In article <4F5D09FC.6C94DF3D@Guy.com>, Virus@Guy.com says...
>
> Now, here's what I think they can or should do and probably should have
> done from the very beginning:
>
> When anyone's PC performs a DNS request, say for www.acme.com, it's
> supposed to get the IP address for the A-record for www.acme.com.
>
> So let's say that one of these infected PCs performs a DNS query for
> www.acme.com and my DNS server located at 1.2.3.4 gets the query. What
> DNS result do I return to the infected PC? I return 1.2.3.4.
>
> Remember, 1.2.3.4 is me. I'm operating a DNS server at 1.2.3.4, but I
> can also operate a web (HTTP) server on port 80 at that IP address.
>
> So now the infected PC performs a http-get request to 1.2.3.4 and my
> web-server gets the request - and it will know that the page being
> requested is www.acme.com/what-ever/is/here.htm

I'm just a dummy with almost no understanding of these things, so I
hope you don't mind my asking some questions here. How do you ever
expect the above to work for anything other than a simple, two computer
network? DNS servers get hit with thousands of requests per second from
a lot of different computers. While one may be asking for the address to
www.acme.com, others will be asking for addresses to www.foxnews.com,
www.microsoft.com, www.disney.com, etc. If all of them are being
directed back to 1.2.3.4 for their web content as well, how is the web
server you are running on port 80 going to know what content (albeit
modified with your banner) to serve back to the appropriate http-get? As
far as I understood it, the DNS request and the http-get request are
two, completely separate interactions.

> So my server will go to the real www.acme.com/what-ever/is/here.htm and
> grab that page -> and serve it up to the infected PC that's performing
> the http-get. But before I serve it up, my server will modify the html
> code and add a banner message across the top of the page saying "Hey,
> your computer is infected with XYZ malware. Click here to learn more".
>
> So that can happen for any html content being requested by these
> infected PCs.

Yes, it is simple for a web server to modify the displayed results on
the fly. There are a variety of ways to inject external content into a
web page. The problem that I'm having with understanding your scenario
is just how a DNS server will "tag" its response to a specific client
so that when that client then submits the http-get it will receive a web
page that contains the original content it was requesting (albeit with
an additional banner).

--
Whoever - but you can just call me who.
whoever@wherever.invalid
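On the question raised in the reply (how one web server at 1.2.3.4 can tell which site each client wanted), here is an added example, not code from either poster: an HTTP/1.1 client names the site in its Host header, so a sinkhole server can rebuild the intended URL from Host plus the request path and answer with a warning page rather than the requested content. The address 1.2.3.4 is the thread's placeholder and the page text is constructed.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer

SINKHOLE_IP = "1.2.3.4"  # placeholder address from the thread, not a real host


def intended_url(host_header, path):
    """Rebuild the URL the client meant to fetch from Host + request path.

    Every client lands on the same address, so the only thing that tells
    www.acme.com apart from www.foxnews.com is what the client itself
    sends: the Host header (HTTP/1.1) and the path on the request line.
    """
    if not host_header:
        return None  # HTTP/1.0 client sent no Host; nothing to disambiguate on
    host = host_header.strip().lower()
    if host == SINKHOLE_IP:
        return None  # client addressed the sinkhole directly, no original site
    return "http://%s%s" % (host, path or "/")


def warning_page(url):
    """Interstitial served instead of the requested content.

    Host and path are client-controlled, so they are HTML-escaped before
    being echoed into the page.
    """
    target = html.escape(url) if url else "the requested site"
    return ("<html><body><h1>Your computer appears to be infected</h1>"
            "<p>It tried to reach %s via a rogue DNS server. "
            "Click here to learn more.</p></body></html>" % target)


class SinkholeHandler(BaseHTTPRequestHandler):
    """Logs which site each client wanted and answers with the warning."""

    def do_GET(self):
        url = intended_url(self.headers.get("Host"), self.path)
        self.log_message("client %s wanted %s", self.client_address[0], url)
        body = warning_page(url).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind locally for testing; a real sinkhole would listen on its public IP.
    HTTPServer(("127.0.0.1", 8080), SinkholeHandler).serve_forever()
```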