
Thread: Feds shift DNSChanger cut-off deadline to July


  1. #1
    Virus Guy Guest

    Feds shift DNSChanger cut-off deadline to July

    Can anyone explain why the replacement DNS server being operated by the
    "white-hats" (ie - the feds) doesn't include a method to inject or
    display a message to users in their browser window telling them that
    their system is infected and/or has ****ed-up DNS settings and give them
    a link to follow for more information, yada yada, etc ?

    ================================================================

    Feds shift DNSChanger cut-off deadline to July

    http://www.theregister.co.uk/2012/03..._net_extended/

    Posted in Malware, 9th March 2012 18:07 GMT

    The FBI's DNSChanger deadline extension has been approved by a US
    Federal Court, buying infected punters more time to clean up their
    systems.

    The move means that machines riddled with the Trojan will still be able
    to use temporary DNS servers to resolve internet addresses until 9 July.
    Before the order was granted, infected machines would not have been able
    to surf the web or handle email properly after 8 March, the previous
    expiry date of the safety net.

    Deployed initially by cyber-crooks, DNSChanger screwed with domain name
    system (DNS) settings to direct surfers to rogue servers - which
    hijacked web searches and redirected victims to dodgy websites as part
    of a long-running click-fraud and scareware distribution scam.

    The FBI stepped in and dismantled the botnet's command-and-control
    infrastructure back in November, as part of Operation GhostClick.

    To keep nobbled computers working properly, legitimate servers were set
    up by the Feds to replace the rogue DNS servers, under the authority of
    a temporary court order that has now been extended. But this effort did
    nothing by itself to clean up infected machines.

    As many as four million computers were infected at the peak of the
    botnet's activity.

    An updated study by security firm Internet Identity revealed that there
    has been a "dramatic decrease" in the number of Fortune 500 companies
    and US federal agencies with DNSChanger on their networks.

    IID found at least 94 of all Fortune 500 companies and three out of 55
    major government entities had at least one computer or router that was
    infected with DNSChanger as of 23 February, 2012. This is a sharp drop
    from the 250 out of 500 Fortune 500 companies found to be infected a few
    weeks prior to its latest survey – providing evidence that the clean-up
    operation has finally clicked into gear.

    More information on how to clean up infected machines, and other
    resources, can be found on the DNS Changer Working Group website here

    http://dcwg.org/cleanup.html

  2. #2
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy <Virus@Guy.com> wrote in news:4F5B7BE8.CAB3362F@Guy.com:

    > Can anyone explain why the replacement DNS server being operated by
    > the "white-hats" (ie - the feds) doesn't include a method to inject
    > or display a message to users in their browser window telling them
    > that their system is infected and/or has ****ed-up DNS settings and
    > give them a link to follow for more information, yada yada, etc ?


    Too funny. Dude, google DNS server. A DNS server could redirect you to
    another website, but it can't uhh, inject or display a message into your
    browser on its own. lol. It just translates domains to numbers for the
    computer, bro. hehehe...


    > As many as four million computers were infected at the peak of the
    > botnet's activity.


    Saddening from a security point of view. DNSChanger wasn't a
    complicated critter, neat for what it did, but not actually complicated
    from a code perspective. Scary, eh? The fact it got so many machines tells
    me people don't learn.

    This article makes it sound like DNSChanger got the world's DNS servers
    and tricked everybody. That's not what happened. Some rogue servers were
    running, and DNSChanger changed local TCP/IP settings and router
    settings (it would log in just as you would, if the router was still
    using the default password) to point to those new DNS servers.

    If your router got hit, bad security on you! Change the default login
    password. If your box's TCP/IP settings got changed, you were using admin
    level when you shouldn't have been!

    > An updated study by security firm Internet Identity revealed that
    > there has been a "dramatic decrease" in the number of Fortune 500
    > companies and US federal agencies with DNSChanger on their networks.


    Jeeze. Not smalltime systems either.



    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by,
    and the only thing that's wrong is to get caught. - J.C. Watts

  3. #3
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Dustin wrote:

    > > Can anyone explain why the replacement DNS server being operated
    > > by the "white-hats" (ie - the feds) doesn't include a method to
    > > inject or display a message to users in their browser window
    > > telling them that their system is infected and/or has ****ed-up
    > > DNS settings and give them a link to follow for more information,
    > > yada yada, etc ?

    >
    > Too funny. Dude, google DNS server.
    > hehehe...


    The joke's on you, dumb ass.

    Google DNS hijacking for displaying advertisements.

    ISPs have been doing this for years.

  4. #4
    FromTheRafters Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy wrote:
    > Dustin wrote:
    >
    >>> Can anyone explain why the replacement DNS server being operated
    >>> by the "white-hats" (ie - the feds) doesn't include a method to
    >>> inject or display a message to users in their browser window
    >>> telling them that their system is infected and/or has ****ed-up
    >>> DNS settings and give them a link to follow for more information,
    >>> yada yada, etc ?

    >>
    >> Too funny. Dude, google DNS server.
    >> hehehe...

    >
    > The joke's on you, dumb ass.
    >
    > Google DNS hijacking for displaying advertisements.
    >
    > ISPs have been doing this for years.


    LOL.

  5. #5
    David H. Lipman Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    From: "Virus Guy" <Virus@Guy.com>

    > Dustin wrote:
    >
    >>> Can anyone explain why the replacement DNS server being operated
    >>> by the "white-hats" (ie - the feds) doesn't include a method to
    >>> inject or display a message to users in their browser window
    >>> telling them that their system is infected and/or has ****ed-up
    >>> DNS settings and give them a link to follow for more information,
    >>> yada yada, etc ?

    >>
    >> Too funny. Dude, google DNS server.
    >> hehehe...

    >
    > The joke's on you, dumb ass.
    >
    > Google DNS hijacking for displaying advertisements.
    >
    > ISPs have been doing this for years.


    I use 8.8.8.8 and don't see that.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp

  6. #6
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    "David H. Lipman" wrote:

    > > Google DNS hijacking for displaying advertisements.
    > >
    > > ISPs have been doing this for years.

    >
    > I use 8.8.8.8 and don't see that.


    I didn't say that google was doing that.

    I said to use google to do a search to see who is.

    One result:

    ==========
    http://en.wikipedia.org/wiki/DNS_hij...lation_by_ISPs

    A number of consumer ISPs such as OpenDNS[2], Cablevision's Optimum
    Online,[3] Comcast,[4] Time Warner, Cox Communications, RCN,[5]
    Rogers,[6] Charter Communications, Verizon, Virgin Media, Frontier
    Communications, Bell Sympatico,[7] UPC,[8] T-Online,[9] Optus,[10]
    Mediacom[11], ONO[12] and Bigpond (Telstra)[13][14][15][16] use DNS
    hijacking for their own purposes, such as displaying advertisements[17]
    or collecting statistics.
    ===========

    The hijack is usually used when a query is made for a non-existent
    domain and the DNS server returns a result that points to a server
    providing some sort of alternate content - usually containing
    advertising - instead of the user seeing a 404 or some other browser
    error.

    The file-sharing / file-downloading domains that were "hijacked" by the
    DOJ/ICE over the past few years are a good example of this (ie-
    tvshack.net and many others).

    The idea extends to DNS servers that operate in conjunction with content
    servers that can generate the web-pages being sought by the user in real
    time by accessing the real web page the user was browsing to, with the
    intent of replacing in-page advertising with other advertising, or
    adding a top or bottom banner ad.

    I'm surprised I have to inform this concept to the readers of this
    group.

    I was wondering why, in this case of operating a white-hat DNS server
    for the benefit of thousands or hundreds of thousands of trojanized
    PCs, this technique of injecting a banner ad wasn't being done.

    This would allow the users of those PCs to see a "friendly message" as
    a banner ad on any website they browse to, telling them that their PC or
    router has been hacked or trojanized - and how to remedy the situation.

    Those users may not believe that they are seeing a benevolent (as
    opposed to a malicious) message, but the effect nonetheless would be to
    tweak them into thinking that something might be wrong with their system
    and to seek out some trusted third-party remedy on their own.
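The NXDOMAIN redirection this post describes can be checked for from the client side: a query for a name that cannot exist should come back with RCODE 3 (NXDOMAIN) and no answer records. The following is an added example, not code from the thread; it builds two constructed DNS responses for a probe name (no network needed) and parses them, flagging the one that hands back an A record instead of NXDOMAIN.

```python
import struct
# Constructed fixture, not a real capture: an A query for a name that cannot exist.
QNAME = "nonexistent-probe-example.invalid"

def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def build_response(txid, rcode, answer_ip=None):
    """Build a minimal response to the QNAME/A question (test fixture only)."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, low 4 bits = RCODE
    pkt = struct.pack(">HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    pkt += encode_name(QNAME) + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN
    if answer_ip:
        # Name pointer to offset 12 (the question), type A, class IN, TTL 300, RDLENGTH 4
        pkt += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
        pkt += bytes(int(o) for o in answer_ip.split("."))
    return pkt

def parse_response(pkt):
    """Return RCODE and the A-record addresses found in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):                         # skip the question entries
        while pkt[pos]:
            pos += pkt[pos] + 1
        pos += 1 + 4                            # root byte + QTYPE + QCLASS
    ips = []
    for _ in range(an):
        if pkt[pos] & 0xC0 == 0xC0:             # compression pointer
            pos += 2
        else:                                   # uncompressed owner name
            while pkt[pos]:
                pos += pkt[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[pos:pos + 4]))
        pos += rdlen
    return {"rcode": flags & 0xF, "ips": ips}

def looks_hijacked(pkt):
    """An honest resolver answers a non-existent name with RCODE 3 (NXDOMAIN)
    and no A records; anything else is the redirection described above."""
    r = parse_response(pkt)
    return r["rcode"] != 3 or bool(r["ips"])

HONEST = build_response(0x1234, 3)                       # NXDOMAIN, no answers
HIJACKED = build_response(0x1234, 0, "198.51.100.7")     # NOERROR + ad-server A record
```

In practice the probe label should be randomised per run so a cached answer cannot mask the resolver's real behaviour.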

  7. #7
    FromTheRafters Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy wrote:

    > The idea extends to DNS servers that operate in conjunction with content
    > servers that can generate the web-pages being sought by the user in real
    > time by accessing the real web page the user was browsing to, with the
    > intent of replacing in-page advertising with other advertising, or
    > adding a top or bottom banner ad.
    >
    > I'm surprised I have to inform this concept to the readers of this
    > group.


    So am I, you make it sound like it's a new thing.

    > I was wondering why, in this case of operating a white-hat DNS server
    > for the benefit of thousands or hundreds of thousands of trojanized
    > PCs, this technique of injecting a banner ad wasn't being done.


    I think it's because it isn't being done by the DNS server, but is being
    done by the ISP modifying the response *from* the DNS server.

    Perhaps the authorities would have to 'take over' the ISPs *not* the DNS
    servers in order to do as you suggest?

    [...]

  8. #8
    David H. Lipman Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    From: "Virus Guy" <Virus@Guy.com>

    > "David H. Lipman" wrote:
    >
    >>> Google DNS hijacking for displaying advertisements.
    >>>
    >>> ISPs have been doing this for years.

    >>
    >> I use 8.8.8.8 and don't see that.

    >
    > I didn't say that google was doing that.
    >
    > I said to use google to do a search to see who is.
    >
    > One result:
    >
    > ==========
    > http://en.wikipedia.org/wiki/DNS_hij...lation_by_ISPs
    >
    > A number of consumer ISPs such as OpenDNS[2], Cablevision's Optimum
    > Online,[3] Comcast,[4] Time Warner, Cox Communications, RCN,[5]
    > Rogers,[6] Charter Communications, Verizon, Virgin Media, Frontier
    > Communications, Bell Sympatico,[7] UPC,[8] T-Online,[9] Optus,[10]
    > Mediacom[11], ONO[12] and Bigpond (Telstra)[13][14][15][16] use DNS
    > hijacking for their own purposes, such as displaying advertisements[17]
    > or collecting statistics.
    > ===========
    >
    > The hijack is usually used when a query is made for a non-existent
    > domain and the DNS server returns a result that points to a server
    > providing some sort of alternate content - usually containing
    > advertising - instead of the user seeing a 404 or some other browser
    > error.
    >
    > The file-sharing / file-downloading domains that were "hijacked" by the
    > DOJ/ICE over the past few years are a good example of this (ie-
    > tvshack.net and many others).
    >
    > The idea extends to DNS servers that operate in conjunction with content
    > servers that can generate the web-pages being sought by the user in real
    > time by accessing the real web page the user was browsing to, with the
    > intent of replacing in-page advertising with other advertising, or
    > adding a top or bottom banner ad.
    >
    > I'm surprised I have to inform this concept to the readers of this
    > group.
    >
    > I was wondering why, in this case of operating a white-hat DNS server
    > for the benefit of thousands or hundreds of thousands of trojanized
    > PCs, this technique of injecting a banner ad wasn't being done.
    >
    > This would allow the users of those PCs to see a "friendly message" as
    > a banner ad on any website they browse to, telling them that their PC or
    > router has been hacked or trojanized - and how to remedy the situation.
    >
    > Those users may not believe that they are seeing a benevolent (as
    > opposed to a malicious) message, but the effect nonetheless would be to
    > tweak them into thinking that something might be wrong with their system
    > and to seek out some trusted third-party remedy on their own.


    OK.

    I think I know what you are talking about now.

    When a website is shut down, it is often "parked" and the parked page does
    indeed show advertisement content, and this is done by the hosting company
    and doesn't have to do with a DNS server. The DNS server just points to
    the hosting company's parked page that is used to display the advertising
    content.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


  9. #9
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy <Virus@Guy.com> wrote in news:4F5CC75A.A1D7220A@Guy.com:

    > I didn't say that google was doing that.


    LOL!!!!

    > I'm surprised I have to inform this concept to the readers of this
    > group.


    Trust me, you aren't informing us. You're entertaining us!

    > I was wondering why, in this case of operating a white-hat DNS server
    > for the benefit of thousands or hundreds of thousands of trojanized
    > PCs, this technique of injecting a banner ad wasn't being done.


    How does one inject a banner ad on a DNS server?

    > This would allow the users of those PCs to see a "friendly message"
    > as a banner ad on any website they browse to, telling them that their
    > PC or router has been hacked or trojanized - and how to remedy the
    > situation.


    I don't think my clients will be happy getting something other than an
    IP address when they query a DNS server. Ya see, my email client
    wouldn't know WTF to do if it (the ehh, DNS server) sent HTML back...




    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by,
    and the only thing that's wrong is to get caught. - J.C. Watts

  10. #10
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    "David H. Lipman" wrote:

    > I use 8.8.8.8 and ...


    Could you possibly hand over more data to google than they're already
    getting from you?
