Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

5/29/2011

DNS Redirect Attack

Filed under: Geek Work,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Horse which is around lunchtime or 12:34 pm for you boring, normal people.
The moon is Waning Gibbous

I’m seeing traffic about this, so I thought I’d write up what I found.

I tweeted about a strange DNS-based network/malware attack that I saw on Friday, but, at the time, I didn’t see any interest, so I didn’t go into any real details.  Besides, I may be a hardcore geek, but I do have a life and was going out.  But, now, I’m seeing search engine traffic hitting my blog apparently looking for details, so I thought I’d describe the attack, as I saw it.

First of all, let me mention that I’ve seen a higher-than-usual occurrence of malware infections the past couple of weeks.  I mean, it’s a hazard of my business that, sooner or later, people are going to get infected, either through bad behavior or by accident, but the past three weeks or so I’ve seen way more problems like that than is even remotely normal.  So, bearing that in mind, I’ve been on a kind of high-alert status looking for any malware problems, but this was something new.

It started with someone from another location, who’s on a totally, physically separate network which uses a different internet service provider to connect to the Internet, calling me with a problem.  It was, apparently, a recurrence of a virus he had previously that we cleaned.  He described being taken to a webpage that featured a maroon graphic background with a white icon of a policeman holding up his hand to indicate “stop”.  The text on the page gave a message that said the user’s browser was not the correct version to access the page and that an upgrade was required.  Helpfully, it provided a button to press to receive the “upgrade”.  Obviously, the “upgrade” was an infection.  (You can see an example of the graphic here.)  Thankfully, I trained my users well enough to be suspicious of these kinds of things and no one who reported this actually clicked on it.

About the same time this happened, I noticed that my iPhone wasn’t connecting to the wifi hotspot I have setup in my office.  I checked the configuration and noticed that the DNS servers listed were wrong.  In fact, they’d all been replaced with a single DNS server; 188.229.88.7  Obviously, that seemed suspicious to me, so I opened a command prompt on my PC and did a tracert to see if I could figure out where this server was and, from that, why it had become the default DNS server on part of my network, despite my having very carefully configured totally different DNS servers that I knew were safe.  It looked like the tracert results showed me a network path that led out of the country somewhere, which was, to me, very suspicious.

Before I could really pursue that, though, I got another call from a user at my location reporting the exact same error message and graphic, but going to a totally different website! I went to his computer and checked the IP configuration and found that his DNS servers had been replaced by the rogue server as well.  I refreshed his network config, several times actually, and the DNS servers reset, but, when I thought to check some other people in the same area of the building, his configuration set itself back to the rogue DNS server!  So, I reset the local network equipment to clear the DNS cache, and whatever other caches may have gotten poisoned by this attack, and the problem seemed to go away.  Unfortunately, whatever had caused the compromise was still active and seemed to poison the DNS cache and the DNS configuration again.  It did seem sporadic, though, as if the ISP was trying to correct the issue at their end.

As far as I can tell, the attack actually seemed to be network-based in some way.
At least, I couldn’t find any computer on my network that was infected with anything that AVG, Norton Anti-virus, or Malware Bytes could find.  It is, I suppose, possible, that this attack was so new that no of those programs had an updated detection pattern for it, but, based on the lack of detection, and the fact that it happened on two physically separate networks almost simultaneously, leads me to believe that this was a network-based attack.  I suspect that an ARP cache or DNS cache or something similar was attacked and compromised on a major network router somewhere.  Possibly one of the edge routers at a trans-continental connection somewhere.  From the tracert results I had, it looked like it was the East Coast somewhere, leading to Europe via London to France, though I could be wrong.  It’s possible that was a blind alley meant to throw researchers off the trail in some way.
Also, as of this writing the rogue DNS server seems to be out of commission, though that might change, too.

The Internet is a wild and wooly place, ladies and gents, and you can’t always count on your friendly, neighborhood Network Geek to watch over you and keep you safe!  So, be careful out there!
(And, if you’re a fellow professional who’s seen this, too, leave me comments and tell me what you found!)
UPDATE: Looks like the server is still active, but my ISP has blocked DNS traffic to it, to fix the problem.
Also?  I hate the bastards that do these things.  I hate every last one of the little rat bastards!

UPDATE/FOLLOW-UP: So, it seems like a lot of people have been effected by this problem!
Check the comments for what other folks did and tools they might suggest to help with the problem.  Frankly, I wish I’d had known about those tools when I started my day!  Yes, I was *totally* wrong when I said it looked like it was coming in from outside the routers.  It was, in fact, *several* PCs that were infected with whatever it was.  I found it, much like at least one commenter, by checking the results of “ipconfig /all” in a command prompt.  I noticed that the DHCP server listed in the config was NOT my actual DHCP server!  So, as I went from machine to machine, I saw several PCs that kept coming up as DHCP servers.  I used Malware Bytes to scan the infected PCs and it seemed to clean them off.  At least, for now.  I’m not sure what I’ll find in the morning.
Apparently, Friday, when it looked like the problem was getting cleaned up, it was really just people shutting their workstations down early for the long weekend.
In any case, as at least one commenter has mentioned, it looks like updates for the various scanners should be coming out this week, so keep updating your antivirus and antispyware programs and scan your networks!  Well, scan them more completely and carefully than you already have.
And, as always, if you have any new information or suggestions for tools to clear up the issue, please, leave them in the comments!

1/6/2004

Netware 3.2!

Filed under: Career Archive,Deep Thoughts,Geek Work,Novell — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:00 am for you boring, normal people.
The moon is Waning Gibbous

WOW! Talk about a blast from the past!

So, I’m just sittin’ there, minding my own business, trying to look casual while reading e-mail and the boss walks in and starts firing questions about Netware licensing at me. Naturally, I’m suspicious from the start, but I listen and answer questions as best I can.
Not too long ago, we bought a company on the East Coast that had, well, an “interesting” mix of technology in their IT department. It seems a couple of these sites are have problems with the number of licensed connections available. The office has about 30 people, but they only have a 10 user license. Talk about 10lbs. of crap and a 5lbs. bag. But, wait, it gets better!! They’re running, yep, you guessed it, Netware 3.2. Oh, God, what did I do in a past life to deserve this?
Well, wailing and gnashing of teeth aside, I’m gonna’ have to deal with this. Somehow. Without spending any money. Yeah, right.
So, I dig into Uncle Jim’s Magical Bag O’ Tricks™ and pull out not one, but two copies of unserialized server.exe that I had from way, way back by way of a guy who was a developer at a Novell channel partner or some such. (Don’t worry, he’s since turned rogue and been seduced by the Evil Micro$oft Empire, so I’m not getting him in trouble.) But, you know what? The boss says to me, “That just doesn’t sound ‘right’.”
What’s this? A boss who actually cares about doing things the Right Way™ ? Whoda’ thunk it!
So, the work may not always be challenging and the pay can always be better, but at least I have a pretty damn good boss these days. That’s something. Hell, somedays, it’s the only thing.


Powered by WordPress
Any links to sites selling any reviewed item, including but not limited to Amazon, may be affiliate links which will pay me some tiny bit of money if used to purchase the item, but this site does no paid reviews and all opinions are my own.