Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


RE: [Full-Disclosure] Mystery DNS Changes
.

  • To: [EMAIL PROTECTED]
  • Subject: RE: [Full-Disclosure] Mystery DNS Changes
  • From: "Randal, Phil" <[EMAIL PROTECTED]>
  • Date: Thu, 2 Oct 2003 13:31:06 +0100
  • Sender: [EMAIL PROTECTED]
.
 
NAI has this as QHosts-1, and says MS03-032 does NOT protect against it:

  http://vil.nai.com/vil/content/v_100719.htm

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -----Original Message-----
> From: Joe Stewart [mailto:[EMAIL PROTECTED]
> Sent: 01 October 2003 21:34
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Mystery DNS Changes
> 
> 
> On Wednesday 01 October 2003 03:19 pm, Hansen, Kevin wrote:
> > We have seen multiple instances where DHCP enabled workstations have
> > had their DNS reconfigured to point to two of the three addresses
> > listed below. Can anyone else confirm this? Incidents.org is
> > reporting an increase in port 53 traffic over the last two days. Are
> > we looking at the precursor to the next worm?
> >
> > 216.127.92.38
> > 69.57.146.14
> > 69.57.147.175
> 
> The top DNS server change was made by a newer variant of the 
> Delude/Startpage trojan. It used to add bogus entries in the 
> system32\drivers\etc\hosts file, but lately has begun to change the 
> user's DNS registry settings as well. It hijacks the user's 
> traffic to 
> and from major search engines, redirecting it to a single webserver 
> under the control of the trojan author. Any requested search 
> pages have 
> popup ads for gambling/porn site registration, presumably because the 
> trojan author is getting money for registrations via affiliate 
> programs.
> 
> It is being installed via the MS03-032 IE object tag exploit. 
> A scan of 
> the system may not turn up any infected files - this trojan does not 
> run at startup, and deletes its files after the DNS/hosts 
> configuration 
> changes are complete.
> 
> -Joe
> 
> -- 
> Joe Stewart, GCIH 
> Senior Security Researcher
> LURHQ Corporation
> http://www.lurhq.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.