
Thread: Feds shift DNSChanger cut-off deadline to July

  1. #41
    Whoever Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    In article <4F5EA586.CCCF6F71@Guy.com>, Virus@Guy.com says...
    >
    > Whoever wrote:
    >
    > > > So that can happen for any html content being requested by these
    > > > infected PC's.

    > >
    > > Yes, it is simple for a web server to modify the displayed results
    > > on the fly.

    >
    > A concept that went right over the heads of a lot of people here. Or at
    > least the reason why you'd want to do that in this situation.
    >
    > > The problem that I'm having with understanding your scenario
    > > is just how a DNS server will "tag" its response to a specific
    > > client

    >
    > Because the only clients hitting this DNS server are the ones infected
    > with some specific malware. The PC's hitting this DNS server are part
    > of a botnet that the fed's took down last year. They are the only PC's
    > using a special DNS server that was set up to replace a malicious
    > server.
    >
    > And because they're using this special server, the authorities and
    > white-hats know the rate at which these computers are getting cleaned up
    > because they monitor the traffic hitting this server. As machines get
    > cleaned up, they stop using this special DNS server and they use
    > what-ever is appropriate for them (their isp's server, etc).



    I understood all of that perfectly well but it has nothing to do with
    my question. Perhaps I didn't state it well. I'll try to reword it to
    make it clearer.

    As I understand it, you are describing two entirely separate
    transactions using the internet. The first one is a request to a DNS
    server to resolve a URL to an IP address. The IP address of the DNS
    server itself is already known and set in the compromised computer. In
    your example it was changed to 1.2.3.4 by the DNSChanger to form the
    botnet. So the compromised computer sends a request to 1.2.3.4
    (assumedly on port 53) to resolve the URL www.acme.com to an IP address.
    The DNS server then returns 1.2.3.4 (in your example) as the IP address
    for www.acme.com to the compromised computer. The compromised computer
    then opens a completely separate request to 1.2.3.4 (assumedly on port
    80) looking for the web server.

    Here is where I'm having trouble understanding what you are suggesting.
    How does that web server _know_ that this particular request is
    expecting to receive the web page actually hosted at www.acme.com? You
    seem to be suggesting that each response from the DNS server is somehow
    "tagged" to identify the desired URL (www.acme.com) back to the
    compromised computer. As far as I know, a DNS server cannot do that.
    Even if you hacked the server to append such "tag data" onto the
    response (i.e. "1.2.3.4/?host=www.acme.com") the compromised computer
    wouldn't know what to do with the "extra" data and would not be able to
    use it. Perhaps I'm wrong though. I don't know that much about the
    internal workings of DNS clients and it's been a long time since I
    looked over the RFC's for DNS resolution.

    Even if you could do such a thing and get it to somehow work for web
    pages, I have serious reservations about how other apps would react to
    that solution. For instance, when you're using DNS to resolve for things
    like time servers, IM servers, email servers, NNTP servers, update
    servers of all sorts, etc. Do you just treat them all as if they were
    web page address requests?



    --
    Whoever - but you can just call me who.
    whoever@wherever.invalid

  2. #42
    ~BD~ Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Aardvark wrote:
    > On Tue, 13 Mar 2012 16:33:14 +0100, Bear wrote:

    [....]

    >> This thread would have had value for newcomers until your ilk spoilt it.

    >
    > I didn't spoil it. I was following it with interest and made *no* comment
    > until some other ****er tried to spoil it.
    >
    > BD certainly *isn't* my 'ilk', and I consider it insulting that you
    > lumped me together with him in any context.
    >
    >> Your manner is putting people off.

    >
    > The fact that I commented on someone trying to spoil the thread?
    >
    > **** off.
    >
    >
    >


    I think you should apologise to 'Bear'.

    You really are an arrogant Bar Steward.

    Tell him, too, that you came and visited me on my narrowboat with your
    son and daughter - *and* drank my beer!

    You speak with a forked tongue, Aardvark. Folk are beginning to see your
    *real* persona - you're making really big mistakes. <shrug>

    --
    Dave - "It is much better to be hated for what you are, than to be loved
    for what you definitely are not." "Do unto others as you would have them
    do unto you."

  3. #43
    David W. Hodgins Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    On Tue, 13 Mar 2012 14:51:55 -0400, Whoever <whoever@wherever.invalid> wrote:

    > In article <4F5EA586.CCCF6F71@Guy.com>, Virus@Guy.com says...
    >> Because the only clients hitting this DNS server are the ones infected
    >> with some specific malware. The PC's hitting this DNS server are part


    > Here is where I'm having trouble understanding what you are suggesting.
    > How does that web server _know_ that this particular request is
    > expecting to receive the web page actually hosted at www.acme.com? You
    > seem to be suggesting that each response from the DNS server is somehow
    > "tagged" to identify the desired URL (www.acme.com) back to the
    > compromised computer. As far as I know, a DNS server cannot do that.


    The point is that since all dns requests coming to that name server
    are coming from infected clients, it would be easy to have that dns
    server only reply with valid addresses for sites useful in removing
    the trojan, and reply with an ip address that leads to a web
    server that only shows an instruction page, for all other requests.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  4. #44
    Whoever Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    In article <op.wa5ehqs6a3w0dxdave@hodgins.homeip.net>,
    dwhodgins@nomail.afraid.org says...
    >
    > The point is that since all dns requests coming to that name server
    > are coming from infected clients, it would be easy to have that dns
    > server only reply with valid addresses for sites useful in removing
    > the trojan, and reply with an ip address that leads to a web
    > server that only shows an instruction page, for all other requests.



    I understood that as well. It would be simple for the DNS servers to
    route all requests to the equivalent of a 404 error page with
    instructions on getting help. It would, of course, break non-http DNS
    requests and disable things like smtp, pop, imap, nntp, etc. but most
    users would probably figure it out pretty quickly.

    What I was wondering about was how VG intended to implement his idea
    which was somewhat different. He was going to use the DNS servers to
    route the requests to a web server (as above) but that server would then
    show the originally requested web page (www.acme.com in his example) but
    with the equivalent of a banner ad on the page with instructions on
    fixing their DNS. While it would be easy to have the web server build
    such a page with content from another server and a customized banner ad,
    I'm having trouble understanding how he would pass the URL of the
    originally requested page to the temporary web server from the original
    DNS request.


    --
    Whoever - but you can just call me who.
    whoever@wherever.invalid

  5. #45
    Aardvark Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    On Tue, 13 Mar 2012 23:32:37 +0000, ~BD~ wrote:

    > Aardvark wrote:
    >> On Tue, 13 Mar 2012 16:33:14 +0100, Bear wrote:

    > [....]
    >
    >>> This thread would have had value for newcomers until your ilk spoilt
    >>> it.

    >>
    >> I didn't spoil it. I was following it with interest and made *no*
    >> comment until some other ****er tried to spoil it.
    >>
    >> BD certainly *isn't* my 'ilk', and I consider it insulting that you
    >> lumped me together with him in any context.
    >>
    >>> Your manner is putting people off.

    >>
    >> The fact that I commented on someone trying to spoil the thread?
    >>
    >> **** off.
    >>
    >>
    >>
    >>

    > I think you should apologise to 'Bear'.
    >


    Explain what I've done that might require any apology, ****- especially
    to some random ******* lumping me in with the likes of you.

    > You really are an arrogant Bar Steward.
    >


    You're a sto0pid ****.

    > Tell him, too, that you <SNIP IRRELEVANT ****>
    >
    > You speak with a forked tongue, Aardvark.


    Point out where that is anywhere in evidence, you slimy ****.

    If you can.

    That ******* accused me of being a party to something *you* tried to do.
    I merely set him straight, ****.

    > Folk are beginning to see your
    > *real* persona


    LOL. Who is the *only* person who must constantly be reminded of what
    they are, ****?

    > - you're making really big mistakes. <shrug>


    Nope. No mistakes here, ****.



    --
    "Any man's death diminishes me, because I am involved
    in mankind, and therefore never send to know for whom
    the bell tolls; it tolls for thee".
    -John Donne (1572-1631)

  6. #46
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Whoever wrote:

    > I'm having trouble understanding how he would pass the URL of the
    > originally requested page to the temporary web server from the
    > original DNS request.


    You don't know from the DNS request what the client machine has in mind
    (http, https, ftp, smtp, pop, etc).

    If the client wants to do anything other than a few protocols (http,
    https, maybe ftp) then it's true that there's no way to make a message
    appear in front of the user's eyeballs.

    The odds are that it's going to be http or https (probably 95%
    certainty).

    So you always return a result of 1.2.3.4 anyways.

    If the infected machine comes back and tries to hit your server located
    at 1.2.3.4 on a port other than HTTP/HTTPS, then there's no clear
    strategy - things become more complicated.

    You're trying to act as the infected machine's DNS server and its
    Gateway, but I guess it really can work only for http or https.

    Remember that when you look at an HTTP request, the full url (including
    the FQDN of the target host) is included in the request. That's because
    any given web-server can host dozens of websites, so for it to know
    which web-site to serve up the entire URL is included in the http get
    request by the client.

    It's possible that the same http server can serve up a completely
    different website for acme.com and www.acme.com if it wants to.
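    The question raised in #44 and answered above (how a surrogate web server at 1.2.3.4 learns which site the infected machine actually wanted) comes down to the Host header of the HTTP request. The following is an added example, not code from anyone in this thread: it parses what arrives on the sinkhole's port 80, recovers the requested site where HTTP carries it, flags the non-HTTP traffic the posts say cannot be answered with a page, and builds the instruction page. The sample requests are constructed and the wording of the notice is assumed.

    ```python
    import html
    from typing import Optional, Tuple

    SINKHOLE_IP = "1.2.3.4"   # the thread's example address for the surrogate server

    # Constructed sample traffic (not captured from real machines)
    SAMPLE_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: www.acme.com\r\n"
                   b"User-Agent: example\r\n\r\n")
    SAMPLE_SMTP = b"EHLO victim.example\r\n"   # a mail client that ended up on port 80

    def requested_host(raw: bytes) -> Tuple[str, Optional[str]]:
        """Classify what arrived on the sinkhole's port 80 and recover the wanted site.

        kind is "http" (Host header or absolute URL names the site), "no_host"
        (HTTP/1.0-style request without Host, so the site cannot be known) or
        "not_http" (some other protocol hit the port; no page can be shown).
        """
        head = raw.split(b"\r\n\r\n", 1)[0]
        try:
            lines = head.decode("ascii").split("\r\n")
        except UnicodeDecodeError:
            return ("not_http", None)
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            return ("not_http", None)
        target = parts[1]
        if "://" in target:  # absolute-form request target carries the host itself
            return ("http", target.split("/")[2].split(":")[0].lower())
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == "host":
                return ("http", value.strip().split(":")[0].lower())
        return ("no_host", None)

    def notice_response(host: Optional[str]) -> bytes:
        """Build the instruction page served in place of the real site (host is
        HTML-escaped because it is client-supplied input)."""
        site = html.escape(host) if host else "the site you requested"
        body = ("<html><body><h1>Your DNS settings were changed by malware</h1>"
                f"<p>Your computer asked for {site} but is still using the "
                f"surrogate DNS server at {SINKHOLE_IP}. Follow the clean-up "
                "instructions before that server is switched off.</p></body></html>")
        payload = body.encode("utf-8")
        headers = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   f"Content-Length: {len(payload)}\r\nConnection: close\r\n\r\n")
        return headers.encode("ascii") + payload
    ```

    A real deployment would also count the recovered hosts per client address, which is the clean-up rate the authorities are described as measuring earlier in the thread.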

  7. #47
    FromTheRafters Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy wrote:
    > Whoever wrote:
    >
    >> I'm having trouble understanding how he would pass the URL of the
    >> originally requested page to the temporary web server from the
    >> original DNS request.

    >
    > You don't know from the DNS request what the client machine has in mind
    > (http, https, ftp, smtp, pop, etc).
    >
    > If the client wants to do anything other than a few protocols (http,
    > https, maybe ftp) then it's true that there's no way to make a message
    > appear in front of the user's eyeballs.
    >
    > The odds are that it's going to be http or https (probably 95%
    > certainty).
    >
    > So you always return a result of 1.2.3.4 anyways.
    >
    > If the infected machine comes back and tries to hit your server located
    > at 1.2.3.4 on a port other than HTTP/HTTPS, then there's no clear
    > strategy - things become more complicated.


    The bottom line is when you shut them down, they'll get the message.

  8. #48
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy <Virus@Guy.com> wrote in news:4F613B3A.79C6B9AF@Guy.com:

    > You're trying to act as the infected machine's DNS server and its
    > Gateway, but I guess it really can work only for http or https.


    I think you owe several people an apology... We tried to explain this to
    you...


    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  9. #49
    Virus Guy Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Dustin wrote:

    > > You're trying to act as the infected machine's DNS server and
    > > its Gateway, but I guess it really can work only for http or
    > > https.

    >
    > I think you owe several people an apology... We tried to explain
    > this to you...


    You made no such explanation, with your hahe's and lol's.

    My idea for the surrogate DNS server would allow those machines to
    function most of the time *AND* give their owners the message that their
    machine is infected (by way of html meddling).

    But what IS happening is that the surrogate DNS server is NOT giving
    those owners any message at all.

    If you're going to operate a temporary surrogate DNS server in the first
    place -> you tell me which strategy is better.

  10. #50
    Dustin Guest

    Re: Feds shift DNSChanger cut-off deadline to July

    Virus Guy <Virus@Guy.com> wrote in news:4F614B2B.E7CE1761@Guy.com:

    > Dustin wrote:
    >
    >> > You're trying to act as the infected machine's DNS server and
    >> > its Gateway, but I guess it really can work only for http or
    >> > https.

    >>
    >> I think you owe several people an apology... We tried to explain
    >> this to you...

    >
    > You made no such explanation, with your hahe's and lol's.


    Well, I did. I laughed a bit at you too, but in fairness; I did tell you
    to google how a DNS server really worked. At that point, you called me a
    dumbass and proceeded to confuse web server for DNS server with your
    explanation...

    Btw, had you not been such an arse about my humour, I'd likely explain
    in theory how you actually could have the web and DNS servers working
    together to pull off your nasty. They'd have two IPs, one internal, one
    external. Wouldn't take a rocket scientist to figure out what needs to
    be done next.

    > My idea for the surrogate DNS server would allow those machines to
    > function most of the time *AND* give their owners the message that


    Your idea? You invented the DNS system?

    > But what IS happening is that the surrogate DNS server is NOT giving
    > those owners any message at all.


    Of course not. It's resolving names to IP's, that's er, its job.
    Many clients that expect IP data in response will not be all that
    impressed if they get a url instead. I could just see xnews, pegasus,
    or pidgin going "WTF?" and showing me the debug windows. lol

    > If you're going to operate a temporary surrogate DNS server in the
    > first place - you tell me which strategy is better.


    My take on it is this...

    I personally think the machine should remain offline until a competent
    individual can repair the damage and set up security policies to keep it
    from happening again.

    As it will no longer have working DNS on its own, the malware will have
    to bring its own server list, or, the machine is dead in the water and
    no longer poses much threat to other systems. As its owner either
    doesn't know, OR more likely doesn't care, the internet loses nothing
    with their departure. It gains.

    When the owner gets a bill, they'll pay slightly more attention. I'm
    tired of irresponsible people. Not holding them liable only increases
    the problem.




    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts
