Feds shift DNSChanger cut-off deadline to July

[Virus Guy]

Can anyone explain why the replacement DNS server being operated by the
"white-hats" (ie - the feds) doesn't include a method to inject or
display a message to users in their browser window telling them that
their system is infected and/or has ****ed-up DNS settings and give them
a link to follow for more information, yada yada, etc ?

================================================== ==============

Feds shift DNSChanger cut-off deadline to July

http://www.theregister.co.uk/2012/03..._net_extended/

Posted in Malware, 9th March 2012 18:07 GMT

The FBI's DNSChanger deadline extension has been approved by a US
Federal Court, buying infected punters more time to clean up their
systems.

The move means that machines riddled with the Trojan will still be able
to use temporary DNS servers to resolve internet addresses until 9 July.
Before the order was granted, infected machines would not have been able
to surf the web or handle email properly after 8 March, the previous
expiry date of the safety net.

Deployed initially by cyber-crooks, DNSChanger screwed with domain name
system (DNS) settings to direct surfers to rogue servers - which
hijacked web searches and redirected victims to dodgy websites as part
of a long-running click-fraud and scareware distribution scam.

The FBI stepped in and dismantled the botnet's command-and-control
infrastructure back in November, as part of Operation GhostClick.

To keep nobbled computers working properly, legitimate servers were set
up by the Feds to replace the rogue DNS servers, under the authority of
a temporary court order that has now been extended. But this effort did
nothing by itself to clean up infected machines.

As many as four million computers were infected at the peak of the
botnet's activity.

An updated study by security firm Internet Identity revealed that there
has been a "dramatic decrease" in the number of Fortune 500 companies
and US federal agencies with DNSChanger on their networks.

IID found at least 94 of all Fortune 500 companies and three out of 55
major government entities had at least one computer or router that was
infected with DNSChanger as of 23 February, 2012. This is a sharp drop
from the 250 out of 500 Fortune 500 companies found to be infected a few
weeks prior to its latest survey – providing evidence that the clean-up
operation has finally clicked into gear.

More information on how to clean up infected machines, and other
resources, can be found on the DNS Changer Working Group website here

http://dcwg.org/cleanup.html

[Dustin]

Virus Guy <Virus@Guy.com> wrote in news:4F5B7BE8.CAB3362F@Guy.com:

> Can anyone explain why the replacement DNS server being operated by
> the "white-hats" (ie - the feds) doesn't include a method to inject
> or display a message to users in their browser window telling them
> that their system is infected and/or has ****ed-up DNS settings and
> give them a link to follow for more information, yada yada, etc ?

Too funny. Dude, google DNS server. A DNS server could redirect you to
another website, but it can't uhh, inject or display a message into your
browser on it's own. lol. It just translates domains to numbers for the
computer, bro. hehehe...


> As many as four million computers were infected at the peak of the
> botnet's activity.

Saddening from a security aspect point of view. DNSChanger wasn't a
complicated critter, neat from what it did, but not actually complicated
from code perspective.. Scary eh? The fact it got so many machines tells
me people don't learn.

This article makes it sound like dnschanger got the worlds dns servers
and tricked everybody. That's not what happened. Some rogue servers were
running, and dns changer changed local tcpip settings and router
settings (it would login just as you would, if the router was still
using default password) to point to those new dns servers.

If your router got hit, bad security on you! Change the default login
password. If your box tcpip settings got changed; You were using admin
level when you shouldn't have been!

> An updated study by security firm Internet Identity revealed that
> there has been a "dramatic decrease" in the number of Fortune 500
> companies and US federal agencies with DNSChanger on their networks.

Jeeze. Not smalltime systems either.



--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by,
and the only thing that's wrong is to get caught. - J.C. Watts

[Virus Guy]

Dustin wrote:

> > Can anyone explain why the replacement DNS server being operated
> > by the "white-hats" (ie - the feds) doesn't include a method to
> > inject or display a message to users in their browser window
> > telling them that their system is infected and/or has ****ed-up
> > DNS settings and give them a link to follow for more information,
> > yada yada, etc ?
>
> Too funny. Dude, google DNS server.
> hehehe...

The joke's on you, dumb ass.

Google DNS hijacking for displaying advertisements.

ISP's have been doing this for years.

[FromTheRafters]

Virus Guy wrote:
> Dustin wrote:
>
>>> Can anyone explain why the replacement DNS server being operated
>>> by the "white-hats" (ie - the feds) doesn't include a method to
>>> inject or display a message to users in their browser window
>>> telling them that their system is infected and/or has ****ed-up
>>> DNS settings and give them a link to follow for more information,
>>> yada yada, etc ?
>>
>> Too funny. Dude, google DNS server.
>> hehehe...
>
> The joke's on you, dumb ass.
>
> Google DNS hijacking for displaying advertisements.
>
> ISP's have been doing this for years.

LOL.

[David H. Lipman]

From: "Virus Guy" <Virus@Guy.com>

> Dustin wrote:
>
>>> Can anyone explain why the replacement DNS server being operated
>>> by the "white-hats" (ie - the feds) doesn't include a method to
>>> inject or display a message to users in their browser window
>>> telling them that their system is infected and/or has ****ed-up
>>> DNS settings and give them a link to follow for more information,
>>> yada yada, etc ?
>>
>> Too funny. Dude, google DNS server.
>> hehehe...
>
> The joke's on you, dumb ass.
>
> Google DNS hijacking for displaying advertisements.
>
> ISP's have been doing this for years.

I use 8.8.8.8 and don't see that.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

[Virus Guy]

"David H. Lipman" wrote:

> > Google DNS hijacking for displaying advertisements.
> >
> > ISP's have been doing this for years.
>
> I use 8.8.8.8 and don't see that.

I didn't say that google was doing that.

I said to use google to do a search to see who is.

One result:

==========
http://en.wikipedia.org/wiki/DNS_hij...lation_by_ISPs

A number of consumer ISPs such as OpenDNS[2], Cablevision's Optimum
Online,[3] Comcast,[4] Time Warner, Cox Communications, RCN,[5]
Rogers,[6] Charter Communications, Verizon, Virgin Media, Frontier
Communications, Bell Sympatico,[7] UPC,[8] T-Online,[9] Optus,[10]
Mediacom,[11], ONO[12] and Bigpond (Telstra)[13][14][15][16] use DNS
hijacking for their own purposes, such as displaying advertisements[17]
or collecting statistics.
===========

The hijack is usually used when a query is made for a non-existant
domain and the DNS server returns a result that points to a server
providing some sort of alternate content - usually containing
advertising - instead of the user seeing a 404 or some other browser
error.

The file-sharing / file-downloading domains that were "hijacked" by the
DOJ/ICE over the past few years are a good example of this (ie-
tvshack.net and many others).

The idea extends to DNS servers that operate in conjunction with content
servers that can generate the web-pages being sought by the user in real
time by accessing the real web page the user was browsing to, with the
intent of replacing in-page advertising with other advertising, or
adding a top or bottom banner ad.

I'm surprised I have to inform this concept to the readers of this
group.

I was wondering why, in this case of operating a white-hat DNS server
for the benefit of thousands or hundreds of thousands of trojanized
PC's, that this technique of injecting a banner-ad wasn't being done.

This would allow the users of those PC's to see a "friendly message" as
a banner ad on any website they browse to, telling them that their PC or
router has been hacked or trojanized - and how to remedy the situation.

Those users may not believe that they are seeing a benevolent (as
opposed to a malicious) message, but the effect nonetheless would be to
tweak them into thinking that something might be wrong with their system
and to seek out some trusted third-party remedy on their own.

[FromTheRafters]

Virus Guy wrote:

> The idea extends to DNS servers that operate in conjunction with content
> servers that can generate the web-pages being sought by the user in real
> time by accessing the real web page the user was browsing to, with the
> intent of replacing in-page advertising with other advertising, or
> adding a top or bottom banner ad.
>
> I'm surprised I have to inform this concept to the readers of this
> group.

So am I, you make it sound like it's a new thing.

> I was wondering why, in this case of operating a white-hat DNS server
> for the benefit of thousands or hundreds of thousands of trojanized
> PC's, that this technique of injecting a banner-ad wasn't being done.

I think it's because it isn't being done by the DNS server, but is being
done by the ISP modifying the response *from* the DNS server.

Perhaps the authorities would have to 'take over' the ISPs *not* the DNS
servers in order to do as you suggest?

[...]

[David H. Lipman]

From: "Virus Guy" <Virus@Guy.com>

> "David H. Lipman" wrote:
>
>>> Google DNS hijacking for displaying advertisements.
>>>
>>> ISP's have been doing this for years.
>>
>> I use 8.8.8.8 and don't see that.
>
> I didn't say that google was doing that.
>
> I said to use google to do a search to see who is.
>
> One result:
>
> ==========
> http://en.wikipedia.org/wiki/DNS_hij...lation_by_ISPs
>
> A number of consumer ISPs such as OpenDNS[2], Cablevision's Optimum
> Online,[3] Comcast,[4] Time Warner, Cox Communications, RCN,[5]
> Rogers,[6] Charter Communications, Verizon, Virgin Media, Frontier
> Communications, Bell Sympatico,[7] UPC,[8] T-Online,[9] Optus,[10]
> Mediacom,[11], ONO[12] and Bigpond (Telstra)[13][14][15][16] use DNS
> hijacking for their own purposes, such as displaying advertisements[17]
> or collecting statistics.
> ===========
>
> The hijack is usually used when a query is made for a non-existant
> domain and the DNS server returns a result that points to a server
> providing some sort of alternate content - usually containing
> advertising - instead of the user seeing a 404 or some other browser
> error.
>
> The file-sharing / file-downloading domains that were "hijacked" by the
> DOJ/ICE over the past few years are a good example of this (ie-
> tvshack.net and many others).
>
> The idea extends to DNS servers that operate in conjunction with content
> servers that can generate the web-pages being sought by the user in real
> time by accessing the real web page the user was browsing to, with the
> intent of replacing in-page advertising with other advertising, or
> adding a top or bottom banner ad.
>
> I'm surprised I have to inform this concept to the readers of this
> group.
>
> I was wondering why, in this case of operating a white-hat DNS server
> for the benefit of thousands or hundreds of thousands of trojanized
> PC's, that this technique of injecting a banner-ad wasn't being done.
>
> This would allow the users of those PC's to see a "friendly message" as
> a banner ad on any website they browse to, telling them that their PC or
> router has been hacked or trojanized - and how to remedy the situation.
>
> Those users may not believe that they are seeing a benevolent (as
> opposed to a malicious) message, but the effect nonetheless would be to
> tweak them into thinking that something might be wrong with their system
> and to seek out some trusted third-party remedy on their own.

OK.

I think I know hat you are talking about now.

When a website is shutdown, it is often "parked" and the parked page does
indeed show advertisement content and this is done by the hosting company
and doesn't have to do with a DNS server. The DNS server jolust points to
the hosting companies parked page that is used to display the adverttising
content.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

[Virus Guy]

FromTheRafters wrote:

> > I'm surprised I have to inform this concept to the readers of this
> > group.
>
> you make it sound like it's a new thing.

How so?

I was not implying that it is a new thing.

> > I was wondering why, in this case of operating a white-hat DNS
> > server for the benefit of thousands or hundreds of thousands of
> > trojanized PC's, that this technique of injecting a banner-ad
> > wasn't being done.
>
> I think it's because it isn't being done by the DNS server,

When-ever or where-ever it's done, the DNS server has to be involved for
the method to work. Whether or not the DNS server is also used as the
surrogate web server used to inject the ad-content is just an academic
question.

If you want ad-content to be injected, and if you already are operating
a "rogue" DNS server (either black or white hat) that is being used by
some population of comprimized PC's, then you have the ability to inject
the ads just by altering the software on your DNS server.

> Perhaps the authorities would have to 'take over' the ISPs *not*
> the DNS servers in order to do as you suggest?

No.

This issue pertains to a population of trojanized PC's or routers with
altered DNS settings. The PC's or routers have their DNS settings
pointing to a malicious server or servers (by way of a malicious IP
address I would guess).

Now someone somewhere (law enforcement) has granted a white-hat the
ability to route that DNS traffic away from the malicious IP address and
instead to his own server. I'm saying go the extra step and have that
server generate a banner ad telling the fools with comprimized systems
that they need to have their PC or router looked at and decontaminated.

The ISP's of those comprimized systems play no role in any of this.

[Virus Guy]

"David H. Lipman" wrote:

> I use 8.8.8.8 and ...

Could you possibly hand over more data to google than they're already
getting from you?