
Thread: Feds shift DNSChanger cut-off deadline to July

  1. #11
    FromTheRafters Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy wrote:
    > FromTheRafters wrote:
    >
    >>> I'm surprised I have to inform this concept to the readers of this
    >>> group.

    >>
    >> you make it sound like it's a new thing.

    >
    > How so?
    >
    > I was not implying that it is a new thing.


    Yes, you only implied that we didn't already know. This has been
    happening for quite a while.

    >>> I was wondering why, in this case of operating a white-hat DNS
    >>> server for the benefit of thousands or hundreds of thousands of
    >>> trojanized PC's, that this technique of injecting a banner-ad
    >>> wasn't being done.


    Because in the scenario where it was being done - the ISP is involved in
    hijacking the DNS response and supplying their own special page.

    >> I think it's because it isn't being done by the DNS server,

    >
    > When-ever or where-ever it's done, the DNS server has to be involved for
    > the method to work.


    How so? That is, beyond the fact that a response has to exist for it to
    be hijacked.

    > Whether or not the DNS server is also used as the
    > surrogate web server used to inject the ad-content is just an academic
    > question.


    The DNS server either supplies an address or it doesn't.

    > If you want ad-content to be injected, and if you already are operating
    > a "rogue" DNS server (either black or white hat) that is being used by
    > some population of compromised PC's, then you have the ability to inject
    > the ads just by altering the software on your DNS server.


    How does one do this?

    >> Perhaps the authorities would have to 'take over' the ISPs *not*
    >> the DNS servers in order to do as you suggest?

    >
    > No.
    >
    > This issue pertains to a population of trojanized PC's or routers with
    > altered DNS settings. The PC's or routers have their DNS settings
    > pointing to a malicious server or servers (by way of a malicious IP
    > address I would guess).


    Yes, and these can return whatever results they want to. What will the
    client software do when they expect a numerical address or an error
    response and they get some HTML instead?

    > Now someone somewhere (law enforcement) has granted a white-hat the
    > ability to route that DNS traffic away from the malicious IP address and
    > instead to his own server. I'm saying go the extra step and have that
    > server generate a banner ad telling the fools with compromised systems
    > that they need to have their PC or router looked at and decontaminated.


    The DNS server is supposed to deliver HTML?

    > The ISP's of those compromised systems play no role in any of this.


    Indeed, but the article you linked to did. They mucked with the response
    from the DNS - not the DNS itself.

  2. #12
    David H. Lipman Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    From: "Virus Guy" <Virus@Guy.com>

    > "David H. Lipman" wrote:
    >
    >> I use 8.8.8.8 and ...

    >
    > Could you possibly hand over more data to google than they're already
    > getting from you?


    They don't get "data". All they get is my DNS lookups. This is also
    *******ized by the fact I use WGET emulating various User-Agents accessing
    malicious sites.

    I have no Google accounts and I don't even sip the Google k00l-aide. I do
    take advantage of what they host on the web w/o them knowing it is "me"
    doing it.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


  3. #13
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy <Virus@Guy.com> wrote in news:4F5B9CB7.44B6CEEB@Guy.com:

    > Dustin wrote:
    >
    >> > Can anyone explain why the replacement DNS server being operated
    >> > by the "white-hats" (ie - the feds) doesn't include a method to
    >> > inject or display a message to users in their browser window
    >> > telling them that their system is infected and/or has ****ed-up
    >> > DNS settings and give them a link to follow for more information,
    >> > yada yada, etc ?

    >>
    >> Too funny. Dude, google DNS server.
    >> hehehe...

    >
    > The joke's on you, dumb ass.


    dumbass? How unoriginal. Doesn't apply here. Really, google dns server.

    > Google DNS hijacking for displaying advertisements.


    I don't need to. I know what a DNS server is.

    > ISP's have been doing this for years.


    You don't have to be an ISP to run a DNS server, "dumb ass".




    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  4. #14
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy <Virus@Guy.com> wrote in news:4F5CC75A.A1D7220A@Guy.com:

    > I didn't say that google was doing that.


    LOL!!!!

    > I'm surprised I have to inform this concept to the readers of this
    > group.


    Trust me, you aren't informing us. You're entertaining us!

    > I was wondering why, in this case of operating a white-hat DNS server
    > for the benefit of thousands or hundreds of thousands of trojanized
    > PC's, that this technique of injecting a banner-ad wasn't being done.


    How does one inject a banner ad on a DNS server?

    > This would allow the users of those PC's to see a "friendly message"
    > as a banner ad on any website they browse to, telling them that their
    > PC or router has been hacked or trojanized - and how to remedy the
    > situation.


    I don't think my clients will be happy getting something other than an
    IP address when they query a dns server. Ya see, my email client
    wouldn't know WTF to do if it (the ehh, DNS server) sent html back...




    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by,
    and the only thing that's wrong is to get caught. - J.C. Watts

  5. #15
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:sNSdnf0BOeHuR8HSnZ2dnUVZ_vOdnZ2d@giganews.com :

    > From: "Virus Guy" <Virus@Guy.com>
    >
    >> "David H. Lipman" wrote:
    >>
    >>> I use 8.8.8.8 and ...

    >>
    >> Could you possibly hand over more data to google than they're
    >> already getting from you?

    >
    > They don't get "data". All they get is my DNS lookups. This is
    > also *******ized by the fact I use WGET emulating various User-Agents
    > accessing malicious sites.


    You lost him David. He has dns server confused with web server.


    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  6. #16
    David H. Lipman Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    From: "Dustin" <bughunter.dustin@gmail.com>

    > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    > news:sNSdnf0BOeHuR8HSnZ2dnUVZ_vOdnZ2d@giganews.com :
    >
    >> From: "Virus Guy" <Virus@Guy.com>
    >>
    >>> "David H. Lipman" wrote:
    >>>
    >>>> I use 8.8.8.8 and ...
    >>>
    >>> Could you possibly hand over more data to google than they're
    >>> already getting from you?

    >>
    >> They don't get "data". All they get is my DNS lookups. This is
    >> also *******ized by the fact I use WGET emulating various User-Agents
    >> accessing malicious sites.

    >
    > You lost him David. He has dns server confused with web server.
    >


    LOL ;-)


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp

  7. #17
    ~BD~ Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    FromTheRafters wrote:
    > They mucked with the response from the DNS - not the DNS itself.


    Were you around at the time Robear Dyer MVP made this post, FTR?

    http://groups.google.com/group/micro...274a3269?hl=en

    The links still work - but now go to an advertisement!

    Here's a rather out-of-date list of DTS_L members, but the best I can
    find. http://www.kellys-korner-xp.com/xp_dtsl_web_sites.htm

    Do you know if this 'special' group of Microsoft MVP's is still in
    existence? This post refers, albeit from some years ago.
    http://groups.google.com/group/micro...6a46cb99?hl=en

    If they *do* exist - what do they actually *do*?!!

    --
    Dave - "It is much better to be hated for what you are, than to be loved
    for what you definitely are not." "Do unto others as you would have them
    do unto you."

  8. #18
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    "David H. Lipman" wrote:

    > > You lost him David. He has dns server confused with web
    > > server.

    >
    > LOL ;-)


    Dave - are you clueless too?

    Ok, I'll explain it for you idiots.

    A bunch of trojanized or botted PC's have their dns set to 1.2.3.4. The
    server located at 1.2.3.4 is malicious.

    The feds authorize me (a white-hat) to operate a replacement DNS server
    at 1.2.3.4 while the C&C network for the botnet is taken down.

    So my server operates as a normal DNS server for these infected PC's,
    except that maybe I have a list of malicious domains that I'm not
    supposed to resolve for their benefit.

    This arrangement is supposed to last for maybe 6 months, because the
    thinking is that the owners of these infected PC's will eventually
    discover and clean them of this malware and it shouldn't take more
    than 6 months to do it.

    But guess what - after 6 months there's still a significant number of
    infected PC's. If I take down my DNS server, these machines will be
    left high and dry without a functioning DNS service.

    Now maybe that's not such a bad end result for the fools that own these
    infected PC's (some of them belong to fortune-500 companies, and even
    several federal departments of the US gov't).

    But the feds want me to keep operating my server, so they extend this
    arrangement for another few months.

    Now, here's what I think they can or should do and probably should have
    done from the very beginning:

    When anyone's PC performs a DNS request, say for www.acme.com, it's
    supposed to get the IP address for the A-record for www.acme.com.

    So let's say that one of these infected PC's performs a DNS query for
    www.acme.com and my DNS server located at 1.2.3.4 gets the query. What
    DNS result do I return to the infected PC? I return 1.2.3.4.

    Remember, 1.2.3.4 is me. I'm operating a DNS server at 1.2.3.4, but I
    can also operate a web (HTTP) server on port 80 at that IP address.

    So now the infected PC performs a http-get request to 1.2.3.4 and my
    web-server gets the request - and it will know that the page being
    requested is www.acme.com/what-ever/is/here.htm

    So my server will go to the real www.acme.com/what-ever/is/here.htm and
    grab that page -> and serve it up to the infected PC that's performing
    the http-get. But before I serve it up, my server will modify the html
    code and add a banner message across the top of the page saying "Hey,
    your computer is infected with XYZ malware. Click here to learn more".

    So that can happen for any html content being requested by these
    infected PC's.

    Now do you boobs understand?

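    The mechanism Virus Guy lays out above (the sinkhole DNS answers every
    A query with its own address, and a web server on that same address
    fetches the real page and splices a warning banner into the HTML), and
    Dustin's objection that a non-browser client only ever expects an
    address back from DNS, as an added example. This is not code from
    anyone in the thread; it is a self-contained Python sketch. The
    address 1.2.3.4, the Host-header-based upstream lookup, the banner
    text and the "upstream" pages are all assumptions or constructed
    inputs so it runs offline.

```python
import re
import struct

SINKHOLE_IP = "1.2.3.4"  # assumption: the replacement resolver's own address (from the post)

# Constructed stand-in for "the real www.acme.com": (status, headers, body)
FAKE_UPSTREAM = {
    ("www.acme.com", "/what-ever/is/here.htm"):
        (200, {"Content-Type": "text/html"},
         b"<html><head><title>Acme</title></head><body><h1>Acme</h1></body></html>"),
    ("www.acme.com", "/logo.png"):
        (200, {"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\nfake"),
}

BANNER = ('<div style="background:#fc0;padding:8px">Hey, your computer is infected '
          'with XYZ malware. <a href="http://1.2.3.4/help">Click here to learn more</a></div>')


def build_query(name, qtype=1, txid=0x1234):
    """Construct a minimal DNS query packet (constructed sample input, RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet):
    """Return (txid, name, qtype, offset just past the question section)."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        ln = packet[off]
        off += 1
        if ln == 0:
            break
        labels.append(packet[off:off + ln].decode())
        off += ln
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels), qtype, off + 4


def sinkhole_response(query, reply_ip=SINKHOLE_IP, ttl=60):
    """Answer every A query with reply_ip. The only payload a DNS answer can carry
    is resource-record data (4 bytes of IPv4 here); there is no place for HTML, which is
    why the banner has to come from a separate HTTP listener on that address."""
    txid, _name, qtype, qend = parse_question(query)
    question = query[12:qend]
    if qtype != 1:  # non-A query: empty NOERROR answer, nothing is hijacked
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in reply_ip.split("."))
    # name = compression pointer to offset 12, type A, class IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_answer_ip(response):
    """Pull the A-record address out of a response built by sinkhole_response()."""
    _txid, _name, _qtype, qend = parse_question(response)
    rdlength = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    rdata = response[qend + 12:qend + 12 + rdlength]
    return ".".join(str(b) for b in rdata)


def inject_banner(html, banner=BANNER):
    """Splice the banner in right after the opening <body> tag; prepend if there is none."""
    m = re.search(r"<body[^>]*>", html, re.IGNORECASE)
    if m:
        return html[:m.end()] + banner + html[m.end():]
    return banner + html


def handle_http_request(request_line, headers, upstream_fetch=lambda h, p: FAKE_UPSTREAM[(h, p)]):
    """Hypothetical surrogate web server on 1.2.3.4:80. The infected PC connects here
    because DNS said so; the Host header tells us which real site it wanted. Only
    text/html bodies are rewritten, and Content-Length is corrected afterwards.
    Caveats a practitioner would note: a mail client pointed at 1.2.3.4 by the same
    DNS answer finds no SMTP/POP listener, and HTTPS cannot be rewritten this way
    because the client would reject a certificate that is not www.acme.com's."""
    path = request_line.split()[1]
    status, resp_headers, body = upstream_fetch(headers["Host"], path)
    resp_headers = dict(resp_headers)
    if resp_headers.get("Content-Type", "").startswith("text/html"):
        body = inject_banner(body.decode()).encode()
    resp_headers["Content-Length"] = str(len(body))
    return status, resp_headers, body


if __name__ == "__main__":
    q = build_query("www.acme.com")
    print("DNS answer for www.acme.com:", parse_answer_ip(sinkhole_response(q)))
    _, h, b = handle_http_request("GET /what-ever/is/here.htm HTTP/1.1", {"Host": "www.acme.com"})
    print(h, b.decode())
```

    The DNS half returns 1.2.3.4 for every A query; the HTTP half only works
    for plain-HTTP browsers, which is exactly the gap Dustin points at.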
  9. #19
    Aardvark Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    On Sun, 11 Mar 2012 19:35:52 +0000, ~BD~ wrote:

    > FromTheRafters wrote:
    >> They mucked with the response from the DNS - not the DNS itself.

    >
    > Were you around at the time Robear Dyer <SNIP>


    > <SNIP NON SEQUITUR OFF-TOPIC ****>


    Stay on-topic, you sto0pid ****.

    --
    "Any man's death diminishes me, because I am involved
    in mankind, and therefore never send to know for whom
    the bell tolls; it tolls for thee".
    -John Donne (1572-1631)

  10. #20
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy <Virus@Guy.com> wrote in news:4F5D09FC.6C94DF3D@Guy.com:

    > "David H. Lipman" wrote:
    >
    >> > You lost him David. He has dns server confused with web
    >> > server.

    >>
    >> LOL ;-)

    >
    > Dave - are you clueless too?
    >
    > Ok, I'll explain it for you idiots.


    This should be good.

    > A bunch of trojanized or botted PC's have their dns set to 1.2.3.4.
    > The server located at 1.2.3.4 is malicious.
    >
    > The feds authorize me (a white-hat) to operate a replacement DNS
    > server at 1.2.3.4 while the C&C network for the botnet is taken down.


    With ya so far.

    > So my server operates as a normal DNS server for these infected PC's,
    > except that maybe I have a list of malicious domains that I'm not
    > supposed to resolve for their benefit.


    Yep.

    > This arrangement is supposed to last for maybe 6 months, because the
    > thinking is that the owners of these infected PC's will eventually
    > discover and clean them of this malware and it shouldn't take
    > more than 6 months to do it.


    Poor thinking then eh? Most users are.. well, lets face it, not
    interested or lazy.

    > But guess what - after 6 months there's still a significant number of
    > infected PC's. If I take down my DNS server, these machines will be
    > left high and dry without a functioning DNS service.


    Correct. Unless they configure the machine to use another one.

    > Now maybe that's not such a bad end result for the fools that own
    > these infected PC's (some of them belong to fortune-500 companies,
    > and even several federal departments of the US gov't).


    Saddening imho. Very bad security policies...

    > But the feds want me to keep operating my server, so they extend this
    > arrangement for another few months.


    Might be extended again and again...

    > Now, here's what I think they can or should do and probably should
    > have done from the very beginning:
    >
    > When anyone's PC performs a DNS request, say for www.acme.com, it's
    > supposed to get the IP address for the A-record for www.acme.com.


    Googled huh? Good boy. Now mebbe some intelligent conversation will
    follow.

    > So let's say that one of these infected PC's performs a DNS query for
    > www.acme.com and my DNS server located at 1.2.3.4 gets the query.
    > What DNS result do I return to the infected PC? I return 1.2.3.4.
    >
    > Remember, 1.2.3.4 is me. I'm operating a DNS server at 1.2.3.4, but
    > I can also operate a web (HTTP) server on port 80 at that IP address.


    You could.. Sure. Why do that tho? You'd make yourself an easier target
    to disable.

    > So now the infected PC performs a http-get request to 1.2.3.4 and my
    > web-server gets the request - and it will know that the page being
    > requested is www.acme.com/what-ever/is/here.htm


    Yep.

    > So my server will go to the real www.acme.com/what-ever/is/here.htm
    > and grab that page -> and serve it up to the infected PC that's
    > performing the http-get. But before I serve it up, my server will
    > modify the html code and add a banner message across the top of the
    > page saying "Hey, your computer is infected with XYZ malware. Click
    > here to learn more".


    Strangely enough, free webspace providers would do this. It was banner
    advertising, they'd insert it into your html. Still, nothing new going
    on here.

    > So that can happen for any html content being requested by these
    > infected PC's.


    Absolutely.

    > Now do you boobs understand?


    LOL!

    Not only do we understand, we well understood before you announced this
    terrible discovery! [g]




    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by,
    and the only thing that's wrong is to get caught. - J.C. Watts
