
Thread: Desktop DNS settings suspiciously changed pointing to Internet sites

  1. #1

    Desktop DNS settings suspiciously changed pointing to Internet sites

    Someone reported in NTBugtraq that the DNS server settings on their desktops are getting changed to point to 2 IP addresses on the Internet (216.127.92.38 and 69.51.146.14).

    It has affected W2K Pro workstations and Registry entries have been added/changed. One interesting one is:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
    "r0x"="your s0x"

    Has anyone else seen this? I'm concerned...ok maybe paranoid (call me that if you want)...that this may be a new worm/virus.

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    No, you're not paranoid, Windows operating systems are largely insecure, and new worms/viruses are being released every day.

    My problem with M$ products is that, regardless of how secure you attempt to make it, it's still insecure, and I'm saying this as an MCSE. Microsoft products suck. You always have to install 3rd party add-ons to keep your system relatively secure. I think the best way to secure a Windows machine is to remove the network card and unplug the keyboard. lol

    Any other opinions on the matter?


    --PuRe
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    This is a spyware problem easily fixed with Spybot S&D. I have had about 10 calls about this today...

    http://security.kolla.de/

    EDIT: As it seems right now, there are several variations of this thing out there. The one we have points to NS1.AOL.COM and can be removed with Spybot. The others are not responding to this approach.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    We just found one PC infected with this in-house and I am currently combing through it. An updated Spybot S&D on the machine itself hasn't detected it, and neither has Adaware. It had 69.57.146.14 as the DNS server.

    thehorse13: what's the name of this critter?

    We have found the registry entries along with a strange INI file, and there are reports on NTBugtraq that a web site causes a program to be downloaded, run, and then deleted. Yeah, nothing new I know, but so far I don't know what this thing is.

    More to come...

  5. #5
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    The Full Disclosure mailing list has indicated this is the Qhosts-1 worm/trojan.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    SANS had a decent writeup on this here (work in progress):

    http://isc.sans.org/diary.html?date=2003-10-01
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7

    QHosts1 it is...it's a DNS-hijacking trojan

    MsMittens is right: Network Associates is calling it Qhosts-1.

    It changes DNS settings AND the hosts file. It does this by exploiting the object type vulnerability Microsoft patched with MS03-032.

    I've read that the MS patch doesn't work and MS is working on a re-issue...anyone know more on this? Supposedly turning off ActiveX is the only way to protect against this at this time (until a fixed patch is released) - per this article.

    Ugh, Microsoft!
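    The two symptoms the thread describes (posts #1 and #7) are DNS server entries rewritten under the Tcpip\Parameters\Interfaces registry key, plus a modified hosts file. The following is an added triage script, not code from any of the posters: it parses a .reg export of that key (regedit File > Export, assumed to be in the standard "Windows Registry Editor Version 5.00" text format) and a hosts file taken off a suspect machine, and flags interfaces pointing at the two IPs quoted in post #1, the "r0x" value from post #1, and hosts entries that map a name to a non-loopback address. The registry export and hosts file below are constructed samples, not captures from an infected host.

```python
"""Offline triage for the DNS-hijack symptoms described in the thread.

Added example (not from the original posts). Assumes:
  - the registry text is a standard .reg export of
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  - the hosts file is the usual %SystemRoot%\system32\drivers\etc\hosts format
"""
import re

# The two DNS server addresses reported in post #1 of the thread.
SUSPECT_DNS = {"216.127.92.38", "69.51.146.14"}
# Registry value name reported in post #1 under the odd "windows" subkey.
MARKER_VALUES = {"r0x"}

# Constructed sample .reg export: one clean interface, one rewritten one,
# and the "windows" subkey with the marker value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1B2}]
"NameServer"="10.0.0.2,10.0.0.3"
"EnableDHCP"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C3D4}]
"NameServer"="216.127.92.38,69.51.146.14"
"DhcpNameServer"="10.0.0.2"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"""

# Constructed sample hosts file with two hijacked names.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
69.51.146.14    www.google.com
216.127.92.38   search.msn.com
"""


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (strings unquoted)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                name, data = m.groups()
                keys[current][name] = data.strip('"') if data.startswith('"') else data
    return keys


def find_dns_hijack(reg_text, suspect=SUSPECT_DNS):
    """Return [(interface_subkey, [suspect IPs])] for interfaces whose static or
    DHCP-assigned name servers include a suspect address."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        for name in ("NameServer", "DhcpNameServer"):
            ips = [ip for ip in re.split(r"[ ,]+", values.get(name, "")) if ip]
            bad = [ip for ip in ips if ip in suspect]
            if bad:
                hits.append((key.rsplit("\\", 1)[-1], bad))
    return hits


def find_marker_values(reg_text, markers=MARKER_VALUES):
    """Return [(interface_subkey, value_name)] for known marker values."""
    return [(key.rsplit("\\", 1)[-1], name)
            for key, values in parse_reg(reg_text).items()
            for name in values if name in markers]


def find_hosts_redirects(hosts_text):
    """Return [(ip, hostname)] for hosts entries that point a name anywhere
    other than loopback; on a workstation these are almost always suspect."""
    out = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip.startswith("127.") or ip == "::1":
            continue
        out.extend((ip, n) for n in names)
    return out


if __name__ == "__main__":
    for iface, bad in find_dns_hijack(SAMPLE_REG):
        print(f"interface {iface}: DNS points at {', '.join(bad)}")
    for iface, name in find_marker_values(SAMPLE_REG):
        print(f"interface {iface}: marker value {name!r} present")
    for ip, host in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"hosts: {host} -> {ip}")
```

    Run it against the real export and hosts file rather than the samples by reading those files into `find_dns_hijack` and `find_hosts_redirects`. Checking both DhcpNameServer and NameServer matters because a machine on DHCP still resolves through whatever the static NameServer value says once it is set; and a clean Spybot/Ad-Aware result (post #4) says nothing about the hosts file, which is why it is checked separately here.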

  8. #8
    I thought that the correct patch was MS03-040. I actually got called out to clean a machine that was infected with this this week. Here's the info I found on SARC:
    http://securityresponse.symantec.com...an.qhosts.html

  9. #9
    MS03-040 DOES patch this vulnerability properly. As I stated in my earlier post the trojan exploits the vulnerability MS originally tried to patch in MS03-032 but that patch didn't work.

    We are deploying the MS03-040 patch throughout our enterprise due to the ease of exploitation and severity.

    Hope your deployment is going well.
