
Thread: Feds shift DNSChanger cut-off deadline to July

  1. #21
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Aardvark <aardvark@aardvark.uk.tc> wrote in news:jjj30f$kht$1@dont-
    email.me:

    > On Sun, 11 Mar 2012 19:35:52 +0000, ~BD~ wrote:
    >
    >> FromTheRafters wrote:
    >>> They mucked with the response from the DNS - not the DNS itself.
    >>
    >> Were you around at the time Robear Dyer <SNIP>
    >
    >> <SNIP NON SEQUITUR OFF-TOPIC ****>
    >
    > Stay on-topic, you sto0pid ****.
    >


    It's too complex for him. Virus_Guy has a better understanding.


    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  2. #22
    Peter Foldes Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:I_Sdna-Ca4sEY8HSnZ2dnUVZ8sqdnZ2d@bt.com...

    > Do you know if this 'special' group of Microsoft MVP's is still in existence? This
    > post refers, albeit from some years ago.
    > http://groups.google.com/group/micro...6a46cb99?hl=en
    >
    > If they *do* exist - what do they actually *do*?!!





    Why do you want to change the subject at hand on purpose? Stay on topic.

    BTW: Frank passed away in 2008 and the MVP Private group is still very much in
    existence and active. They all love you so much that they decided not to respond to
    you in any newsgroups or on any server-related sites. The agreement was 100% in
    agreement with everyone. Robear sends his love as does Kelly. Now go and jump into a
    lake which is infested with gators or piranhas for a first-hand look at how they
    survive by not starving.

    BTW: I love you too

    JS



  3. #23
    David H. Lipman Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    From: "Virus Guy" <Virus@Guy.com>

    > "David H. Lipman" wrote:
    >
    >>> You lost him David. He has dns server confused with web
    >>> server.
    >>
    >> LOL ;-)
    >
    > Dave - are you clueless too?
    >
    > Ok, I'll explain it for you idiots.
    >
    > A bunch of trojanized or botted PC's have their dns set to 1.2.3.4. The
    > server located at 1.2.3.4 is malicious.
    >
    > The feds authorize me (a white-hat) to operate a replacement DNS
    > server at 1.2.3.4 while the C&C network for the botnet is taken down.
    >
    > So my server operates as a normal DNS server for these infected PC's,
    > except that maybe I have a list of malicious domains that I'm not
    > supposed to resolve for their benefit.
    >
    > This arrangement is supposed to last for maybe 6 months, because the
    > thinking is that the owners of these infected PC's will eventually
    > discover and clean them of this malware and it shouldn't take more
    > than 6 months to do it.
    >
    > But guess what - after 6 months there's still a significant number of
    > infected PC's. If I take down my DNS server, these machines will be
    > left high and dry without a functioning DNS service.
    >
    > Now maybe that's not such a bad end result for the fools that own these
    > infected PC's (some of them belong to fortune-500 companies, and even
    > several federal departments of the US gov't).
    >
    > But the feds want me to keep operating my server, so they extend this
    > arrangement for another few months.
    >
    > Now, here's what I think they can or should do and probably should have
    > done from the very beginning:
    >
    > When anyone's PC performs a DNS request, say for www.acme.com, it's
    > supposed to get the IP address for the A-record for www.acme.com.
    >
    > So let's say that one of these infected PC's performs a DNS query for
    > www.acme.com and my DNS server located at 1.2.3.4 gets the query. What
    > DNS result do I return to the infected PC? I return 1.2.3.4.
    >
    > Remember, 1.2.3.4 is me. I'm operating a DNS server at 1.2.3.4, but I
    > can also operate a web (HTTP) server on port 80 at that IP address.
    >
    > So now the infected PC performs a http-get request to 1.2.3.4 and my
    > web-server gets the request - and it will know that the page being
    > requested is www.acme.com/what-ever/is/here.htm
    >
    > So my server will go to the real www.acme.com/what-ever/is/here.htm and
    > grab that page -> and serve it up to the infected PC that's performing
    > the http-get. But before I serve it up, my server will modify the html
    > code and add a banner message across the top of the page saying "Hey,
    > your computer is infected with XYZ malware. Click here to learn more".
    >
    > So that can happen for any html content being requested by these
    > infected PC's.
    >
    > Now do you boobs understand?


    I read what you wrote and it gives me a headache.

    The same people behind the DNSChanger Trojan were behind ESTDomains and had
    also set up some malicious DNS Servers. Their DNSChanger software changed the DNS
    Tables of infected computers and some easily compromised SOHO Routers to
    point their altered DNS Clients to a fixed set of servers.

    The malicious servers:
    85.255.112.0 ~ 85.255.127.255
    67.210.0.0 ~ 67.210.15.255
    93.188.160.0 ~ 93.188.167.255
    77.67.83.0 ~ 77.67.83.255
    213.109.64.0 ~ 213.109.79.255
    64.28.176.0 ~ 64.28.191.255

    They have now been taken over and are no longer malicious. The ONLY problem
    is when they are shut down; then those computers and SOHO Routers which have
    not been altered to ISP, hosting company, root or public service DNS systems
    will stop having name-to-IP resolution.

    There is NO DNS Server Daemon being set up on infected computers. The
    Malicious Actors had a fixed set of DNS Servers and that is it.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp

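A defender-side check for the ranges Dave lists above, added here as an example (it is not code from the thread, from the FBI, or from any DNSChanger tool): it turns the start ~ end pairs into CIDR networks and flags any resolver in a resolv.conf-style file that falls inside them, which is exactly the population that loses resolution when the replacement servers go dark. The sample resolv.conf text and the addresses 192.0.2.53 and 85.255.120.7 in it are constructed for the demonstration.

```python
import ipaddress

# The six address ranges as posted in the thread (start ~ end form).
# A host or SOHO router whose configured resolver falls inside them was
# pointed there by DNSChanger and will lose name resolution when the
# replacement servers are switched off.
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def ranges_to_networks(ranges):
    """Convert start~end pairs into CIDR networks for fast membership tests."""
    networks = []
    for start, end in ranges:
        networks.extend(
            ipaddress.summarize_address_range(
                ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
            )
        )
    return networks


DNSCHANGER_NETWORKS = ranges_to_networks(DNSCHANGER_RANGES)


def is_dnschanger_resolver(ip):
    """True if `ip` lies inside one of the posted ranges; False for anything
    else, including strings that are not valid IPv4 addresses at all."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False
    return any(addr in net for net in DNSCHANGER_NETWORKS)


def parse_resolv_conf(text):
    """Pull the nameserver addresses out of resolv.conf-style text.
    Comments (# or ;) and unrelated directives such as `search` are ignored."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(text):
    """Return {resolver: flagged} for every nameserver found in `text`."""
    return {ip: is_dnschanger_resolver(ip) for ip in parse_resolv_conf(text)}


# Constructed sample file: one ordinary resolver (192.0.2.53 is from the
# documentation range, not a real server) and one inside a posted range.
SAMPLE_RESOLV_CONF = """\
# constructed example, not a real host's file
search example.invalid
nameserver 192.0.2.53
nameserver 85.255.120.7   ; hypothetical DNSChanger-set resolver
"""

if __name__ == "__main__":
    for ip, flagged in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{ip:16} {'DNSChanger range' if flagged else 'ok'}")
```

The same membership test applies to a SOHO router's WAN DNS settings or to the resolver addresses seen in a DHCP lease; only the parser in front of it changes.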

  4. #24
    David H. Lipman Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    From: "Dustin" <bughunter.dustin@gmail.com>

    > Aardvark <aardvark@aardvark.uk.tc> wrote in news:jjj30f$kht$1@dont-
    > email.me:
    >
    >> On Sun, 11 Mar 2012 19:35:52 +0000, ~BD~ wrote:
    >>
    >>> FromTheRafters wrote:
    >>>> They mucked with the response from the DNS - not the DNS itself.
    >>>
    >>> Were you around at the time Robear Dyer <SNIP>
    >>
    >>> <SNIP NON SEQUITUR OFF-TOPIC ****>
    >>
    >> Stay on-topic, you sto0pid ****.
    >>
    > It's too complex for him. Virus_Guy has a better understanding.
    >


    Yes, but a half a bubble off plumb.



    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp

  5. #25
    Aardvark Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    On Sun, 11 Mar 2012 21:11:24 +0000, Dustin wrote:

    > Aardvark <aardvark@aardvark.uk.tc> wrote in news:jjj30f$kht$1@dont-
    > email.me:
    >
    >> On Sun, 11 Mar 2012 19:35:52 +0000, ~BD~ wrote:
    >>
    >>> FromTheRafters wrote:
    >>>> They mucked with the response from the DNS - not the DNS itself.
    >>>
    >>> Were you around at the time Robear Dyer <SNIP>
    >>
    >>> <SNIP NON SEQUITUR OFF-TOPIC ****>
    >>
    >> Stay on-topic, you sto0pid ****.
    >>
    > It's too complex for him. Virus_Guy has a better understanding.


    LOL. IAWTP.

    The thread is interesting and all he wants to do is further his own
    ridiculous agenda by changing its theme.



    --
    "Any man's death diminishes me, because I am involved
    in mankind, and therefore never send to know for whom
    the bell tolls; it tolls for thee".
    -John Donne (1572-1631)

  6. #26
    David H. Lipman Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    From: "Aardvark" <aardvark@aardvark.uk.tc>

    > On Sun, 11 Mar 2012 21:11:24 +0000, Dustin wrote:
    >
    >> Aardvark <aardvark@aardvark.uk.tc> wrote in news:jjj30f$kht$1@dont-
    >> email.me:
    >>
    >>> On Sun, 11 Mar 2012 19:35:52 +0000, ~BD~ wrote:
    >>>
    >>>> FromTheRafters wrote:
    >>>>> They mucked with the response from the DNS - not the DNS itself.
    >>>>
    >>>> Were you around at the time Robear Dyer <SNIP>
    >>>
    >>>> <SNIP NON SEQUITUR OFF-TOPIC ****>
    >>>
    >>> Stay on-topic, you sto0pid ****.
    >>>
    >> It's too complex for him. Virus_Guy has a better understanding.
    >
    > LOL. IAWTP.
    >
    > The thread is interesting and all he wants to do is further his own
    > ridiculous agenda by changing its theme.
    >


    It's actually sad to see someone publicly piss all over themselves. Even
    worse by the fact that they are unaware that they are doing it in the first
    place.



    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


  7. #27
    Aardvark Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    On Sun, 11 Mar 2012 17:52:36 -0400, David H. Lipman wrote:

    > From: "Aardvark" <aardvark@aardvark.uk.tc>
    >
    >> On Sun, 11 Mar 2012 21:11:24 +0000, Dustin wrote:
    >>
    >>> Aardvark <aardvark@aardvark.uk.tc> wrote in news:jjj30f$kht$1@dont-
    >>> email.me:
    >>>
    >>>> On Sun, 11 Mar 2012 19:35:52 +0000, ~BD~ wrote:
    >>>>
    >>>>> FromTheRafters wrote:
    >>>>>> They mucked with the response from the DNS - not the DNS itself.
    >>>>>
    >>>>> Were you around at the time Robear Dyer <SNIP>
    >>>>
    >>>>> <SNIP NON SEQUITUR OFF-TOPIC ****>
    >>>>
    >>>> Stay on-topic, you sto0pid ****.
    >>>>
    >>> It's too complex for him. Virus_Guy has a better understanding.
    >>
    >> LOL. IAWTP.
    >>
    >> The thread is interesting and all he wants to do is further his own
    >> ridiculous agenda by changing its theme.
    >>
    > It's actually sad to see someone publicly piss all over themselves.
    > Even worse by the fact that they are unaware that they are doing it in
    > the first place.


    Yeah. Despite the fact that so many have pointed out such self-pissing so
    many times.



    --
    "Any man's death diminishes me, because I am involved
    in mankind, and therefore never send to know for whom
    the bell tolls; it tolls for thee".
    -John Donne (1572-1631)

  8. #28
    Whoever Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    In article <4F5D09FC.6C94DF3D@Guy.com>, Virus@Guy.com says...
    >
    > Now, here's what I think they can or should do and probably should have
    > done from the very beginning:
    >
    > When anyone's PC performs a DNS request, say for www.acme.com, it's
    > supposed to get the IP address for the A-record for www.acme.com.
    >
    > So let's say that one of these infected PC's performs a DNS query for
    > www.acme.com and my DNS server located at 1.2.3.4 gets the query. What
    > DNS result do I return to the infected PC? I return 1.2.3.4.
    >
    > Remember, 1.2.3.4 is me. I'm operating a DNS server at 1.2.3.4, but I
    > can also operate a web (HTTP) server on port 80 at that IP address.
    >
    > So now the infected PC performs a http-get request to 1.2.3.4 and my
    > web-server gets the request - and it will know that the page being
    > requested is www.acme.com/what-ever/is/here.htm



    I'm just a dummy with almost no understanding of these things, so I
    hope you don't mind my asking some questions here. How do you ever
    expect the above to work for anything other than a simple, two computer
    network? DNS servers get hit with thousands of requests per second from
    a lot of different computers. While one may be asking for the address to
    www.acme.com, others will be asking for addresses to www.foxnews.com,
    www.microsoft.com, www.disney.com, etc. If all of them are being
    directed back to 1.2.3.4 for their web content as well, how is the web
    server you are running on port 80 going to know what content (albeit
    modified with your banner) to serve back to the appropriate http-get? As
    far as I understood it, the DNS request and the http-get request are
    two completely separate interactions.


    > So my server will go to the real www.acme.com/what-ever/is/here.htm and
    > grab that page -> and serve it up to the infected PC that's performing
    > the http-get. But before I serve it up, my server will modify the html
    > code and add a banner message across the top of the page saying "Hey,
    > your computer is infected with XYZ malware. Click here to learn more".
    >
    > So that can happen for any html content being requested by these
    > infected PC's.



    Yes, it is simple for a web server to modify the displayed results on
    the fly. There are a variety of ways to inject external content into a
    web page. The problem that I'm having with understanding your scenario
    is just how a DNS server will "tag" its response to a specific client
    so that when that client then submits the http-get it will receive a web
    page that contains the original content it was requesting (albeit with
    an additional banner).


    --
    Whoever - but you can just call me who.
    whoever@wherever.invalid
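The piece Whoever is asking about is the HTTP Host header. The DNS lookup and the HTTP GET are indeed separate exchanges, and no tagging of the DNS answer is needed: an HTTP/1.1 client repeats the site name inside the request it sends to whatever address it was given, so a web server that every name resolves to can still tell www.acme.com traffic from www.disney.com traffic. The parser below is an added example, not code from the thread or from any DNSChanger sinkhole; it shows how a server, or a defender reading a capture of such traffic, recovers the requested site from the request alone, and what happens with an HTTP/1.0 client that sends no Host header. The three sample requests are constructed.

```python
from urllib.parse import urlsplit


def parse_http_request(raw):
    """Parse the request line and headers of an HTTP/1.x request head.
    Returns a dict with lower-cased header names. Raises ValueError on a
    malformed request line or header line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ", 2)
    except ValueError:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "version": version, "headers": headers}


def requested_site(request):
    """Work out (host, path) the client actually wanted.

    The connection's destination IP says nothing useful when every name
    resolves to the same address; the answer comes from the Host header
    (or from an absolute URL in the request line, as proxies receive).
    Returns None when neither is present, which is the HTTP/1.0 case a
    single-address server cannot disambiguate."""
    target = request["target"]
    if target.lower().startswith(("http://", "https://")):
        parts = urlsplit(target)
        return parts.hostname, parts.path or "/"
    host = request["headers"].get("host")
    if not host:
        return None
    # Drop an explicit port (www.acme.com:80) so only the name is returned.
    return host.split(":", 1)[0], target


# Constructed requests: three clients talking to the same address, telling
# the server which site they meant only through the request itself.
REQ_ACME = (b"GET /what-ever/is/here.htm HTTP/1.1\r\n"
            b"Host: www.acme.com\r\n"
            b"User-Agent: constructed-example\r\n\r\n")
REQ_OTHER = (b"GET /index.html HTTP/1.1\r\n"
             b"Host: www.example.com:80\r\n\r\n")
REQ_NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"   # HTTP/1.0, no Host header


def classify_requests(raws):
    """Map each raw request to the (host, path) it asked for, or None."""
    return [requested_site(parse_http_request(r)) for r in raws]


if __name__ == "__main__":
    for raw, site in zip((REQ_ACME, REQ_OTHER, REQ_NO_HOST),
                         classify_requests((REQ_ACME, REQ_OTHER, REQ_NO_HOST))):
        print(raw.split(b"\r\n")[0].decode(), "->", site)
```

The same Host-header extraction is what a resolver-sinkhole operator's web logs record, so counting distinct Host values per source address is a cheap way to see which infected clients are still out there and which sites they were trying to reach.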

  9. #29
    FromTheRafters Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    ~BD~ wrote:
    > FromTheRafters wrote:
    >> They mucked with the response from the DNS - not the DNS itself.
    >
    > Were you around at the time Robear Dyer MVP made this post, FTR?
    >
    > http://groups.google.com/group/micro...274a3269?hl=en


    Probably, as I'm no spring chicken.

    > The links still work - but now go to an advertisement!
    >
    > Here's a rather out-of-date list of DTS_L members, but the best I can
    > find. http://www.kellys-korner-xp.com/xp_dtsl_web_sites.htm
    >
    > Do you know if this 'special' group of Microsoft MVP's is still in
    > existence? This post refers, albeit from some years ago.
    > http://groups.google.com/group/micro...6a46cb99?hl=en
    >
    > If they *do* exist - what do they actually *do*?!!


    As I recall, it was a website temporarily put up by members of a mailing
    list. They helped people with computer related problems.

    Here's another web relic for you to wonder about as you wander about.

    http://members.shaw.ca/dts-l/default.htm

    The web needs a garbage collector, eh?


  10. #30
    FromTheRafters Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy wrote:
    > "David H. Lipman" wrote:
    >
    >>> You lost him David. He has dns server confused with web
    >>> server.
    >>
    >> LOL ;-)
    >
    > Dave - are you clueless too?
    >
    > Ok, I'll explain it for you idiots.


    LOL

    [...]
