Is there a Trojan that changes XP DNS settings?
We have had a growing trickle of users contact us and tell us that when they go to one of our sites they get a blank screen or get hijacked to another site. After working with one user we found that even though he was in the US with a major ISP, his DNS settings were set to a DNS server in the Ukraine. When we checked out the IP addresses being provided by that DNS server for our URL, they were either blank or went to popup hell.
This is a new one on me, anyone know anything about this?
I have answered my own question
"This is why I recommend that most people simply re-format their PC when contaminated by most spyware. Note that all the software and settings listed below happened after two mouse clicks!

This morning, I examined a client's XP Professional PC. He'd accidentally clicked on and installed some spyware last Friday. He was on a Domain and had Power User credentials (big mistake). The same would happen to a non-Domain user who was logged in with Administrator rights (like 99.9% of home users). Along with the spyware, he got the following:

His DNS settings were reset to a Russian DNS server.*
BackOrifice was installed.
Several Trojans that grab passwords were installed.
A fake antispyware application (UnSpyPC) was installed.
A Trojan that installs NEW spyware was installed.
Symantec Antivirus was disabled by a setting in the Registry.
Multiple spyware and trojan programs were installed as "Run at boot" programs in the Registry.

Routine scans caught the following:

Microsoft's Malicious Software Removal Tool caught nothing.
Microsoft's Antispyware caught two (Trojan.Downloader.Small.Popcorn64 and PWS Pinch (password catcher)).
Spybot S&D 1.4 caught (and supposedly removed) 53 items, including CoolWWWSearch and a dozen other major adware, spyware, and trojan applications.
HiJackThis 1.99 showed me the BackOrifice, plus three or four more trojans.

What a mess. Yuck. We're copying data files to another PC and re-formatting.

WHOIS results for 85.255.114.50 (the new DNS server)
Generated by www.DNSstuff.com
Location: Belarus
Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

----------------------------------------------------------------------------

*Pay close attention to the resetting of the DNS services. This is REALLY nasty. It works this way: The client types in "www.wellsfargo.com" or "www.bankofamerica.com" in his browser (IE or whatever). Instead of going to the Qwest DNS server, his computer goes to the Russian DNS server to resolve the location of "www.wellsfargo.com" or "www.bankofamerica.com". The Russian DNS server sends the browser to a FAKE Russian site and a fake bank's web site comes up in the browser (ANY browser) and offers to serve him, stealing his account information in the process. There's NO way to know that you aren't in the 'real' site. You MANUALLY typed "www.wellsfargo.com" in the browser, so you figure you are safe.

Would most people catch the DNS reassignment? The only reason I noticed it was that I couldn't access an INTERNAL company web site (http://Companyweb, hosted by the company's SBS 2003 server). The PC was able to resolve other PCs on the network (via NetBIOS) and the Russian DNS server pointed to external web sites just fine. But you'd NEVER know it when that Russian DNS server decided to send your next web request to a fake site."
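As an added example (not from this thread or any poster), here is the check the quoted post did by hand, in Python: parse the `ipconfig /all` output of an XP host and flag any configured DNS server that falls outside the resolver ranges the host is expected to use. The adapter output and the expected ranges are constructed assumptions; the rogue address is the one the quoted post reports.

```python
import ipaddress
# Constructed sample of `ipconfig /all` output (assumed, not from the thread).
# The first resolver is the one the quoted post names; the second stands in for
# the internal SBS server. On a live host this text would come from `ipconfig /all`.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.20
        DNS Servers . . . . . . . . . . . : 85.255.114.50
                                            192.168.1.10
"""

# Assumed: resolvers this host may legitimately use (LAN resolver and the ISP's block).
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.1.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")]


def parse_dns_servers(ipconfig_text):
    """Return {adapter: [dns servers]}; extra servers sit on unlabeled continuation lines."""
    servers, adapter, in_dns = {}, None, False
    for raw in ipconfig_text.splitlines():
        line = raw.rstrip()
        if not line:
            in_dns = False
        elif not line.startswith(" ") and line.endswith(":"):   # adapter header
            adapter, in_dns = line[:-1], False
            servers[adapter] = []
        elif ":" in line:                                       # "Label . . . : value"
            label, _, value = line.partition(":")
            in_dns = label.strip(" .").lower() == "dns servers"
            if in_dns and adapter is not None and value.strip():
                servers[adapter].append(value.strip())
        elif in_dns and adapter is not None:                    # continuation line
            servers[adapter].append(line.strip())
    return servers


def rogue_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Flag (adapter, server) pairs outside the expected networks; unparsable values count as rogue."""
    flagged = []
    for adapter, ips in servers.items():
        for ip in ips:
            try:
                ok = any(ipaddress.ip_address(ip) in net for net in expected)
            except ValueError:
                ok = False
            if not ok:
                flagged.append((adapter, ip))
    return flagged
```

Run against the sample it reports the 85.255.114.50 entry on the LAN adapter and leaves the internal resolver alone; an empty result means every adapter points only at resolvers you chose.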
There is a virus for everything, I wouldn't be surprised...
Very aggressive spyware popping up everywhere. Unless your users are slightly tech savvy (and most infected with spyware aren't), they probably won't know what's going on. Someone recently mentioned to me how she was greeted with lots of popups and a different search engine when visiting google.com, thinking it was strange but nothing to worry about.
I caught a fuckwad fake TGP the other day trading traffic and infecting every single user. He is taking advantage of a sort of hole default setting on turbo traffic trader to fuck people over solid.
Go to the site, and BAM... three or four different hack attempts, the old Windows Media exploit, and a couple of others all in an attempt to take control of people's machines. Fucking assholes will make the internet as fucking useless as email is now.

Alex