Feds shift DNSChanger cut-off deadline to July

Discussion in 'Anti-Virus' started by Virus Guy, Mar 10, 2012.

  1. But *now* you're talking about a web server.

    FromTheRafters, Mar 13, 2012

  2. Virus Guy

    Peter Foldes Guest


    Peter Foldes, Mar 13, 2012

  3. Virus Guy

    Whoever Guest

    I understood all of that perfectly well but it has nothing to do with
    my question. Perhaps I didn't state it well. I'll try to reword it to
    make it clearer.

    As I understand it, you are describing two entirely separate
    transactions using the internet. The first one is a request to a DNS
    server to resolve a URL to an IP address. The IP address of the DNS
    server itself is already known and set in the compromised computer. In
    your example it was changed to by the DNSChanger to form the
    botnet. So the compromised computer sends a request to
    (assumedly on port 53) to resolve the URL www.acme.com to an IP address.
    The DNS server then returns (in your example) as the IP address
    for www.acme.com to the compromised computer. The compromised computer
    then opens a completely separate request to (assumedly on port
    80) looking for the web server.

    Here is where I'm having trouble understanding what you are suggesting.
    How does that web server _know_ that this particular request is
    expecting to receive the web page actually hosted at www.acme.com? You
    seem to be suggesting that each response from the DNS server is somehow
    "tagged" to identify the desired URL (www.acme.com) back to the
    compromised computer. As far as I know, a DNS server cannot do that.
    Even if you hacked the server to append such "tag data" onto the
    response (i.e. "") the compromised computer
    wouldn't know what to do with the "extra" data and would not be able to
    use it. Perhaps I'm wrong though. I don't know that much about the
    internal workings of DNS clients and it's been a long time since I
    looked over the RFCs for DNS resolution.

    Even if you could do such a thing and get it to somehow work for web
    pages, I have serious reservations about how other apps would react to
    that solution. For instance, when you're using DNS to resolve for things
    like time servers, IM servers, email servers, NNTP servers, update
    servers of all sorts, etc. Do you just treat them all as if they were
    web page address requests?
    Whoever, Mar 13, 2012
  4. The point is that since all dns requests coming to that name server
    are coming from infected clients, it would be easy to have that dns
    server only reply with valid addresses for sites useful in removing
    the trojan, and reply with an ip address that leads to a web
    server that only shows an instruction page, for all other requests.

    Regards, Dave Hodgins
    David W. Hodgins, Mar 14, 2012
  5. Virus Guy

    Whoever Guest

    I understood that as well. It would be simple for the DNS servers to
    route all requests to the equivalent of a 404 error page with
    instructions on getting help. It would, of course, break non-http DNS
    requests and disable things like smtp, pop, imap, nntp, etc. but most
    users would probably figure it out pretty quickly.

    What I was wondering about was how VG intended to implement his idea
    which was somewhat different. He was going to use the DNS servers to
    route the requests to a web server (as above) but that server would then
    show the originally requested web page (www.acme.com in his example) but
    with the equivalent of a banner ad on the page with instructions on
    fixing their DNS. While it would be easy to have the web server build
    such a page with content from another server and a customized banner ad,
    I'm having trouble understanding how he would pass the URL of the
    originally requested page to the temporary web server from the original
    DNS request.
    Whoever, Mar 14, 2012
  6. Virus Guy

    Virus Guy Guest

    You don't know from the DNS request what the client machine has in mind
    (http, https, ftp, smtp, pop, etc).

    If the client wants to do anything other than a few protocols (http,
    https, maybe ftp) then it's true that there's no way to make a message
    appear in front of the user's eyeballs.

    The odds are that it's going to be http or https (probably 95%

    So you always return a result of anyways.

    If the infected machine comes back and tries to hit your server located
    at on a port other than HTTP/HTTPS, then there's no clear
    strategy - things become more complicated.

    You're trying to act as the infected machine's DNS server and it's
    Gateway, but I guess it really can work only for http or https.

    Remember that when you look at an HTTP request, the full url (including
    the FQDN of the target host) is included in the request. That's because
    any given web-server can host dozens of websites, so for it to know
    which web-site to serve up the entire URL is included in the http get
    request by the client.

    It's possible that the same http server can serve up a completely
    different website for acme.com and www.acme.com if it wants to.
    Virus Guy, Mar 15, 2012
  7. The bottom line is when you shut them down, they'll get the message.
    FromTheRafters, Mar 15, 2012
  8. Virus Guy

    Dustin Guest

    I think you owe several people an apology... We tried to explain this to
    Dustin, Mar 15, 2012
  9. Virus Guy

    Virus Guy Guest

    You made no such explanation, with your hahe's and lol's.

    My idea for the surrogate DNS server would allow those machines to
    function most of the time *AND* give their owners the message that their
    machine is infected (by way of html meddling).

    But what IS happening is that the surrogate DNS server is NOT giving
    those owners any message at all.

    If you're going to operate a temporary surrogate DNS server in the first
    place -> you tell me which strategy is better.
    Virus Guy, Mar 15, 2012
  10. Virus Guy

    Dustin Guest

    Well, I did. I laughed a bit at you too, but in fairness; I did tell you
    to google how a DNS server really worked. At that point, you called me a
    dumbass and proceeded to confuse web server for DNS server with your

    Btw, had you not been such an arse about my humour, I'd likely explain
    in theory how you actually could have the web and DNS servers working
    together to pull off your nasty. They'd have two IPs, one internal, one
    external. Wouldn't take a rocket scientist to figure out what needs to
    be done next.
    Your idea? You invented the DNS system? :)
    Of course not. It's resolving names to IP's, that's er, it's job.
    Many clients that expect, IP data in response will not be all that
    impressed if they get a url instead. :) I could just see xnews, pegasus,
    or pidgin going "WTF?" and showing me the debug windows. lol
    My take on it is this...

    I personally think the machine should remain offline until a competent
    individual can repair the damage and setup security policies to keep it
    from happening again.

    As it will no longer have working DNS on its own, the malware will have
    to bring its own server list, or, the machine is dead in the water and
    no longer poses much threat to other systems. As its owner either
    doesn't know, OR more likely doesn't care, the internet loses nothing
    with their departure. It gains.

    When the owner gets a bill, they'll pay slightly more attention. I'm
    tired of irresponsible people. Not holding them liable only increases
    the problem.
    Dustin, Mar 15, 2012
  11. I agree, the malware did the ... er ....corruption and took over the
    resolution. It would have been okay with me if the authorities just
    took down the servers instead of taking over the servers. Any loss
    incurred would be due to the malware, not to the fact that the servers
    were taken down. Even now, like I said in another post, take 'em down
    and the users will get the message.
    FromTheRafters, Mar 15, 2012
  12. Virus Guy

    Whoever Guest

    Ahhh... found it. Thanks for the info! The thing that was confusing me
    was that the standard GET request only includes the path to the URI, not
    the domain name. Nothing using a regular GET request would work in your
    example. I was unaware that web browsers typically include an extra
    "Host:" field in their GET requests which includes the domain name. With
    that info your example would work, albeit only for web browsers.
    Whoever, Mar 15, 2012
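The mechanism Virus Guy describes in post 6 and Whoever confirms in post 12, as an added Python example that is not code from the thread: a web server sitting at the address the surrogate DNS hands out can recover the intended FQDN only from the HTTP request itself (request line or Host: header), which is why the notice idea is limited to plain HTTP. The sample request, hostnames and the intended_host/sinkhole_action functions are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample request, of the kind a browser sends after the surrogate
# DNS has answered www.acme.com with the sinkhole's address.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.acme.com\r\n"
    b"\r\n"
)


def intended_host(raw_request: bytes) -> Optional[str]:
    """Return the FQDN the client actually wanted, or None if the request does not say.

    The DNS answer carried only an address, so the name must come from one of the
    two places HTTP puts it: the Host: header (HTTP/1.1 browsers always send it) or
    an absolute-form request target such as "GET http://www.acme.com/ HTTP/1.1".
    A bare HTTP/1.0 request without Host:, or a non-HTTP client (smtp, pop, nntp...),
    gives the sinkhole nothing to go on, which is the gap the posts above discuss.
    """
    try:
        head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # request line is not HTTP at all
    target = parts[1]
    if target.lower().startswith(("http://", "https://")):
        return urlsplit(target).hostname  # absolute-form target, proxy style
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            # "//" prefix lets urlsplit strip an optional :port and lowercase the name
            return urlsplit("//" + value.strip()).hostname
    return None


def sinkhole_action(dst_port: int, raw_request: bytes) -> str:
    """What a sinkhole listener can do with one connection, following the thread:
    a notice can be shown only for plain HTTP; HTTPS would need a certificate for
    the real name, and mail/news/IM clients expect their own protocol, not HTML."""
    if dst_port != 80:
        return "no-message"
    host = intended_host(raw_request)
    if host is None:
        return "generic-instructions"
    return f"instructions-for:{host}"
```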
  13. Indeed! LOL - cue the crickets.
    FromTheRafters, Mar 16, 2012
  14. IAWTP

    Except for the part about apologizing for reacting to Bear's 'you and
    your ilk' remark. I really don't think an apology should be cheaply
    given away. It got me some punishment as a teen when I refused to
    apologize for something that I was not sorry that I had said. Life just
    isn't fair. :eek:D
    FromTheRafters, Mar 16, 2012
  15. We'll see ... if things come as naturally to him.
    FromTheRafters, Mar 16, 2012
  16. Virus Guy

    Peter Foldes Guest

    Why ???
    Why??? Does he owe you money for the beer ???
    Just exactly who are these Folk??? What big mistakes??? Name the folk you are
    referring to. Jenn and Eagle do not count.

    Peter Foldes, Mar 16, 2012
  17. I sure did.
    I 'consider' that to be a safe bet.
    Can't tell him *anything*, he already knows it all.
    FromTheRafters, Mar 16, 2012
  18. I'm curious, was it a post that I ignored, or one that I missed?
    FromTheRafters, Mar 16, 2012
  19. Oh - I might have ignored it so that it wouldn't start an off topic

    ....how'd *that* work out?
    FromTheRafters, Mar 16, 2012
  20. Virus Guy

    Dustin Guest

    Seems I'm not alone in how I think or act.. :)
    Dustin, Mar 17, 2012