustin Guest

    dumbass? How unoriginal. Doesn't apply here. Really, google dns server.
    I don't need to. I know what a DNS server is.
    You don't have to be an ISP to run a DNS server, "dumb ass".
     
    Dustin, Mar 11, 2012
    #9
  10. Virus Guy

    Dustin Guest

    Trust me, you aren't informing us. You're entertaining us!
    How does one inject a banner ad on a DNS server?
    I don't think my clients will be happy getting something other than an
    IP address when they query a dns server. Ya see, my email client
    wouldn't know WTF to do if it (the ehh, DNS server) sent html back...
     
    Dustin, Mar 11, 2012
    #10
  11. Virus Guy

    Dustin Guest

    You lost him David. He has dns server confused with web server. :)
     
    Dustin, Mar 11, 2012
    #11
  12. Virus Guy

    Virus Guy Guest

    Dave - are you clueless too?

    Ok, I'll explain it for you idiots.

    A bunch of trojanized or botted PC's have their dns set to 1.2.3.4. The
    server located at 1.2.3.4 is malicious.

    The feds authorize me (a white-hat) to operate a replacement DNS server
    at 1.2.3.4 while the C&C network for the botnet is taken down.

    So my server operates as a normal DNS server for these infected PC's,
    except that maybe I have a list of malicious domains that I'm not
    supposed to resolve for their benefit.

    This arrangement is supposed to last for maybe 6 months, because the
    thinking is that the owners of these infected PCs will eventually
    discover and clean them of this malware and it shouldn't take more
    than 6 months to do it.

    But guess what - after 6 months there's still a significant number of
    infected PC's. If I take down my DNS server, these machines will be
    left high and dry without a functioning DNS service.

    Now maybe that's not such a bad end result for the fools that own these
    infected PC's (some of them belong to fortune-500 companies, and even
    several federal departments of the US gov't).

    But the feds want me to keep operating my server, so they extend this
    arrangement for another few months.

    Now, here's what I think they can or should do and probably should have
    done from the very beginning:

    When anyone's PC performs a DNS request, say for www.acme.com, it's
    supposed to get the IP address for the A-record for www.acme.com.

    So let's say that one of these infected PC's performs a DNS query for
    www.acme.com and my DNS server located at 1.2.3.4 gets the query. What
    DNS result do I return to the infected PC? I return 1.2.3.4.

    Remember, 1.2.3.4 is me. I'm operating a DNS server at 1.2.3.4, but I
    can also operate a web (HTTP) server on port 80 at that IP address.

    So now the infected PC performs a http-get request to 1.2.3.4 and my
    web-server gets the request - and it will know that the page being
    requested is www.acme.com/what-ever/is/here.htm

    So my server will go to the real www.acme.com/what-ever/is/here.htm and
    grab that page -> and serve it up to the infected PC that's performing
    the http-get. But before I serve it up, my server will modify the html
    code and add a banner message across the top of the page saying "Hey,
    your computer is infected with XYZ malware. Click here to learn more".

    So that can happen for any html content being requested by these
    infected PC's.

    Now do you boobs understand?
     
    Virus Guy, Mar 11, 2012
    #12
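The scheme laid out in post #12, as an added example that is not part of the original thread and not code from the DCWG, the FBI or anyone else involved in the takedown: the replacement resolver answers every A query with its own address, and an HTTP proxy listening on that same address reads the HTTP/1.1 Host header and request path to learn which origin the client actually wanted, fetches that page, and prepends a warning banner. That Host header is also what answers the question raised in post #15: the DNS reply carries no tag, the web request itself names the site. The sinkhole address (an RFC 5737 documentation address standing in for the thread's 1.2.3.4), the banner text and the stand-in origin content are all constructed so the block runs offline.

```python
import re

# Hypothetical replacement-server address; stands in for the thread's 1.2.3.4.
SINKHOLE_IP = "192.0.2.4"

# Constructed warning text; the DCWG clean-up URL is the one quoted in post #1.
BANNER = ('<div style="background:#fc0;padding:8px">Your computer appears to be '
          'infected with DNSChanger. See http://dcwg.org/cleanup.html</div>')


def resolve_a(qname, sinkhole_ip=SINKHOLE_IP):
    """Step 1: the replacement resolver answers every A query with its own address."""
    return sinkhole_ip


def parse_http_request(raw):
    """Step 2: recover the origin the client really wanted.

    The DNS answer carried no tag; the HTTP/1.1 Host header and request
    target are what tell the proxy which page to fetch.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    if host is None:
        raise ValueError("HTTP/1.1 request without Host header; origin unknown")
    return method, target, host


_BODY_RE = re.compile(r"<body[^>]*>", re.IGNORECASE)


def inject_banner(html, banner=BANNER):
    """Step 3: insert the warning right after <body>, leaving the page otherwise intact."""
    m = _BODY_RE.search(html)
    if m is None:
        return banner + html          # no <body> tag: put the warning first
    return html[:m.end()] + banner + html[m.end():]


def proxy(raw_request, fetch_upstream):
    """Tie the steps together: fetch the real page and return the modified one.

    fetch_upstream(host, target) -> str is injected so the block needs no network.
    Only GET is rewritten here; anything else is passed back as None.
    """
    method, target, host = parse_http_request(raw_request)
    if method != "GET":
        return None
    return inject_banner(fetch_upstream(host, target))


# Constructed stand-in for the real origin servers (no network access needed).
FAKE_ORIGINS = {
    ("www.acme.com", "/what-ever/is/here.htm"):
        "<html><head><title>Acme</title></head><body><h1>Acme</h1></body></html>",
}


def fake_fetch(host, target):
    return FAKE_ORIGINS[(host, target)]


if __name__ == "__main__":
    request = b"GET /what-ever/is/here.htm HTTP/1.1\r\nHost: www.acme.com\r\n\r\n"
    print("A www.acme.com ->", resolve_a("www.acme.com"))
    print(proxy(request, fake_fetch))
```

Two caveats a practitioner would raise before deploying this: it only works for plain HTTP, since an HTTPS client would reject the proxy's certificate for the real hostname; and because the resolver answers every name with the sinkhole address, every other protocol the infected machine uses (SMTP, IMAP, and so on, as post #10 points out) also lands on the sinkhole and either needs its own pass-through handler or breaks.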
  13. Virus Guy

    Dustin Guest

    This should be good.
    With ya so far.
    Poor thinking then eh? Most users are.. well, let's face it, not
    interested or lazy.
    Correct. Unless they configure the machine to use another one.
    Saddening imho. Very bad security policies...
    Might be extended again and again...
    Googled huh? Good boy. Now mebbe some intelligent conversation will
    follow.
    You could.. Sure. Why do that tho? You'd make yourself an easier target
    to disable.
    Strangely enough, free webspace providers would do this. It was banner
    advertising, they'd insert it into your html. Still, nothing new going
    on here.
    LOL!

    Not only do we understand, we well understood before you announced this
    terrible discovery! [g]
     
    Dustin, Mar 11, 2012
    #13
  14. Virus Guy

    Dustin Guest

    It's too complex for him. Virus_Guy has a better understanding.
     
    Dustin, Mar 11, 2012
    #14
  15. Virus Guy

    Whoever Guest

    I'm just a dummy with almost no understanding of these things, so I
    hope you don't mind my asking some questions here. How do you ever
    expect the above to work for anything other than a simple, two computer
    network? DNS servers get hit with thousands of requests per second from
    a lot of different computers. While one may be asking for the address to
    www.acme.com, others will be asking for addresses to www.foxnews.com,
    www.microsoft.com, www.disney.com, etc. If all of them are being
    directed back to 1.2.3.4 for their web content as well, how is the web
    server you are running on port 80 going to know what content (albeit
    modified with your banner) to serve back to the appropriate http-get? As
    far as I understood it, the DNS request and the http-get request are
    two, completely separate interactions.

    Yes, it is simple for a web server to modify the displayed results on
    the fly. There are a variety of ways to inject external content into a
    web page. The problem that I'm having with understanding your scenario
    is just how a DNS server will "tag" its response to a specific client
    so that when that client then submits the http-get it will receive a web
    page that contains the original content it was requesting (albeit with
    an additional banner).
     
    Whoever, Mar 11, 2012
    #15
  16. Probably, as I'm no spring chicken.
    As I recall, it was a website temporarily put up by members of a mailing
    list. They helped people with computer related problems.

    Here's another web relic for you to wonder about as you wander about.

    http://members.shaw.ca/dts-l/default.htm

    The web needs a garbage collector, eh?
     
    FromTheRafters, Mar 11, 2012
    #16
  17. LOL

    [...]
     
    FromTheRafters, Mar 11, 2012
    #17
  18. Virus Guy

    G. Morgan Guest

    That's what should have happened to begin with. A buddy of mine got
    the DNS changer last summer and it took all of 10 minutes to
    diagnose, reconnect, and get the cleaner update.
     
    G. Morgan, Mar 12, 2012
    #18
  19. Virus Guy

    G. Morgan Guest

    You can make sure you're not infected by running MBAM.

    Then run:

    Domain Name Speed Benchmark

    Are your DNS nameservers impeding your Internet experience?
    A unique, comprehensive, accurate & free Windows (and Linux/Wine)
    utility to determine the exact performance of local and remote DNS
    nameservers . . .

    http://www.grc.com/dns/benchmark.htm

    Scans thousands of DNS servers and will report the fastest for your
    connection and whether or not it redirects misspellings to ads.
     
    G. Morgan, Mar 12, 2012
    #19
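A check for the NXDOMAIN redirection that post #4 describes and that the GRC benchmark in post #19 reports on, added here as an example and not code from the thread, from GRC or from any resolver operator. It builds a DNS query for a random name that cannot exist and classifies the reply: RCODE 3 (NXDOMAIN) means the resolver answered honestly; a NOERROR reply carrying an A record for such a name means the resolver is synthesizing answers, which is exactly the ad-redirect behaviour the Wikipedia excerpt lists. The two sample replies are constructed byte strings so the block runs offline; probe() sends a real query when handed a resolver address.

```python
import random
import socket
import struct


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """Minimal DNS query: header with RD set and one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def classify_response(raw, expected_txid=None):
    """Return NXDOMAIN, HIJACKED:<ips>, NODATA, MISMATCH or RCODE<n>."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    if expected_txid is not None and txid != expected_txid:
        return "MISMATCH"              # not our answer; ignore (also a spoofing tell)
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = _skip_name(raw, off) + 4
    a_records = []
    for _ in range(an):
        off = _skip_name(raw, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", raw[off:off + 10])
        off += 10
        rdata = raw[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0 and a_records:
        return "HIJACKED:" + ",".join(a_records)
    if rcode == 0:
        return "NODATA"
    return "RCODE%d" % rcode


def random_probe_name(tld="com"):
    """A label nobody registered; a resolver that answers it is making things up."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    label = "".join(random.choice(alphabet) for _ in range(16))
    return "%s-nxtest.%s" % (label, tld)


def probe(resolver_ip, timeout=3.0):
    """Live check (network): send one query to resolver_ip:53 and classify the reply."""
    name = random_probe_name()
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        raw, _ = s.recvfrom(4096)
    return name, classify_response(raw, txid)


# Constructed sample replies for the offline demonstration (192.0.2.10 is a
# documentation address standing in for an ISP's ad server).
QNAME = "a1b2c3d4e5f6a7b8-nxtest.com"
_Q = encode_name(QNAME) + struct.pack("!HH", 1, 1)
HONEST = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q          # RCODE 3
NODATA = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _Q          # RCODE 0, no answer
HIJACK = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q        # RCODE 0 + A record
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    for label, sample in (("honest", HONEST), ("nodata", NODATA), ("hijack", HIJACK)):
        print(label, "->", classify_response(sample, 0x1234))
```

Run probe("<your resolver>") against each resolver the machine is configured with; the transaction-ID check is kept because the same parser is useful for noticing answers that arrive for queries you never sent.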
  20. Virus Guy

    Virus Guy Guest

    A concept that went right over the heads of a lot of people here. Or at
    least the reason why you'd want to do that in this situation.
    Because the only clients hitting this DNS server are the ones infected
    with some specific malware. The PCs hitting this DNS server are part
    of a botnet that the feds took down last year. They are the only PCs
    using a special DNS server that was set up to replace a malicious
    server.

    And because they're using this special server, the authorities and
    white-hats know the rate at which these computers are getting cleaned up
    because they monitor the traffic hitting this server. As machines get
    cleaned up, they stop using this special DNS server and they use
    what-ever is appropriate for them (their isp's server, etc).
     
    Virus Guy, Mar 13, 2012
    #20
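One way to measure the clean-up rate from the replacement server's query logs, which is what post #20 says the authorities and white-hats do, added here as an example and not code from the thread or from the DNS Changer Working Group. The log format and the lines themselves are constructed (documentation addresses only); the block counts distinct client addresses per day and records when each client was last seen, since a client that stops querying the sinkhole is one that has been repointed or cleaned. Caveat: a NAT gateway, or an infected router of the kind IID counted, appears as one client however many hosts sit behind it, so these are lower bounds.

```python
from collections import defaultdict

# Constructed sinkhole query log: "<timestamp> <client IP> <qname> <qtype>".
SAMPLE_LOG = """\
2012-02-20T08:01:12Z 203.0.113.5 www.acme.com A
2012-02-20T08:01:13Z 203.0.113.5 mail.acme.com MX
2012-02-20T09:40:02Z 198.51.100.77 www.foxnews.com A
2012-02-20T11:22:45Z 203.0.113.200 www.microsoft.com A
2012-02-21T07:10:00Z 203.0.113.5 www.disney.com A
2012-02-21T12:00:09Z 198.51.100.77 www.acme.com A
2012-02-22T06:30:31Z 203.0.113.5 www.acme.com A
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return (day, client, qname, qtype) or None for a line that does not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    if "T" not in ts or client.count(".") != 3:
        return None
    return ts[:10], client, qname, qtype


def records(log_text):
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            yield rec


def clients_per_day(log_text):
    """Distinct client addresses seen each day: the remediation curve."""
    seen = defaultdict(set)
    for day, client, _, _ in records(log_text):
        seen[day].add(client)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def last_seen(log_text):
    """Most recent day each client queried the sinkhole."""
    last = {}
    for day, client, _, _ in records(log_text):
        if client not in last or day > last[client]:
            last[client] = day
    return last


def still_querying(log_text, as_of_day):
    """Clients that were still using the replacement resolver on as_of_day."""
    return {client for day, client, _, _ in records(log_text) if day == as_of_day}


if __name__ == "__main__":
    for day, n in clients_per_day(SAMPLE_LOG).items():
        print(day, n, "distinct clients")
    print("still infected on 2012-02-22:", sorted(still_querying(SAMPLE_LOG, "2012-02-22")))
```

Feed the per-day counts to whoever owns the address space (the ISP or the enterprise network team) and the last-seen table is the list of who still needs to be contacted before the cut-off date.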
