New Exploit

Discussion in 'Windows Desktop Systems' started by Invision, Oct 1, 2003.

  1. Invision

    Invision Guest

    I've been getting multiple workstations on my network where the DNS settings are being changed by malicious code.

    I didn't find anything at Symantec or Microsoft, but I found this on ARIN WHOIS search:

    http://ws.arin.net/cgi-bin/whois.pl

    Search results for: 69.57.146.14
    OrgName: Everyones Internet, Inc.
    OrgID: EVRY
    Address: 2600 Southwest Frwy., Suite 500
    City: Houston
    StateProv: TX
    PostalCode: 77098
    Country: US

    NetRange: 69.57.128.0 - 69.57.159.255
    CIDR: 69.57.128.0/19
    NetName: EVRY-BLK-13
    NetHandle: NET-69-57-128-0-1
    Parent: NET-69-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.EV1.NET
    NameServer: NS2.EV1.NET
    Comment:
    RegDate: 2003-06-20
    Updated: 2003-07-02

    TechHandle: RW172-ARIN
    TechName: Williams, Randy
    TechPhone: +1-713-400-5400
    TechEmail: admin@ev1.net

    OrgTechHandle: RW172-ARIN
    OrgTechName: Williams, Randy
    OrgTechPhone: +1-713-400-5400
    OrgTechEmail: admin@ev1.net

    # ARIN WHOIS database, last updated 2003-09-30 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    Search results for: 69.57.147.175
    OrgName: Everyones Internet, Inc.
    OrgID: EVRY
    Address: 2600 Southwest Frwy., Suite 500
    City: Houston
    StateProv: TX
    PostalCode: 77098
    Country: US

    NetRange: 69.57.128.0 - 69.57.159.255
    CIDR: 69.57.128.0/19
    NetName: EVRY-BLK-13
    NetHandle: NET-69-57-128-0-1
    Parent: NET-69-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.EV1.NET
    NameServer: NS2.EV1.NET
    Comment:
    RegDate: 2003-06-20
    Updated: 2003-07-02

    TechHandle: RW172-ARIN
    TechName: Williams, Randy
    TechPhone: +1-713-400-5400
    TechEmail: admin@ev1.net

    OrgTechHandle: RW172-ARIN
    OrgTechName: Williams, Randy
    OrgTechPhone: +1-713-400-5400
    OrgTechEmail: admin@ev1.net

    # ARIN WHOIS database, last updated 2003-09-30 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    And here is the tracert data:

    C:\>tracert 69.57.146.14

    Tracing route to 69.57.146.14 over a maximum of 30 hops

    1 <10 ms <10 ms <10 ms 10.22.2.3
    2 <10 ms 15 ms <10 ms 10.22.14.5
    3 16 ms <10 ms <10 ms 10.90.248.14
    4 <10 ms <10 ms <10 ms 10.90.250.90
    5 <10 ms <10 ms <10 ms 10.90.250.126
    6 <10 ms <10 ms <10 ms 10.90.250.157
    7 16 ms 15 ms 16 ms 10.90.253.201
    8 16 ms 15 ms 31 ms 10.241.7.37
    9 31 ms 31 ms 32 ms 10.241.7.97
    10 32 ms 31 ms 31 ms col-01-dir.msdwis.com [172.28.129.11]
    11 16 ms 15 ms 16 ms fw-col-01.msdwis.com [204.115.161.61]
    12 32 ms 31 ms 31 ms 4.17.247.193
    13 31 ms 32 ms 15 ms fa0-0.deanwitter8.bbnplanet.net [4.17.247.98]
    14 47 ms 47 ms 31 ms s5-0-4.chcgil1-cr1.bbnplanet.net [4.24.149.13]
    15 15 ms 32 ms 31 ms p5-0.chcgil1-br1.bbnplanet.net [4.24.5.241]
    16 31 ms 31 ms 31 ms so-3-0-0.chcgil2-br1.bbnplanet.net [4.24.9.69]
    17 32 ms 31 ms 31 ms unknown.Level3.net [64.159.4.1]
    18 47 ms 47 ms 47 ms gige8-0.hsipaccess1.Chicago1.Level3.net [64.159.1.222]
    19 31 ms 47 ms 47 ms unknown.Level3.net [166.90.80.38]
    20 47 ms 32 ms 31 ms core-01-ge-0-2-0-0.chcg.twtelecom.net [66.192.244.40]
    21 78 ms 62 ms 78 ms core-01-so-2-3-0-0.dlfw.twtelecom.net [168.215.53.46]
    22 63 ms 78 ms 78 ms core-02-ge-0-2-1-3.dlfw.twtelecom.net [66.192.246.69]
    23 63 ms 78 ms 78 ms dist-01-so-0-0-0-0.hsto.twtelecom.net [168.215.53.62]
    24 78 ms 78 ms 78 ms 168.215.172.45
    25 63 ms 62 ms 63 ms 216.54.253.2
    26 63 ms 62 ms 63 ms 207.218.245.42
    27 78 ms 94 ms 78 ms 69.57.146.14

    Trace complete.

    C:\>tracert 69.57.147.175

    Tracing route to 69.57.147.175 over a maximum of 30 hops

    1 <10 ms <10 ms <10 ms 10.22.2.3
    2 <10 ms <10 ms <10 ms 10.22.14.5
    3 <10 ms <10 ms <10 ms 10.90.248.14
    4 <10 ms <10 ms <10 ms 10.90.250.90
    5 <10 ms <10 ms 16 ms 10.90.250.126
    6 <10 ms <10 ms <10 ms 10.90.250.157
    7 16 ms 16 ms 31 ms 10.90.253.201
    8 31 ms 16 ms 31 ms 10.241.7.37
    9 31 ms 32 ms 31 ms 10.241.7.97
    10 31 ms 31 ms 31 ms col-01-dir.msdwis.com [172.28.129.11]
    11 31 ms 16 ms 31 ms fw-col-01.msdwis.com [204.115.161.61]
    12 47 ms 31 ms 47 ms 4.17.247.193
    13 16 ms 16 ms 31 ms fa0-0.deanwitter8.bbnplanet.net [4.17.247.98]
    14 47 ms 47 ms 47 ms s5-0-4.chcgil1-cr1.bbnplanet.net [4.24.149.13]
    15 31 ms 31 ms 31 ms p5-0.chcgil1-br1.bbnplanet.net [4.24.5.241]
    16 31 ms 31 ms 32 ms so-3-0-0.chcgil2-br1.bbnplanet.net [4.24.9.69]
    17 47 ms 31 ms 32 ms unknown.Level3.net [64.159.4.1]
    18 47 ms 32 ms 46 ms gige8-0.hsipaccess1.Chicago1.Level3.net [64.159.1.222]
    19 46 ms 47 ms 32 ms unknown.Level3.net [166.90.80.38]
    20 32 ms 46 ms 32 ms core-01-ge-0-2-0-0.chcg.twtelecom.net [66.192.244.40]
    21 63 ms 78 ms 63 ms core-01-so-2-3-0-0.dlfw.twtelecom.net [168.215.53.46]
    22 78 ms 63 ms 78 ms core-02-ge-0-2-1-3.dlfw.twtelecom.net [66.192.246.69]
    23 78 ms 78 ms 78 ms dist-01-so-0-0-0-0.hsto.twtelecom.net [168.215.53.62]
    24 78 ms 78 ms 62 ms 168.215.172.45
    25 63 ms 62 ms 63 ms 216.54.253.2
    26 63 ms 62 ms 78 ms 207.218.245.42
    27 78 ms 78 ms 79 ms 69.57.147.175

    Trace complete.

    Also, in a browser these two IPs resolve to a default Apache test page.

    Anyone else having this problem?
     
  2. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    We have had a couple reports of this on a few PCs here in our offices.
     
  3. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,333
    Location:
    new york
    As discovered by mosaic1:

    You can create an alternative location for the hosts file and use it. Look under
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    for this expandable string value:
    DataBasePath

    The default is

    %SystemRoot%\System32\drivers\etc

    Change that to a new path and open a new IE window.

    My hosts file in drivers\etc was ignored.
     
  4. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    This does not affect your HOSTS file. It is a change to the DNS settings on the PC.
     
  5. Invision

    Invision Guest

    True, but the process might be the same.
     
  6. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    This problem can be fixed by reselecting DHCP for your DNS settings. It resets the registry hive and removes the static DNS addresses. That is all you must do. I am still curious to find out where this is coming from, though.
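    An added example, not code from the thread or from any of its posters: a PowerShell audit of the two settings discussed in the posts above, the DataBasePath value and the per-interface static NameServer values, with a helper that reverts an interface to DHCP-assigned DNS. It assumes an elevated PowerShell session on a Windows client; the rogue addresses are the two reported in the first post.

```powershell
# Added example, not from the thread: audit the DNS-related registry settings the
# posts above discuss and optionally revert a hijacked interface to DHCP DNS.
# Assumes an elevated PowerShell session. The two addresses are the rogue
# resolvers reported in the first post.
$RogueDns  = @('69.57.146.14', '69.57.147.175')
$TcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$IfaceKey  = "$TcpipKey\Interfaces"
$DefaultDb = '%SystemRoot%\System32\drivers\etc'

function Test-HostsPath {
    # DataBasePath is REG_EXPAND_SZ; read it unexpanded so a redirect is visible.
    $raw = (Get-Item $TcpipKey).GetValue('DataBasePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    [pscustomobject]@{ Path = $raw; Suspicious = ($raw -ne $DefaultDb) }
}

function Get-StaticDns {
    # A non-empty NameServer value overrides DHCP-supplied resolvers for that
    # interface; that is what the hijack sets and what "reselect DHCP" clears.
    Get-ChildItem $IfaceKey | ForEach-Object {
        $ns = (Get-ItemProperty $_.PSPath).NameServer
        if ($ns) {
            $list = @($ns -split '[ ,]+' | Where-Object { $_ })
            [pscustomobject]@{
                Interface  = $_.PSChildName
                NameServer = $list
                Rogue      = [bool]($list | Where-Object { $RogueDns -contains $_ })
            }
        }
    }
}

function Reset-DnsToDhcp {
    # Same effect as reselecting "obtain DNS server address automatically":
    # clear the static value so the interface falls back to DHCP resolvers.
    param([Parameter(Mandatory)][string]$InterfaceGuid)
    Set-ItemProperty -Path "$IfaceKey\$InterfaceGuid" -Name NameServer -Value ''
    ipconfig /flushdns | Out-Null
    # On current Windows the supported equivalent is:
    #   Set-DnsClientServerAddress -InterfaceIndex <n> -ResetServerAddresses
}

$hosts = Test-HostsPath
if ($hosts.Suspicious) { Write-Warning "DataBasePath redirected to: $($hosts.Path)" }
foreach ($i in Get-StaticDns) {
    $tag = if ($i.Rogue) { 'ROGUE' } else { 'static' }
    Write-Output ("{0} DNS on {1}: {2}" -f $tag, $i.Interface, ($i.NameServer -join ', '))
    # Uncomment to remediate:  Reset-DnsToDhcp -InterfaceGuid $i.Interface
}
```

    Any interface that legitimately uses static DNS will also be listed as "static"; only entries flagged ROGUE match the addresses from this thread.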
     
  7. Enyo

    Enyo Moderator

    Messages:
    1,338
    I am currently aware of something that may be related; however, I have no information regarding a new exploit of this nature.

    I will look into it a little more.
     
  8. Invision

    Invision Guest

    Check this out:

    ****************

    Hijacking is a type of network security attack in which the attacker takes control of a communication - just as an airplane hijacker takes control of a flight - between two entities and masquerades as one of them. In one type of hijacking (also known as a man in the middle attack), the perpetrator takes control of an established connection while it is in progress. The attacker intercepts messages in a public key exchange and then retransmits them, substituting their own public key for the requested one, so that the two original parties still appear to be communicating with each other directly. The attacker uses a program that appears to be the server to the client and appears to be the client to the server. This attack may be used simply to gain access to the messages, or to enable the attacker to modify them before retransmitting them.
    Hijacking is also used to make it appear that one or more Web sites have been taken over. There are two different types of domain name system (DNS) hijacking. In one, the attacker gains access to DNS records on a server and modifies them so that requests for the genuine Web page will be redirected elsewhere - usually to a fake page that the attacker has created. This gives the impression to the viewer that the Web site has been compromised, when in fact, only a server has been. In February 2000, an attacker hijacked RSA Security's Web site by gaining access to a DNS server that was not controlled by RSA. By modifying DNS records, the attacker diverted requests to a spoof Web site. It appeared to users that an attacker had gained access to the actual RSA Web site data and changed it - a serious problem for a security enterprise. This type of hijacking is difficult to prevent, because administrators control only their own DNS records, and have no control over upstream DNS servers. In the second type of DNS hijack, the attacker spoofs valid e-mail accounts and floods the inboxes of the technical and administrative contacts. This type of attack can be prevented by using authentication for InterNIC records.

    In another type of Web site hijack, the perpetrator simply registers a domain name similar enough to a legitimate one that users are likely to type it, either by mistaking the actual name or through a typo. This type of hijack is currently being employed to send many unwary citizens to porn sites when they were attempting to visit official Web

    *************

    Still looking into it.
     
  9. Enyo

    Enyo Moderator

    Messages:
    1,338
    The two systems' rap sheets:

    http://www.mynetwatchman.com/LID.asp?IID=48971313
    http://www.mynetwatchman.com/LID.asp?IID=49109307

    While I'm aware of several trojans and other malware that hijack DNS settings, I am not aware of a present exploit to this end; there is nothing of this type around on the security/insecurity sites.

    Please verify the systems are clean of the usual suspects. Please also note there appear to be a couple of currently undetected DDoS tools in circulation that may cause this behaviour. I suggest you check in depth any systems displaying this behaviour and not rely on automated detection tools.

    Traffic to DNS servers should be limited to your ISP DNS server(s) using your firewall solution.
     
  10. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    I can add this. Where I work we run a very paranoid network. All of our PCs are kept within 2 weeks of all security patches, Norton is managed and running on all of our PCs and up to date. We run Websense and block out as much content as we can. We do not have any unnecessary ports open. We run Lotus Notes and have Outlook disabled through GPO. The only way I can see that this may have gotten on our network would be through an attachment. Our users do not have rights to be able to install files in system-critical parts of the OS. None of the users have actually fessed up to opening attachments, but that would have to be the only way.
     
  11. Enyo

    Enyo Moderator

    Messages:
    1,338
    I am not saying that's the cause. I am just thinking out loud. I would, however, imagine it is a binary that makes the changes rather than an OS exploit.

    I have just got some new info about this.

    http://article.gmane.org/gmane.comp.security.ntbugtraq/974

    http://tinyurl.com/pcqf
     
  12. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    I know that this much is done....

    Just curious to find out where it's coming from.
     
  13. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    That information was forwarded to us about 11pm last night.
     
  14. Enyo

    Enyo Moderator

    Messages:
    1,338
    We all do, but nobody knows. This seems to have escaped us.

    Process lists of any compromised systems would be handy.
     
  15. Enyo

    Enyo Moderator

    Messages:
    1,338
    Yeah, it's been on NTBugtraq for a while; I've only just seen it, however.

    Update:

    From here
     
  16. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    Man... it looks like everyone wants to know what this is. It's not a hard fix and in the whole scheme of things it's not very malicious, but it's a pain. I frequent 4 different forums and this is the first one that anyone even began talking about this. MSFN doesn't even have a thread on this yet. I guess the majority of people who are bothered by this probably don't have the smarts to fix it.
     
  17. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    EV1.net is Rackshack, so I'd have to say that someone is using servers on Rackshack's network to have users use wrong DNS entries. Email Rackshack, and they could take the server offline :).
     
  18. Enyo

    Enyo Moderator

    Messages:
    1,338
    True, it will take time for end users to realise anything has happened; you know what they are like.
     
  19. Enyo

    Enyo Moderator

    Messages:
    1,338
    http://sarc.com/avcenter/venc/data/trojan.qhosts.html
    http://vil.nai.com/vil/content/v_100719.htm
     
  20. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,333
    Location:
    new york
    Enyo, you told us about this vulnerability some time ago here.

    Back then I told everybody let's not get caught with our pants down like we did with Blaster, and to set all ActiveX to prompt.

    So you were on this before it happened.

    Shame, though, that it looks like disabling ActiveX might not even stop the execution, according to the last couple of sentences in that dialogue.