Full Disclosure mailing list archives
Re: Mystery DNS Changes
From: Paul Tinsley <pdt () jackhammer org>
Date: Thu, 02 Oct 2003 08:20:37 -0500
Ya, there is a tiny line on page 3 of the security buleten that says that it doesn't fix the Object Type Vulnerability. Awful nice of them to let people know...
Also they haven't commited to a date that a working patch will be available, end of October is the best I have heard.
To make it worse all the AV vendors are basing their signatures off of the AOLFIX.EXE instead of the behavior that allows the problem. So v1.1 will have no problem making it through the gates.
And Microsofts mitigation suggestions are to set ActiveX to prompt in the Intranet and Internet zones... right, cause end users aren't already trained to hit yes to every box that shows up.
Randal, Phil wrote:
NAI has this as QHosts-1, and says MS03-032 does NOT protect against it: http://vil.nai.com/vil/content/v_100719.htm Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire CouncilHereford, UK-----Original Message----- From: Joe Stewart [mailto:jstewart () lurhq com] Sent: 01 October 2003 21:34 To: full-disclosure-orig () netsys com Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Mystery DNS Changes On Wednesday 01 October 2003 03:19 pm, Hansen, Kevin wrote:The top DNS server change was made by a newer variant of the Delude/Startpage trojan. It used to add bogus entries in the system32\drivers\etc\hosts file, but lately has begun to change the user's DNS registry settings as well. It hijacks the user's traffic to and from major search engines, redirecting it to a single webserver under the control of the trojan author. Any requested search pages have popup ads for gambling/porn site registration, presumably because the trojan author is getting money for registrations via affiliate programs.We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in port 53 traffic over the last two days. Are we looking at the precursor to the next worm? 216.127.92.38 69.57.146.14 69.57.147.175It is being installed via the MS03-032 IE object tag exploit. A scan of the system may not turn up any infected files - this trojan does not run at startup, and deletes its files after the DNS/hosts configuration changes are complete.-Joe --Joe Stewart, GCIH Senior Security ResearcherLURHQ Corporation http://www.lurhq.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Mystery DNS Changes, (continued)
- Re: Mystery DNS Changes Paul Tinsley (Oct 01)
- Re: [Snort-sigs] Re: Mystery DNS Changes Paul Tinsley (Oct 02)
- Re: [Snort-sigs] Re: Mystery DNS Changes Paul Schmehl (Oct 03)
- Re: [Snort-sigs] Re: Mystery DNS Changes Paul Tinsley (Oct 03)
- Re: [Snort-sigs] Re: Mystery DNS Changes Paul Schmehl (Oct 03)
- Re: Mystery DNS Changes Paul Tinsley (Oct 01)
- RE: Mystery DNS Changes Kurt (Oct 02)
- Re: Mystery DNS Changes Joe Stewart (Oct 02)
- Re: Mystery DNS Changes Paul Tinsley (Oct 02)
- Re: Mystery DNS Changes KF (Oct 02)
- RE: Mystery DNS Changes Paul Schmehl (Oct 03)
- RE: Mystery DNS Changes Nick FitzGerald (Oct 03)