#1
Confirmed User
Join Date: Oct 2002
Location: Under the Rainbow
Posts: 2,731
Is there a Trojan that changes XP DNS settings?
We have had a growing trickle of users contact us and tell us that when they go to one of our sites they get a blank screen or get hijacked to another site. After working with one user we found that even though he was in the US with a major ISP, his DNS settings were set to a DNS server in the Ukraine. When we checked out the IP addresses being provided by that DNS server for our URL, they were either blank or went to popup hell.
This is a new one on me, anyone know anything about this?
#2
:glugglug
Join Date: Mar 2003
Location: Where the Wild Things Are
Posts: 26,118
#3
Confirmed User
Join Date: Oct 2002
Location: Under the Rainbow
Posts: 2,731
I have answered my own question
"This is why I recommend that most people simply re-format their PC when contaminated by most spyware. Note that all the software and settings listed below happened after two mouse clicks!

This morning, I examined a client's XP Professional PC. He'd accidentally clicked on and installed some spyware last Friday. He was on a Domain and had Power User credentials (big mistake). The same would happen to a non-Domain user who was logged in with Administrator rights (like 99.9% of home users). Along with the spyware, he got the following:

His DNS settings were reset to a Russian DNS server.*
BackOrifice was installed.
Several Trojans that grab passwords were installed.
A fake antispyware application (UnSpyPC) was installed.
A Trojan that installs NEW spyware was installed.
Symantec Antivirus was disabled by a setting in the Registry.
Multiple spyware and trojan programs were installed as "Run at boot" programs in the Registry.

Routine scans caught the following:

Microsoft's Malicious Software Removal Tool caught nothing.
Microsoft's Antispyware caught two (Trojan.Downloader.Small.Popcorn64 and PWS Pinch (password catcher)).
Spybot S&D 1.4 caught (and supposedly removed) 53 items, including CoolWWWSearch and a dozen other major adware, spyware, and trojan applications.
HiJackThis 1.99 showed me the BackOrifice, plus three or four more trojans.

What a mess. Yuck. We're copying data files to another PC and re-formatting.

WHOIS results for 85.255.114.50 (the new DNS server)
Generated by www.DNSstuff.com
Location: Belarus
Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

----------------------------------------------------------------------------

*Pay close attention to the resetting of the DNS services. This is REALLY nasty. It works this way: The client types in "www.wellsfargo.com" or "www.bankofamerica.com" in his browser (IE or whatever). Instead of going to Qwest DNS server, his computer goes to the Russian DNS server to resolve the location of "www.wellsfargo.com" or "www.bankofamerica.com". The Russian DNS server sends the browser to a FAKE Russian site and a fake bank's web site comes up in the browser (ANY browser) and offers to serve him, stealing his account information in the process. There's NO way to know that you aren't in the 'real' site. You MANUALLY typed, "www.wellsfargo.com" in the browser, so you figure you are safe. Would most people catch the DNS reassignment? The only reason I noticed it was that I couldn't access an INTERNAL company web site (http://Companyweb, hosted by the company's SBS 2003 server). The PC was able to resolve other PCs on the network (via NetBIOS) and the Russian DNS server pointed to external web sites just fine. But you'd NEVER know it when that Russian DNS server decided to send your next web request to a fake site."
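A defender-side check for the hijack the quoted post describes, as an added example that is not part of the thread: it parses constructed `ipconfig /all` output for the configured DNS servers, flags any outside the resolver ranges the network is expected to use (hypothetical ranges), and compares a suspect resolver's answers against a trusted resolver's so a silently redirected bank domain stands out. The resolver ranges and the answer sets are constructed; only the 85.255.114.50 address comes from the thread.

```python
"""Added example (not from the thread): spot a hijacked resolver configuration.
Check 1 parses `ipconfig /all` output and flags DNS servers outside the resolvers
the network is expected to use; check 2 compares a suspect resolver's answers with
a trusted resolver's so a silently redirected bank domain stands out."""
import ipaddress
import re

# Hypothetical resolver ranges this network should be using (constructed).
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.1.0/24"),
                      ipaddress.ip_network("203.0.113.0/24")]

# Constructed `ipconfig /all` excerpt in the XP layout; the first DNS server is
# the foreign resolver quoted in the thread, the second is the local router.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.37
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.114.50
                                            192.168.1.1
"""

# Constructed answer sets (TEST-NET addresses): trusted resolver versus suspect.
TRUSTED_ANSWERS = {"www.wellsfargo.com": ["198.51.100.10"],
                   "www.example.com": ["198.51.100.20"]}
SUSPECT_ANSWERS = {"www.wellsfargo.com": ["192.0.2.66"],   # redirected to a fake
                   "www.example.com": ["198.51.100.20"]}

def parse_dns_servers(ipconfig_text):
    """Return the addresses listed under 'DNS Servers', including wrapped lines."""
    servers, in_dns_block = [], False
    for line in ipconfig_text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*: *(\S+)", line)
        if first:
            servers.append(first.group(1))
            in_dns_block = True
        elif in_dns_block and re.match(r"\s+\d+\.\d+\.\d+\.\d+\s*$", line):
            servers.append(line.strip())
        else:
            in_dns_block = False
    return servers

def unexpected_resolvers(servers, allowed=EXPECTED_RESOLVERS):
    """DNS servers outside the expected ranges: the hijack indicator."""
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in allowed)]

def mismatched_answers(suspect, trusted):
    """Names whose A records differ between the suspect and trusted resolver."""
    return sorted(n for n in trusted if set(suspect.get(n, ())) != set(trusted[n]))
```

On a real machine the same two functions take the live `ipconfig /all` output and the answers from a known-good resolver; any name that lands in `mismatched_answers` is where the post's fake-bank scenario would play out.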
#4
8.8.8.8
Join Date: Mar 2006
Location: Noordermarkt
Posts: 30,509
there is a virus for everything, I wouldn't be surprised..
__________________
TAEMDLRMSKRJIXMRLSMRJ.
#5
Registered User
Join Date: May 2006
Posts: 46
Very aggressive spyware popping up everywhere. Unless your users are slightly tech savvy (and most infected with spyware aren't), they probably won't know what's going on. Someone recently mentioned to me how she was greeted with lots of popups and a different search engine when visiting google.com, thinking it was strange but nothing to worry about.
#6
So Fucking Banned
Join Date: Oct 2003
Location: In a house.
Posts: 9,465
I caught a fuckwad fake TGP the other day trading traffic and infecting every single user. He is taking advantage of a sort of hole default setting on turbo traffic trader to fuck people over solid.
Go to the site, and BAM... three or four different hack attempts, the old Windows Media exploit, and a couple of others, all in an attempt to take control of people's machines. Fucking assholes will make the internet as fucking useless as email is now. Alex