Full Disclosure mailing list archives

RE: Mystery DNS Changes

From: "Randal, Phil" <prandal () herefordshire gov uk>
Date: Thu, 2 Oct 2003 13:31:06 +0100

NAI has this as QHosts-1, and says MS03-032 does NOT protect against it:

  http://vil.nai.com/vil/content/v_100719.htm

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: Joe Stewart [mailto:jstewart () lurhq com]
Sent: 01 October 2003 21:34
To: full-disclosure-orig () netsys com
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Mystery DNS Changes


On Wednesday 01 October 2003 03:19 pm, Hansen, Kevin wrote:

We have seen multiple instances where DHCP enabled workstations have
had their DNS reconfigured to point to two of the three addresses
listed below. Can anyone else confirm this? Incidents.org is
reporting an increase in port 53 traffic over the last two days. Are
we looking at the precursor to the next worm?

216.127.92.38
69.57.146.14
69.57.147.175


The top DNS server change was made by a newer variant of the 
Delude/Startpage trojan. It used to add bogus entries in the 
system32\drivers\etc\hosts file, but lately has begun to change the 
user's DNS registry settings as well. It hijacks the user's 
traffic to 
and from major search engines, redirecting it to a single webserver 
under the control of the trojan author. Any requested search 
pages have 
popup ads for gambling/porn site registration, presumably because the 
trojan author is getting money for registrations via affiliate 
programs.

It is being installed via the MS03-032 IE object tag exploit. 
A scan of 
the system may not turn up any infected files - this trojan does not 
run at startup, and deletes its files after the DNS/hosts 
configuration 
changes are complete.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: Mystery DNS Changes, (continued)
- RE: Mystery DNS Changes tom_gordon (Oct 01)
- RE: Mystery DNS Changes Harris, Michael C. (Oct 01)
  - Re: Mystery DNS Changes Paul Tinsley (Oct 01)
    - Re: [Snort-sigs] Re: Mystery DNS Changes Paul Tinsley (Oct 02)
    - Re: [Snort-sigs] Re: Mystery DNS Changes Paul Schmehl (Oct 03)
    - Re: [Snort-sigs] Re: Mystery DNS Changes Paul Tinsley (Oct 03)
    - Re: [Snort-sigs] Re: Mystery DNS Changes Paul Schmehl (Oct 03)
- Re: Mystery DNS Changes *Hobbit* (Oct 01)
  - RE: Mystery DNS Changes Kurt (Oct 02)
- RE: Mystery DNS Changes Andre Ludwig (Oct 01)
- RE: Mystery DNS Changes Randal, Phil (Oct 02)
  - Re: Mystery DNS Changes Joe Stewart (Oct 02)
  - Re: Mystery DNS Changes Paul Tinsley (Oct 02)
- RE: Mystery DNS Changes Harris, Michael C. (Oct 02)
- RE: Mystery DNS Changes Schmehl, Paul L (Oct 02)
  - Re: Mystery DNS Changes KF (Oct 02)
- RE: Mystery DNS Changes Mike O'Connor (Oct 03)
  - RE: Mystery DNS Changes Paul Schmehl (Oct 03)
  - RE: Mystery DNS Changes Nick FitzGerald (Oct 03)
- RE: Mystery DNS Changes Dowling, Gabrielle (Oct 03)
- Mystery DNS Changes Mike O'Connor (Oct 04)