October 1st, 2003, 06:09 PM
Desktop DNS settings suspiciously changed pointing to Internet sites
Someone reported in NTBugtraq that the DNS server settings on their desktops are getting changed to point to 2 IP addresses on the Internet (18.104.22.168 and 22.214.171.124).
It has affected W2K Pro workstations and Registry entries have been added/changed. One interesting one is:
Has anyone else seen this? I'm concerned...ok maybe paranoid (call me that if you want)...that this maybe a new worm/virus.
October 1st, 2003, 06:16 PM
No, your not paranoid, windows operating systems are largely insecure, and new worms/virus are being released everyday.
My problem with M$ products, is that, regardless of how secure you attempt to make it, it's still unsecure, and I'm saying this as an MCSE. Mircrosoft products suck. You always have to install 3rd party addons to keep your system relatively secure. I think the best way to secure a windows machine, is to remove the network card, and unplug the keyboard. lol
Any other opinions in the matter?
October 1st, 2003, 06:22 PM
This is a spyware problem easily fixed with Spybot S&D. I have had about 10 calls about this today...
EDIT: As it seems right now, there are several variations of this thing out there. The one we have points to NS1.AOL.COM and can be removed with Spybot. The others are not responding to this approach.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
October 1st, 2003, 09:55 PM
We just found one PC infected with this in-house and am currently combing through it. An updated Spybot S&D on the machine itself hasn't detected it, neither had Adaware. It had 126.96.36.199 as the DNS server.
thehorse13: what's the name of this critter?
We have found the registry entries along with a strange INI file and there are reports on NTBugtraq that a web site causes a program to be downloaded, run, and then deleted. Yeh, nothing new I know but so far dont know what this thing is.
More to come...
October 1st, 2003, 10:40 PM
The Full Disclosure mailing list has indicated this is the Qhosts-1 worm/trojan.
October 1st, 2003, 10:44 PM
SANS had a decent writeup on this here (work in progress):
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
October 1st, 2003, 11:35 PM
QHosts1 it is...it's a DNS-hijacking trojan
MsMittens is right: Network Associates is calling it Qhosts-1.
It changes DNS setting AND the hosts file. It does this through exploiting the object type vulnerability Microsoft patched with MS03-032.
I've read that the MS patch doesn't work and MS is working on a re-issue...anyone know more on this? Supposedly turning off Active-X is the only way to protect against this at this time (until fixed patch is released) - per this article.
October 10th, 2003, 09:00 PM
I thought that the correct patch was MS03-040. I actually got called out to clean a machine that was infected with this this week. Here's the info I found on SARC:
October 11th, 2003, 02:12 AM
MS03-040 DOES patch this vulnerability properly. As I stated in my earlier post the trojan exploits the vulnerability MS originally tried to patch in MS03-032 but that patch didn't work.
We are deploying the MS03-040 patch throughout our enterprise due to the ease of exploitation and severity.
Hope your deployment is going well.