lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200310011633.33190.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: Mystery DNS Changes

On Wednesday 01 October 2003 03:19 pm, Hansen, Kevin wrote:
> We have seen multiple instances where DHCP enabled workstations have
> had their DNS reconfigured to point to two of the three addresses
> listed below. Can anyone else confirm this? Incidents.org is
> reporting an increase in port 53 traffic over the last two days. Are
> we looking at the precursor to the next worm?
>
> 216.127.92.38
> 69.57.146.14
> 69.57.147.175

The top DNS server change was made by a newer variant of the 
Delude/Startpage trojan. It used to add bogus entries in the 
system32\drivers\etc\hosts file, but lately has begun to change the 
user's DNS registry settings as well. It hijacks the user's traffic to 
and from major search engines, redirecting it to a single webserver 
under the control of the trojan author. Any requested search pages have 
popup ads for gambling/porn site registration, presumably because the 
trojan author is getting money for registrations via affiliate 
programs.

It is being installed via the MS03-032 IE object tag exploit. A scan of 
the system may not turn up any infected files - this trojan does not 
run at startup, and deletes its files after the DNS/hosts configuration 
changes are complete.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ