Re: DNS hacked/hijacked by the "Delude.B" trojan
From: Curious (rafay_at_rafay.info)
Date: 10/07/03
- Next message: bobby: "missing Administrative Tools icons"
- Previous message: Thomas Bert: "Local login and access WITHOUT NTFS-Permission"
- In reply to: Jonathan de Boyne Pollard: "DNS hacked/hijacked by the "Delude.B" trojan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 7 Oct 2003 11:44:23 -0400
Here is a solution to this problem:

http://clk.about.com/?zi=1/XJ&sdn=antivirus&zu=http%3A%2F%2Fvil.nai.com%2Fvil%2Fcontent%2Fv_100719.htm
--
Curious
MCSE, CCNP

"Jonathan de Boyne Pollard" <J.deBoynePollard@Tesco.NET> wrote in message news:3F7D536B.82068D14@Tesco.NET...
> c> I'm having a strange problem [...]
> c> [...] I looked my tcp/ip config and my dns servers were
> c> set to something they shouldn't be! Usually it is on
> c> automatically obtain. [...] The DNS addresses were:
> c> 69.57.146.14 [and] 69.57.147.175
> c> I did ipconfig /displaydns and wow, I had tons of entries!
> c> It filled a .txt file with 66kb worth of entries [...]
> c> Now the weird part, they are all search engines! [...]
> c> My dns cache won't get rid of those addresses. [...]
> c> The first time I rebooted it Windows complained about command.com [...]
>
> You've been hit by the "Delude.B" trojan. This trojan uses a bug
> in Microsoft's Internet Explorer (which, according to CERT Incident
> Note IN-2003-04, has not been properly fixed) that allows web page
> authors to write web pages that will cause Internet Explorer to
> automatically download and execute whatever programs the web page
> author desires. So at some point you've displayed a web page that
> caused this trojan to be downloaded and run.
>
> The trojan changes the proxy DNS servers that your DNS Client is
> configured to use, to the addresses of two machines assigned to
> Everyone's Internet which were discovered to have been compromised
> and which have since been taken out of service. The intent of the
> attacker was clearly to run a proxy DNS service providing
> name->address mappings of his/her choosing, in order to impersonate
> services without your being any the wiser.
>
> The trojan also populates your "HOSTS" file with a large number
> of entries, mapping the names of several widely used web sites to
> an IP address whose content HTTP service the attacker intended to
> control. The intent of the attacker was clearly, again, to
> impersonate services without your being any the wiser. The fact that
> these are search engines is not weird, therefore.
>
> The reason that flushing the DNS Client cache does not cause these
> mappings to go away is that Microsoft's DNS Client automatically
> initially populates its cache from the content of the "HOSTS" file.
> You must edit the "HOSTS" file itself for these mappings to go away.
>
> The trojan does not stick around. It performs its task and then
> deletes itself from the machine. Since running executables in Win32
> cannot delete themselves, it does this by spawning a command
> interpreter, passing it a command script containing commands to
> delete both the executable and the script. My educated guess is
> that the NTVDM process running COMMAND was caused by a witless novice
> coding error on the part of the author of the trojan: hard-wiring
> "COMMAND" as the name of the command interpreter that it invokes
> instead of looking at the value of the %COMSPEC% environment
> variable to find what command interpreter to use, as one should.
>
> <URL:http://www.cert.org./incident_notes/IN-2003-04.html>
> <URL:http://f-secure.com./v-descs/delude.shtml>
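The quoted explanation names two things an administrator should check on a machine like this: the HOSTS file (which the DNS Client reads into its cache, so `ipconfig /flushdns` alone cannot clear the bogus mappings) and the resolver addresses the DNS Client has been pointed at. As an added example, not code from this thread or from either of its authors, the Python script below performs both checks. The HOSTS content and the internal network are constructed sample data; the address 203.0.113.7 is a documentation-range placeholder standing in for the attacker's web server, and the two resolver addresses come from the quoted report. A default Windows HOSTS file contains only the localhost entry, so any non-loopback mapping outside networks the administrator knows about is worth a look, and many well-known names mapped to one address is the pattern the quoted message describes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample HOSTS content (not taken from the page). On Windows the real
# file lives at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.local   # legitimate internal entry
203.0.113.7     www.google.com
203.0.113.7     www.altavista.com        # constructed: attacker placeholder address
203.0.113.7     search.yahoo.com
"""

# Resolver addresses the quoted report says the trojan configured.
REPORTED_DNS_SERVERS = ["69.57.146.14", "69.57.147.175"]


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from HOSTS-file content.

    Comments (after '#') and blank lines are ignored; a line may carry several
    hostnames for one address. Lines whose first field is not an IP are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def suspicious_hosts_entries(entries, internal_nets=()):
    """Flag entries that pin a hostname to an address that is neither loopback
    nor inside one of the administrator's known internal networks."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    flagged = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or any(addr in net for net in nets):
            continue
        flagged.append((ip, name))
    return flagged


def addresses_with_many_names(entries, threshold=3):
    """Return {ip: [names]} for addresses that at least `threshold` distinct
    hostnames map to: the 'many sites, one server' signature of a HOSTS hijack."""
    by_ip = defaultdict(set)
    for ip, name in entries:
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= threshold}


def unexpected_dns_servers(configured, expected):
    """Return configured resolver addresses that are not in the expected set,
    e.g. when a DHCP-assigned client suddenly has static resolvers."""
    return sorted(set(configured) - set(expected))


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for ip, name in suspicious_hosts_entries(entries, internal_nets=["10.0.0.0/8"]):
        print(f"HOSTS: {name} -> {ip} (not loopback, not internal)")
    for ip, names in addresses_with_many_names(entries).items():
        print(f"HOSTS: {len(names)} names share {ip}: {', '.join(names)}")
    for ip in unexpected_dns_servers(REPORTED_DNS_SERVERS, expected=["192.168.1.1"]):
        print(f"DNS client: unexpected resolver {ip}")
```

To run it against a real machine, replace `SAMPLE_HOSTS` with the contents of the hosts file and `REPORTED_DNS_SERVERS` with the resolver list from `ipconfig /all`; the expected resolver list and internal networks are site-specific and must be supplied by the administrator.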