
Thread: Feds shift DNSChanger cut-off deadline to July

  1. #1
    Virus Guy Guest

    Feds shift DNSChanger cut-off deadline to July

    Can anyone explain why the replacement DNS server being operated by the
    "white-hats" (ie - the feds) doesn't include a method to inject or
    display a message to users in their browser window telling them that
    their system is infected and/or has ****ed-up DNS settings and give them
    a link to follow for more information, yada yada, etc ?

    ================================================================

    Feds shift DNSChanger cut-off deadline to July

    http://www.theregister.co.uk/2012/03..._net_extended/

    Posted in Malware, 9th March 2012 18:07 GMT

    The FBI's DNSChanger deadline extension has been approved by a US
    Federal Court, buying infected punters more time to clean up their
    systems.

    The move means that machines riddled with the Trojan will still be able
    to use temporary DNS servers to resolve internet addresses until 9 July.
    Before the order was granted, infected machines would not have been able
    to surf the web or handle email properly after 8 March, the previous
    expiry date of the safety net.

    Deployed initially by cyber-crooks, DNSChanger screwed with domain name
    system (DNS) settings to direct surfers to rogue servers - which
    hijacked web searches and redirected victims to dodgy websites as part
    of a long-running click-fraud and scareware distribution scam.

    The FBI stepped in and dismantled the botnet's command-and-control
    infrastructure back in November, as part of Operation GhostClick.

    To keep nobbled computers working properly, legitimate servers were set
    up by the Feds to replace the rogue DNS servers, under the authority of
    a temporary court order that has now been extended. But this effort did
    nothing by itself to clean up infected machines.

    As many as four million computers were infected at the peak of the
    botnet's activity.

    An updated study by security firm Internet Identity revealed that there
    has been a "dramatic decrease" in the number of Fortune 500 companies
    and US federal agencies with DNSChanger on their networks.

    IID found at least 94 of all Fortune 500 companies and three out of 55
    major government entities had at least one computer or router that was
    infected with DNSChanger as of 23 February, 2012. This is a sharp drop
    from the 250 out of 500 Fortune 500 companies found to be infected a few
    weeks prior to its latest survey providing evidence that the clean-up
    operation has finally clicked into gear.

    More information on how to clean up infected machines, and other
    resources, can be found on the DNS Changer Working Group website here

    http://dcwg.org/cleanup.html

  2. #2
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy <Virus@Guy.com> wrote in news:4F5B7BE8.CAB3362F@Guy.com:

    > Can anyone explain why the replacement DNS server being operated by
    > the "white-hats" (ie - the feds) doesn't include a method to inject
    > or display a message to users in their browser window telling them
    > that their system is infected and/or has ****ed-up DNS settings and
    > give them a link to follow for more information, yada yada, etc ?


    Too funny. Dude, google DNS server. A DNS server could redirect you to
    another website, but it can't uhh, inject or display a message into your
    browser on its own. lol. It just translates domains to numbers for the
    computer, bro. hehehe...


    > As many as four million computers were infected at the peak of the
    > botnet's activity.


    Saddening from a security aspect point of view. DNSChanger wasn't a
    complicated critter, neat from what it did, but not actually complicated
    from code perspective.. Scary eh? The fact it got so many machines tells
    me people don't learn.

    This article makes it sound like DNSChanger got the world's DNS servers
    and tricked everybody. That's not what happened. Some rogue servers were
    running, and DNSChanger changed local TCP/IP settings and router
    settings (it would log in just as you would, if the router was still
    using the default password) to point to those new DNS servers.

    If your router got hit, bad security on you! Change the default login
    password. If your box's TCP/IP settings got changed, you were using admin
    level when you shouldn't have been!

    > An updated study by security firm Internet Identity revealed that
    > there has been a "dramatic decrease" in the number of Fortune 500
    > companies and US federal agencies with DNSChanger on their networks.


    Jeeze. Not smalltime systems either.



    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by,
    and the only thing that's wrong is to get caught. - J.C. Watts

  3. #3
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Dustin wrote:

    > > Can anyone explain why the replacement DNS server being operated
    > > by the "white-hats" (ie - the feds) doesn't include a method to
    > > inject or display a message to users in their browser window
    > > telling them that their system is infected and/or has ****ed-up
    > > DNS settings and give them a link to follow for more information,
    > > yada yada, etc ?

    >
    > Too funny. Dude, google DNS server.
    > hehehe...


    The joke's on you, dumb ass.

    Google DNS hijacking for displaying advertisements.

    ISPs have been doing this for years.

  4. #4
    FromTheRafters Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy wrote:
    > Dustin wrote:
    >
    >>> Can anyone explain why the replacement DNS server being operated
    >>> by the "white-hats" (ie - the feds) doesn't include a method to
    >>> inject or display a message to users in their browser window
    >>> telling them that their system is infected and/or has ****ed-up
    >>> DNS settings and give them a link to follow for more information,
    >>> yada yada, etc ?

    >>
    >> Too funny. Dude, google DNS server.
    >> hehehe...

    >
    > The joke's on you, dumb ass.
    >
    > Google DNS hijacking for displaying advertisements.
    >
    > ISP's have been doing this for years.


    LOL.

  5. #5
    David H. Lipman Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    From: "Virus Guy" <Virus@Guy.com>

    > Dustin wrote:
    >
    >>> Can anyone explain why the replacement DNS server being operated
    >>> by the "white-hats" (ie - the feds) doesn't include a method to
    >>> inject or display a message to users in their browser window
    >>> telling them that their system is infected and/or has ****ed-up
    >>> DNS settings and give them a link to follow for more information,
    >>> yada yada, etc ?

    >>
    >> Too funny. Dude, google DNS server.
    >> hehehe...

    >
    > The joke's on you, dumb ass.
    >
    > Google DNS hijacking for displaying advertisements.
    >
    > ISP's have been doing this for years.


    I use 8.8.8.8 and don't see that.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp

  6. #6
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    "David H. Lipman" wrote:

    > > Google DNS hijacking for displaying advertisements.
    > >
    > > ISP's have been doing this for years.

    >
    > I use 8.8.8.8 and don't see that.


    I didn't say that google was doing that.

    I said to use google to do a search to see who is.

    One result:

    ==========
    http://en.wikipedia.org/wiki/DNS_hij...lation_by_ISPs

    A number of consumer ISPs such as OpenDNS[2], Cablevision's Optimum
    Online,[3] Comcast,[4] Time Warner, Cox Communications, RCN,[5]
    Rogers,[6] Charter Communications, Verizon, Virgin Media, Frontier
    Communications, Bell Sympatico,[7] UPC,[8] T-Online,[9] Optus,[10]
    Mediacom,[11], ONO[12] and Bigpond (Telstra)[13][14][15][16] use DNS
    hijacking for their own purposes, such as displaying advertisements[17]
    or collecting statistics.
    ===========

    The hijack is usually used when a query is made for a non-existent
    domain and the DNS server returns a result that points to a server
    providing some sort of alternate content - usually containing
    advertising - instead of the user seeing a 404 or some other browser
    error.

    The file-sharing / file-downloading domains that were "hijacked" by the
    DOJ/ICE over the past few years are a good example of this (i.e.
    tvshack.net and many others).

    The idea extends to DNS servers that operate in conjunction with content
    servers that can generate the web-pages being sought by the user in real
    time by accessing the real web page the user was browsing to, with the
    intent of replacing in-page advertising with other advertising, or
    adding a top or bottom banner ad.

    I'm surprised I have to explain this concept to the readers of this
    group.

    I was wondering why, in this case of operating a white-hat DNS server
    for the benefit of thousands or hundreds of thousands of trojanized
    PCs, this technique of injecting a banner ad wasn't being done.

    This would allow the users of those PCs to see a "friendly message" as
    a banner ad on any website they browse to, telling them that their PC or
    router has been hacked or trojanized - and how to remedy the situation.

    Those users may not believe that they are seeing a benevolent (as
    opposed to a malicious) message, but the effect nonetheless would be to
    tweak them into thinking that something might be wrong with their system
    and to seek out some trusted third-party remedy on their own.
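    The NXDOMAIN-hijack behaviour described in this post (a resolver answering a query for a
    non-existent name with an A record for an ad or landing server instead of an NXDOMAIN error)
    can be tested for from the client side. The script below is an added example, not code from
    the thread or from any of the parties it names: it builds a DNS query for a random label,
    parses the wire-format reply, and flags a resolver that returns NOERROR plus an A record
    where NXDOMAIN is expected. The zone `example.com`, the address `203.0.113.10` and the two
    sample replies are constructed fixtures; `probe_resolver()` is the only part that touches the
    network.

```python
"""Client-side check for NXDOMAIN hijacking by a recursive resolver (added example)."""
import secrets
import socket
import struct


def build_query(name: str, qid: int) -> bytes:
    """Standard recursive (RD=1) A/IN query for `name` with transaction id `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if jumped else offset


def parse_response(data: bytes) -> dict:
    """Parse header, question and answer sections of a DNS reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = _read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)  # render A records dotted-quad
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def classify(response: dict) -> str:
    """For a random label an honest resolver answers RCODE 3 (NXDOMAIN) with no A record."""
    a_records = [a for a in response["answers"] if a[1] == 1]
    if response["rcode"] == 3 and not a_records:
        return "NXDOMAIN"
    if response["rcode"] == 0 and a_records:
        return "HIJACK_SUSPECTED"
    return "OTHER"


def probe_resolver(server: str, zone: str = "example.com", timeout: float = 3.0) -> str:
    """Send one probe over UDP/53 and classify the reply (needs network; not run offline)."""
    qid = secrets.randbelow(0x10000)
    name = f"{secrets.token_hex(8)}.{zone}"  # label that cannot exist in the zone
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != qid or resp["questions"] != [(name, 1)]:
        return "MISMATCHED_REPLY"
    return classify(resp)


def _make_response(query: bytes, rcode: int, a_ip: str = None) -> bytes:
    """Constructed reply to `query` (test fixture, not a captured packet)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if a_ip else 0, 0, 0)
    body = header + query[12:]  # echo the question section
    if a_ip:  # answer name is a pointer (0xC00C) to the question name at offset 12
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(a_ip)
    return body


PROBE = build_query("deadbeef00000000.example.com", 0x1234)
HONEST_REPLY = _make_response(PROBE, 3)                    # NXDOMAIN, no answers
HIJACKED_REPLY = _make_response(PROBE, 0, "203.0.113.10")  # NOERROR + A record

if __name__ == "__main__":
    for label, reply in (("honest", HONEST_REPLY), ("hijacked", HIJACKED_REPLY)):
        print(label, classify(parse_response(reply)))
```

    Probe under a zone that is known to carry no wildcard record: a zone with a wildcard
    legitimately answers any label with NOERROR, which this check would otherwise report as a
    hijack. Running the probe against each resolver listed in a machine's TCP/IP settings, and
    comparing the answering server and returned address with what the ISP or the organisation
    actually operates, is the kind of check that exposes both the ISP-style redirection discussed
    here and a resolver setting that has been changed behind the user's back.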

  7. #7
    FromTheRafters Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy wrote:

    > The idea extends to DNS servers that operate in conjunction with content
    > servers that can generate the web-pages being sought by the user in real
    > time by accessing the real web page the user was browsing to, with the
    > intent of replacing in-page advertising with other advertising, or
    > adding a top or bottom banner ad.
    >
    > I'm surprised I have to inform this concept to the readers of this
    > group.


    So am I, you make it sound like it's a new thing.

    > I was wondering why, in this case of operating a white-hat DNS server
    > for the benefit of thousands or hundreds of thousands of trojanized
    > PC's, that this technique of injecting a banner-ad wasn't being done.


    I think it's because it isn't being done by the DNS server, but is being
    done by the ISP modifying the response *from* the DNS server.

    Perhaps the authorities would have to 'take over' the ISPs *not* the DNS
    servers in order to do as you suggest?

    [...]

  8. #8
    David H. Lipman Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    From: "Virus Guy" <Virus@Guy.com>

    > "David H. Lipman" wrote:
    >
    >>> Google DNS hijacking for displaying advertisements.
    >>>
    >>> ISP's have been doing this for years.

    >>
    >> I use 8.8.8.8 and don't see that.

    >
    > I didn't say that google was doing that.
    >
    > I said to use google to do a search to see who is.
    >
    > One result:
    >
    > ==========
    > http://en.wikipedia.org/wiki/DNS_hij...lation_by_ISPs
    >
    > A number of consumer ISPs such as OpenDNS[2], Cablevision's Optimum
    > Online,[3] Comcast,[4] Time Warner, Cox Communications, RCN,[5]
    > Rogers,[6] Charter Communications, Verizon, Virgin Media, Frontier
    > Communications, Bell Sympatico,[7] UPC,[8] T-Online,[9] Optus,[10]
    > Mediacom,[11], ONO[12] and Bigpond (Telstra)[13][14][15][16] use DNS
    > hijacking for their own purposes, such as displaying advertisements[17]
    > or collecting statistics.
    > ===========
    >
    > The hijack is usually used when a query is made for a non-existant
    > domain and the DNS server returns a result that points to a server
    > providing some sort of alternate content - usually containing
    > advertising - instead of the user seeing a 404 or some other browser
    > error.
    >
    > The file-sharing / file-downloading domains that were "hijacked" by the
    > DOJ/ICE over the past few years are a good example of this (ie-
    > tvshack.net and many others).
    >
    > The idea extends to DNS servers that operate in conjunction with content
    > servers that can generate the web-pages being sought by the user in real
    > time by accessing the real web page the user was browsing to, with the
    > intent of replacing in-page advertising with other advertising, or
    > adding a top or bottom banner ad.
    >
    > I'm surprised I have to inform this concept to the readers of this
    > group.
    >
    > I was wondering why, in this case of operating a white-hat DNS server
    > for the benefit of thousands or hundreds of thousands of trojanized
    > PC's, that this technique of injecting a banner-ad wasn't being done.
    >
    > This would allow the users of those PC's to see a "friendly message" as
    > a banner ad on any website they browse to, telling them that their PC or
    > router has been hacked or trojanized - and how to remedy the situation.
    >
    > Those users may not believe that they are seeing a benevolent (as
    > opposed to a malicious) message, but the effect nonetheless would be to
    > tweak them into thinking that something might be wrong with their system
    > and to seek out some trusted third-party remedy on their own.


    OK.

    I think I know what you are talking about now.

    When a website is shut down, it is often "parked" and the parked page does
    indeed show advertisement content, and this is done by the hosting company
    and doesn't have to do with a DNS server. The DNS server just points to
    the hosting company's parked page that is used to display the advertising
    content.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


  9. #9
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    FromTheRafters wrote:

    > > I'm surprised I have to inform this concept to the readers of this
    > > group.

    >
    > you make it sound like it's a new thing.


    How so?

    I was not implying that it is a new thing.

    > > I was wondering why, in this case of operating a white-hat DNS
    > > server for the benefit of thousands or hundreds of thousands of
    > > trojanized PC's, that this technique of injecting a banner-ad
    > > wasn't being done.

    >
    > I think it's because it isn't being done by the DNS server,


    Whenever or wherever it's done, the DNS server has to be involved for
    the method to work. Whether or not the DNS server is also used as the
    surrogate web server used to inject the ad content is just an academic
    question.

    If you want ad content to be injected, and if you already are operating
    a "rogue" DNS server (either black or white hat) that is being used by
    some population of compromised PCs, then you have the ability to inject
    the ads just by altering the software on your DNS server.

    > Perhaps the authorities would have to 'take over' the ISPs *not*
    > the DNS servers in order to do as you suggest?


    No.

    This issue pertains to a population of trojanized PCs or routers with
    altered DNS settings. The PCs or routers have their DNS settings
    pointing to a malicious server or servers (by way of a malicious IP
    address I would guess).

    Now someone somewhere (law enforcement) has granted a white-hat the
    ability to route that DNS traffic away from the malicious IP address and
    instead to his own server. I'm saying go the extra step and have that
    server generate a banner ad telling the fools with compromised systems
    that they need to have their PC or router looked at and decontaminated.

    The ISPs of those compromised systems play no role in any of this.

  10. #10
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    "David H. Lipman" wrote:

    > I use 8.8.8.8 and ...


    Could you possibly hand over more data to google than they're already
    getting from you?
