Re: New Trojan?

[Keith <kbastin () mindspring com>]

In-Reply-To: <005201c45f92$b60ebe60$6e811299@HURON>

this reply is to an old message but I just encountered the problem described by the original poster (below) on one of 
my customers machines and eventually resolved the issue; I never saw a resolution posted online (here or anywhere else) 
so I am posting what I saw in case others search this list for this problem:

Basically the appearance is that mistyped URL's were getting redirected to netidentity.com.

I dropped to dos and did pings and observed that even ping was getting redirected to netidentity.com (via a dns 
resolution that gave 64.15.175.5 as the result of the query). Almost any bad query would return this ip address. 

I kicked off my sniffer and observed that the first query would go out with the mistyped url exactly as it was typed in 
the browser and that query would fail, the workstation would then append the default domain string to the end of the 
dns query and resend the query. (For example if I have smith.com as my domain name and i query for testbadname.com the 
first query is to testbadname.com (which fails) and the second dns query is to testbadname.com.smith.com.)  

My customer was using (customername).com as his idomain and the authority for (customername).com is netidentity (a 
squatter that registered 15,000+ personal names) and any dns query directed to them is returned as an A record pointing 
to 64.15.175.5 

I 'resolved' it on this customer by going into nework properties/TCP/IP Settings/advanced/dns and changing the default 
option  (Append primary and connection specific dns suffixes). Clearing this option stops his dns resolver from 
appending his domain name to the mistyped url and he is no longer redirected to netidentity.com. 

regards
Keith


> > ----- Original Message -----
> > From: "Jeff" <Jeff@Not_A_Real_Address.com.telenet-ops.be>
> > To: <security-basics () securityfocus com>
> > Sent: Monday, June 28, 2004 8:14 PM
> > Subject: New Trojan?
> >
> >
> > > PLEASE READ ... I feel violated and need much help, if not for
> > > the PC, for my nerves.
> > >
> > > The PC is a WinXP box, fully patched, routinely checked with
> > > Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
> > > use Thunderbird 0.6 and Firefox 0.8. All other family members
> > > run Thunderbird on this box. IE6 has not bee removed but is
> > > fully patched.
> > >
> > > Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
> > > is running. (I purposely purchased the licenses at work for
> > > our home users also so that they WOULD stay up to date -- a
> > > practice I learned from Sprint a long, long time ago.)
> > >
> > > I use a Netgear FVS318 to interface to my Verizon DSL account.
> > >
> > > The events as they happened.
> > >
> > > 1. My son read his email via the web. It included e-cards.
> > >     He read them. Doesn't remember where they took him, nor
> > >     does he remember if he used IE6 or Firefox.
> > >
> > > 2. Long screaming session about things TO do and things NOT
> > >     to do while on the internet. 278th time. Disabled his account.
> > >
> > > 3. Mis-typing a URL will now take me automatically to
> > >     www.netidentity.com with the mistaken URL clearly
> > >     identified inside. Identical results on IE6 and Firefox.
> > >     Java and Javascript are disabled on Firefox. I leave IE6
> > >     alone because I use it when I absolutely must go to some
> > >     bogus activex site, oh, and windowsupdate. But I don't use
> > >     it otherwise. I always use Firefox.
> > >
> > >     URLs that caused this include: mapblast, mapquest, abc, def
> > >     ... through xyz.
> > >
> > >     Please note: I had typed "mapblast" but had hit Enter rather
> > >     than Ctrl-Enter, by mistake. The URLs entered are literally
> > >     those listed, just the word.
> > >
> > >     They are then transformed to http://mapblast/
> > >
> > > 4. SAV CE, Spybot, AdAware, SypwareBlaster were all checked for
> > >     updates and the entire system was scanned. Nothing found.
> > >
> > > ** My immediate thought was that Network Solutions was up to thier
> > > ** old tricks with it's Site Finder business. A quick check of
> > > ** another PC in the house eliminated that.
> > >
> > > 5. I checked my syslogs and NULL routed the IP address being used
> > >     to access www.netidentity.com. The same page comes up sans the
> > >     graphics and the flash. The web page is still there though, just
> > >     looking sad. Another check of the syslogs brings up 64.15.175.5
> > >     as generating the pages, an open proxy.
> > >
> > > 6. Also ran HiJackThis and went through ALL of the items on it.
> > >     Nada. Couldn't find the IP addresses or domain names in the
> > >     registry. I also ran them in reverse notation. Nada.
> > >
> > > 7. Checked my network settings to make certain that some new DNS
> > >     server wasn't stuck in. Nope, still set to use the Netgear box.
> > >     Put 4 different DNS servers in -- still get that stupid site.
> > >
> > > 8. That was all at lunchtime. Haven't had a chance to run netstat
> > >     or Ethereal to gain any additional clues.
> > >
> > > ZOIKS!!!
> > >
> > > The PC is off. But NOT knowing what is going on is driving
> > me insane.
> > > So while I <ahem> work this afternoon, I thought I would see if any
> > > of this sounds, smells or <insert fav sense here) like anything that
> > > anyone has seen before!
> > >
> > > Jeff