"Med Network" exploit, Is it for real?

[jayhawker]

Just read this article http://www.atsnn.com/story/105049.html at abovetopsecret.com about a new internet wide exploit that is just now being seen by admins. Is this real? Have any of you ran into this problem yet?

[Striek]

the hijack may be happening on the DNS level rather than on an individual user's computer

Yeah. Sure. They hacked every nameserver on the planet and redirected them all to med network. I believe that.

And then after they tell the reader that the problem is not on their computer, they proceed to recommend

If you find your internet browser sending you to the Med Network site, you will need to flush your local DNS cache (for Windows 200x & Windows XP):

1. Close your browser
2. Click on your start menu, then click on "Run"
3. Type cmd in the box that appears
4. A new command prompt window will open. Type ipconfig /flushdns
5. Hit the enter key
6. Close the command prompt window.

Which sure as hell won't flush my ISP's nameserver.

A load of bull, I think. Probably just a virus fecking around with DNS queries locally that manages to hide itself very well. I've seen this type of thing before. As for nuking the system and starting from scratch, did the person test his / her installation media for viruses?

[Tiger Shark]

Actually, looking around, there is some stuff on this but nothing sensible.

Can you do a google for "Hijack This", d/l it, run it, save the results, (don't do anything), and post it here as an attached txt file.... There are a couple of others out there and I'd like to see if there is a commonality between yours and the others, Thanks

[jayhawker]

I haven't seen it yet on any of mine, just wondering if any of you have encountered it, or even if it is real.

[nihil]

Quite sophisticated for a hoax?

If it is on the local machine then you would see something............registry entries,dropped files or whatever.

If it was the ISP's servers the whole industry would be up in the air like the fourth of July.

No details, no substantiation, not EVEN the default page path in the browser............no screenshots? HELL it hasn't even drunk all the beer in my fridge

Until someone proves different I am calling "hoax" on this one..............hell they are saying that it has been around for three weeks...................now if "Uncle Sam" can't get a scumsite closed in THREE WEEKS.................I would suggest that we get the hell out of Iraq and all retreat to our bunkers?

If you want to read about a real one, try here, I got the heads up about 15 minutes ago:

http://www.trendmicro.com/vinfo/viru...me=WORM_ZAFI.D

Cheers

[Striek]

In my experience with removing this type of browser hijack, I am led to believe, as I said earlier, that this type of spyware actually hijacks the DNS request via a system library somewhere. I haven't yet analyzed the code to actually figure it out.

I have, however, eliminated any other cause I can think of, such as cache poisoning and HOSTS file manipulation.

Running ethereal on victim machines, I have seen normal DNS requests from IE browsers actually get sent out as requests for other pages, such as might be happening in this case. Nslookup requests and other browsers usually resolve these addresses fine, which is what leads me to believe that this is some sort of virus affecting Windows DNS query code. Nslookup and other browsers remain unaffected since they rely on thier own code to perform these requests.

Interestingly, removing the offending malware has in many situations completely broken Windows DNS resolution, which further supports this theory. Once again, while IE is completely unable to resolve addresses, as is Windows Explorer, nslookup and mozilla remain unaffected.

It would be interesting to infect a machine with it and figure out which files get changed, then reverse engineer libraries or try some strings searches to figure out exactly what happens. If anybody knows of where to delibertely infect a machine with this crap, please post a link as I have not had the oppurtunity to image an infected drive yet and don't know where this comes from.

<edit>
I removed a bunch of spyware from a Windows laptop for a roommate and IE DNS resolution stopped working. I can't remember whether I fixed it or installed Netscape. If I just put Netscape on, then the box likely still has that spyware on it. But dammit she's gone home for the holidays now.
</edit>

[nihil]

Hey Striek,

I have several test boxes free at the moment so if anyone can supply a sample?

Cheers

[nihil]

I have found some more.

It is not a local desktop level problem, it seems to be a DNS server level problem and has hit some ISPs.

I found this on a Windows ME support site:

http://reviews.cnet.com/5208-6141-0....ssageID=610451

Perhaps this will get ISPs to take things a bit more seriously?

[Striek]

Yeah. Sure. They hacked every nameserver on the planet and redirected them all to med network. I believe that.

Well, I stand corrected sir! Indeed they did infect some nameservers.

I must be remembering different problems.

In that case, just use other nameservers (after you tell your ISP of the problem). I have a couple written down around here just in case my ISP's servers go down.

Oh well, I can't always be right...

[nihil]

Well Striek,

I was wrong about the hoax bit...............except that the article we saw was "hysterical" rather than factual


I guess that these guys have gone a scam too far..............mess with ISPs and Corporates and you will bring down the big guns?

I wait with eager anticipation.................