| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jstewart at lurhq.com (Joe Stewart) Subject: Mystery DNS Changes On Wednesday 01 October 2003 03:19 pm, Hansen, Kevin wrote: > We have seen multiple instances where DHCP enabled workstations have > had their DNS reconfigured to point to two of the three addresses > listed below. Can anyone else confirm this? Incidents.org is > reporting an increase in port 53 traffic over the last two days. Are > we looking at the precursor to the next worm? > > 216.127.92.38 > 69.57.146.14 > 69.57.147.175 The top DNS server change was made by a newer variant of the Delude/Startpage trojan. It used to add bogus entries in the system32\drivers\etc\hosts file, but lately has begun to change the user's DNS registry settings as well. It hijacks the user's traffic to and from major search engines, redirecting it to a single webserver under the control of the trojan author. Any requested search pages have popup ads for gambling/porn site registration, presumably because the trojan author is getting money for registrations via affiliate programs. It is being installed via the MS03-032 IE object tag exploit. A scan of the system may not turn up any infected files - this trojan does not run at startup, and deletes its files after the DNS/hosts configuration changes are complete. -Joe -- Joe Stewart, GCIH Senior Security Researcher LURHQ Corporation http://www.lurhq.com/
Powered by blists - more mailing lists