From: "Virus Guy" <Virus@Guy.com>

> "David H. Lipman" wrote:
>
>>> Google DNS hijacking for displaying advertisements.
>>>
>>> ISPs have been doing this for years.
>>
>> I use 8.8.8.8 and don't see that.
>
> I didn't say that google was doing that.
>
> I said to use google to do a search to see who is.
>
> One result:
>
> ==========
> http://en.wikipedia.org/wiki/DNS_hij...lation_by_ISPs
>
> A number of consumer ISPs such as OpenDNS[2], Cablevision's Optimum
> Online,[3] Comcast,[4] Time Warner, Cox Communications, RCN,[5]
> Rogers,[6] Charter Communications, Verizon, Virgin Media, Frontier
> Communications, Bell Sympatico,[7] UPC,[8] T-Online,[9] Optus,[10]
> Mediacom,[11] ONO[12] and Bigpond (Telstra)[13][14][15][16] use DNS
> hijacking for their own purposes, such as displaying advertisements[17]
> or collecting statistics.
> ===========
>
> The hijack is usually used when a query is made for a non-existent
> domain and the DNS server returns a result that points to a server
> providing some sort of alternate content - usually containing
> advertising - instead of the user seeing a 404 or some other browser
> error.
>
> The file-sharing / file-downloading domains that were "hijacked" by the
> DOJ/ICE over the past few years are a good example of this (ie-
> tvshack.net and many others).
>
> The idea extends to DNS servers that operate in conjunction with content
> servers that can generate the web-pages being sought by the user in real
> time by accessing the real web page the user was browsing to, with the
> intent of replacing in-page advertising with other advertising, or
> adding a top or bottom banner ad.
>
> I'm surprised I have to inform this concept to the readers of this
> group.
>
> I was wondering why, in this case of operating a white-hat DNS server
> for the benefit of thousands or hundreds of thousands of trojanized
> PC's, that this technique of injecting a banner-ad wasn't being done.
>
> This would allow the users of those PC's to see a "friendly message" as
> a banner ad on any website they browse to, telling them that their PC or
> router has been hacked or trojanized - and how to remedy the situation.
>
> Those users may not believe that they are seeing a benevolent (as
> opposed to a malicious) message, but the effect nonetheless would be to
> tweak them into thinking that something might be wrong with their system
> and to seek out some trusted third-party remedy on their own.


OK.

I think I know what you are talking about now.

When a website is shut down, it is often "parked" and the parked page does
indeed show advertisement content and this is done by the hosting company
and doesn't have to do with a DNS server. The DNS server just points to
the hosting company's parked page that is used to display the advertising
content.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
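
Added example, not part of either poster's message: a way to tell, from the client side, whether a resolver rewrites answers for non-existent domains as described in the quoted text. It parses the raw DNS response to a probe for a name known not to exist; the probe name, the 192.0.2.10 address and the response bytes are constructed sample data, and all function names are hypothetical.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
PROBE = "zz-constructed-probe-7f3a91.example"   # constructed name that should not exist

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(qname, rcode, addrs=()):
    """Build a constructed DNS response (sample data, not captured traffic)."""
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1, plus RCODE
    msg = struct.pack("!6H", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!2H", 1, 1)    # QTYPE=A, QCLASS=IN
    for a in addrs:
        # Owner name is a compression pointer to offset 12 (the question name)
        msg += b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes(map(int, a.split(".")))
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, name ends here
            return off + 2
        if n == 0:                  # root label terminates the name
            return off + 1
        off += 1 + n

def probe_verdict(msg):
    """Classify the response to a probe for a name known not to exist."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode, off, addrs = flags & 0x000F, 12, []
    for _ in range(qd):                          # skip question section
        off = skip_name(msg, off) + 4
    for _ in range(an):                          # collect A records from answers
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    if rcode == RCODE_NXDOMAIN and not addrs:
        return ("honest", addrs)                 # resolver reported non-existence
    if rcode == RCODE_NOERROR and addrs:
        return ("rewritten", addrs)              # resolver substituted an address
    return ("inconclusive", addrs)
```

Several unrelated probe names that all return the same address point to resolver-side rewriting rather than a hosting company's parked page for one lapsed domain.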