DNS hacked/hijacked

[clint]

I'm having a strange problem It started on the October 1.
When I came how from work, my internet wouldn't work but
my local home lan worked fine. So I thought maybe I had a
virus or got hacked. I ran fport (a security tool by
foundstone.com) and noticed something strange, a program
running on UDP port 2888 (even though my net wasn't
working).

I pulled up taskmgr and noticed 2 unfamiliar programs that
I usually don't see running mshta.exe and wisptis.exe. I
was thinking maybe somehow I got an mshta exploit? I'm on
Windows 2000 Pro. I have all patches and services packs, I
have the lastest virus sigs from Norton (Symantec Corp
AV), I have Ad-Aware, and a pop up blocker too. I ran a
virus scan and it found nothing. I hadn't downloaded any
program, I don't use or even have Outlook installed and I
don't download attachments unless someone tells me they
are sending me one. Plus I haven't downloaded any
attachments in a long time.

Anyway I did end task on those two exe's. I checked the
usual virus prone registry areas for naught keys but
nothing was there. Ran Ad-Aware and it didn't find any spy
crap even. I have noticed that my pop up blocker doesn't
seem to be working as well as it was before.

By this time I was really starting to wonder what the hell
is going on? I checked my event logs and I noticed at
10:54PM Central (Oct 1) that there was a DNSCache error.
So I looked my tcp/ip config and my dns servers were set
to something they shouldn't be! Usually it is on
automatically obtain. I didn't change it and no one had
access to my computer. The DNS addresses were:
69.57.146.14
69.57.147.175
So once I changed those to automatically obtain, my
internet worked again. Still www.google.com wouldn't work.
I went to bed.

Today after school and work I started in on the problem
again. I did a ping of www.google.com:
Pinging www.google.com [207.44.194.56] with 32 bytes of
data:Reply from 207.44.194.56: bytes=32 time=50ms
TTL=49Reply from 207.44.194.56: bytes=32 time=50ms
TTL=49Reply from 207.44.194.56: bytes=32 time=50ms
TTL=49Reply from 207.44.194.56: bytes=32 time=50ms TTL=49

The ip didn't work either so I did nslookup on
www.google.com:
Server: blizzard.--edit--.net
Address: --edit--

Name: www.google.akadns.net
Address: 216.239.41.99
Aliases: www.google.com

That ip does work for google. So now I was confused. I did
ipconfig /flushdns and stopped and started the DNS
Service. Then I did ipconfig /displaydns and wow, I had
tons of entries! It filled a .txt file with 66kb worth of
entries when I piped it out. Now the weird part, they are
all search engines! There are many different search
engines (google included) which have this in common from
my /displaydns output:
Record Type . . . . . : 1
Time To Live . . . . : 31530094
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
207.44.194.56

There are tons of entries:
www.google.at
google.com.sg
search.yupimsn.com
search.ninemsn.com.au
search.msn.com.tw
go.google.com
www.google.nl
www.hotbot.com
search.msn.co.in
www.google.fr
search.msn.ch
search.msn.de
fr.ca.search.msn.com
auto.search.msn.com
google.co.il
search.yahoo.co.jp
www.lycos.com
web.ask.com
search.msn.it
google.pl
search.msn.fi
search.msn.com.sg
www.google.se
search.msn.dk
google.com
www.google.uk
search.msn.be
google.com.hk
www.google.com.ru
search.msn.fr
www.ask.com
altavista.com
www.google.com.tw
www.google.pl
search.latam.yupimsn.com
search.msn.com.br
search.msn.es
search.msn.co.za
www.google.com.tr
alltheweb.com
88.88.88.88.in-addr.arpa
google.com.mx
search.msn.at
www.google.pt
search.msn.no
56.194.44.207.in-addr.arpa (105 entries of this!)
www.teoma.com
search.t1msn.com.mx
www.google.com
search.msn.nl
search.lycos.com
www.google.com.sg
search.msn.com.hk
search.msn.com.my
uk.search.msn.com
www.google.com.au
search.fr.msn.ch
uk.search.yahoo.com
www.looksmart.com
hotbot.com
www.google.com.gr
www.google.co.nz
www.google.com.hk
www.google.co.jp
www.google.co.kr
de.search.yahoo.com
www.altavista.com
search.fr.msn.be
www.lycos.co.jp
www.google.com.mx
ca.search.yahoo.com
ask.com
www.lycos.ca
search.yahoo.com
www.lycos.jp
google.ca
ca.search.msn.com
google.it
search.msn.com
google.fi
google.dk
www.google.co.il
google.be
www.lycos.de
search.xtramsn.co.nz
elite
www.google.ca
search.msn.co.jp
search.msn.co.kr
www.google.it
google.de
www.google.akadns.net
search.aol.com
www.google.fi
google.com.ru
www.google.jp
jp.search.yahoo.com
www.google.dk
search.msn.se
google.co.nz
www.google.be
google.ie
google.co.kr
google.at
www.google.co.uk
www.google.ch
au.search.yahoo.com
www.google.de
www.google.co.th
google.nl
www.google.ie
google.fr

In total there were 220 entries with the same record info!
105 of the entries are 5 6.194.44.207.in-addr.arpa too.
207.44.196.56 resolves to paola.hostingminds.com. The
domain hostingminds.com is just a holding place page and
the paola subdomain is a plesk server admin holding place
page.

69.57.146.14 - doesn't resolve
69.57.147.175 - doesn't resolve
207.44.196.56 - paola.hostingminds.com

All the addresses trace back to a netblock owned by
Everyone's Internet (I used
http://visualware.visualroute.com to trace).
My dns cache won't get rid of those addresses. My DNS got
hijacked/hacked somehow it looks. Not sure how since I'm
very security conscious, in fact this is the first time
anything has ever happened to my computer. Thanks for
reading all this and I'm looking forward to comments.

 

[clint]

I forgot to add two other pieces of info:
207.44.194.56 - doesn't resolve but goes to a netblock
owned by Everyone's Internet.

Everyones Internet: www.ev1.net

Also when I first noticed to problem on Oct 1, the first
time I rebooted it Windows complained about command.com
and I had to end task on it. I thought windows 2000 uses
cmd.exe? I thought that was weird since I've never gotten
that before when I have rebooted. Also those 2 .exe's in
question didn't start back up when I rebooted since then.
Not sure if they had anything to do with it. wisptis.exe
looks like it might be for my Logitech mouse. mshta.exe is
the only exe I can't account for. Norton says no viruses
though. Really strange. Hopefully someone will reply to
this by the time I wake up tomorrow. Sorry about all the
grammar mistakes, forgotten words, or wrong words in the
previous post. I was making it as quickly as possible.

 

[Jonathan de Boyne Pollard]

c> I'm having a strange problem [...]
c> [...] I looked my tcp/ip config and my dns servers were
c> set to something they shouldn't be! Usually it is on
c> automatically obtain. [...] The DNS addresses were:
c> 69.57.146.14 [and] 69.57.147.175
c> I did ipconfig /displaydns and wow, I had tons of entries!
c> It filled a .txt file with 66kb worth of entries [...]
c> Now the weird part, they are all search engines! [...]
c> My dns cache won't get rid of those addresses. [...]
c> The first time I rebooted it Windows complained about command.com [...]

You've been hit by the "Delude.B" trojan. This trojan uses a bug
in Microsoft's Internet Explorer (which, according to CERT Incident
Note IN-2003-04, has not been properly fixed) that allows web page
authors to write web pages that will cause Internet Explorer to
automatically download and execute whatever programs the web page
author desires. So at some point you've displayed a web page that
caused this trojan to be downloaded and run.

The trojan changes the proxy DNS servers that your DNS Client is
configured to use, to the addresses of two machines assigned to
Everyone's Internet which were discovered to have been compromised
and which have since been taken out of service. The intent of the
attacker was clearly to run a proxy DNS service providing
name->address mappings of his/her choosing, in order to impersonate
services without your being any the wiser.

The trojan also populates your "HOSTS" file with a large number
of entries, mapping the names of several widely used web sites to
an IP address whose content HTTP service the attacker intended to
control. The intent of the attacker was clearly, again, to
impersonate services without your being any the wiser. The fact that
these are search engines is not weird, therefore.

The reason that flushing the DNS Client cache does not cause these
mappings to go away is that Microsoft's DNS Client automatically
initially populates its cache from the content of the "HOSTS" file.
You must edit the "HOSTS" file itself for these mappings to go away.

The trojan does not stick around. It performs its task and then
deletes itself from the machine. Since running executables in Win32
cannot delete themselves, it does this by spawning a command
interpreter, passing it a command script containing commands to
delete both the executable and the script. My educated guess is
that the NTVDM process running COMMAND was caused by a witless novice
coding error on the part of the author of the trojan: hard-wiring
"COMMAND" as the name of the command interpreter that it invokes
instead of looking at the value of the %COMSPEC% environment
variable to find what command interpreter to use, as one should.

<URL:http://www.cert.org./incident_notes/IN-2003-04.html>
<URL:http://f-secure.com./v-descs/delude.shtml>

 

[Guy Lee]

You have a virus.
Check out http://vil.nai.com/vil/content/v_100719.htm for information
and instructions for removal.

Good Luck.

 

[Randall]

I forgot to add two other pieces of info:
207.44.194.56 - doesn't resolve but goes to a netblock
owned by Everyone's Internet.

Everyones Internet: www.ev1.net

Also when I first noticed to problem on Oct 1, the first
time I rebooted it Windows complained about command.com
and I had to end task on it. I thought windows 2000 uses
cmd.exe? I thought that was weird since I've never gotten
that before when I have rebooted. Also those 2 .exe's in
question didn't start back up when I rebooted since then.
Not sure if they had anything to do with it. wisptis.exe
looks like it might be for my Logitech mouse. mshta.exe is
the only exe I can't account for. Norton says no viruses
though. Really strange. Hopefully someone will reply to
this by the time I wake up tomorrow. Sorry about all the
grammar mistakes, forgotten words, or wrong words in the
previous post. I was making it as quickly as possible.

I don't think it is a rogue program. Check you winnt/help/hosts file.
You you will most likely find all the websites listed there. Delete
them and reboot. I am investigating the cause now.


Randall Cole

 

[clint]

Yeah it was the Trojan.Qhosts that got me. Dunno which
page give to me though. Oh well, I had it fixed by Friday.

 

[Curious]

i am affected by the same virus, how can we fix it, i change my DNS server
back to what it should be, but i can not go to the google.com and can not
flush the DNS cache, i check my hosts files they are empty.


--
Curious

MCSE, CCNP

c> I'm having a strange problem [...]
c> [...] I looked my tcp/ip config and my dns servers were
c> set to something they shouldn't be! Usually it is on
c> automatically obtain. [...] The DNS addresses were:
c> 69.57.146.14 [and] 69.57.147.175
c> I did ipconfig /displaydns and wow, I had tons of entries!
c> It filled a .txt file with 66kb worth of entries [...]
c> Now the weird part, they are all search engines! [...]
c> My dns cache won't get rid of those addresses. [...]
c> The first time I rebooted it Windows complained about command.com [...]

You've been hit by the "Delude.B" trojan. This trojan uses a bug
in Microsoft's Internet Explorer (which, according to CERT Incident
Note IN-2003-04, has not been properly fixed) that allows web page
authors to write web pages that will cause Internet Explorer to
automatically download and execute whatever programs the web page
author desires. So at some point you've displayed a web page that
caused this trojan to be downloaded and run.

The trojan changes the proxy DNS servers that your DNS Client is
configured to use, to the addresses of two machines assigned to
Everyone's Internet which were discovered to have been compromised
and which have since been taken out of service. The intent of the
attacker was clearly to run a proxy DNS service providing
name->address mappings of his/her choosing, in order to impersonate
services without your being any the wiser.

The trojan also populates your "HOSTS" file with a large number
of entries, mapping the names of several widely used web sites to
an IP address whose content HTTP service the attacker intended to
control. The intent of the attacker was clearly, again, to
impersonate services without your being any the wiser. The fact that
these are search engines is not weird, therefore.

The reason that flushing the DNS Client cache does not cause these
mappings to go away is that Microsoft's DNS Client automatically
initially populates its cache from the content of the "HOSTS" file.
You must edit the "HOSTS" file itself for these mappings to go away.

The trojan does not stick around. It performs its task and then
deletes itself from the machine. Since running executables in Win32
cannot delete themselves, it does this by spawning a command
interpreter, passing it a command script containing commands to
delete both the executable and the script. My educated guess is
that the NTVDM process running COMMAND was caused by a witless novice
coding error on the part of the author of the trojan: hard-wiring
"COMMAND" as the name of the command interpreter that it invokes
instead of looking at the value of the %COMSPEC% environment
variable to find what command interpreter to use, as one should.

<URL:http://www.cert.org./incident_notes/IN-2003-04.html>
<URL:http://f-secure.com./v-descs/delude.shtml>

 

[Curious]

here is a Solution to this problem

http://clk.about.com/?zi=1/XJ&sdn=antivirus&zu=http://vil.nai.com/vi
l%2Fcontent%2Fv_100719.htm


--
Curious

MCSE, CCNP

c> I'm having a strange problem [...]
c> [...] I looked my tcp/ip config and my dns servers were
c> set to something they shouldn't be! Usually it is on
c> automatically obtain. [...] The DNS addresses were:
c> 69.57.146.14 [and] 69.57.147.175
c> I did ipconfig /displaydns and wow, I had tons of entries!
c> It filled a .txt file with 66kb worth of entries [...]
c> Now the weird part, they are all search engines! [...]
c> My dns cache won't get rid of those addresses. [...]
c> The first time I rebooted it Windows complained about command.com [...]

You've been hit by the "Delude.B" trojan. This trojan uses a bug
in Microsoft's Internet Explorer (which, according to CERT Incident
Note IN-2003-04, has not been properly fixed) that allows web page
authors to write web pages that will cause Internet Explorer to
automatically download and execute whatever programs the web page
author desires. So at some point you've displayed a web page that
caused this trojan to be downloaded and run.

The trojan changes the proxy DNS servers that your DNS Client is
configured to use, to the addresses of two machines assigned to
Everyone's Internet which were discovered to have been compromised
and which have since been taken out of service. The intent of the
attacker was clearly to run a proxy DNS service providing
name->address mappings of his/her choosing, in order to impersonate
services without your being any the wiser.

The trojan also populates your "HOSTS" file with a large number
of entries, mapping the names of several widely used web sites to
an IP address whose content HTTP service the attacker intended to
control. The intent of the attacker was clearly, again, to
impersonate services without your being any the wiser. The fact that
these are search engines is not weird, therefore.

The reason that flushing the DNS Client cache does not cause these
mappings to go away is that Microsoft's DNS Client automatically
initially populates its cache from the content of the "HOSTS" file.
You must edit the "HOSTS" file itself for these mappings to go away.

The trojan does not stick around. It performs its task and then
deletes itself from the machine. Since running executables in Win32
cannot delete themselves, it does this by spawning a command
interpreter, passing it a command script containing commands to
delete both the executable and the script. My educated guess is
that the NTVDM process running COMMAND was caused by a witless novice
coding error on the part of the author of the trojan: hard-wiring
"COMMAND" as the name of the command interpreter that it invokes
instead of looking at the value of the %COMSPEC% environment
variable to find what command interpreter to use, as one should.

<URL:http://www.cert.org./incident_notes/IN-2003-04.html>
<URL:http://f-secure.com./v-descs/delude.shtml>