Mass DNS Poisoning...
Results 1 to 9 of 9

Thread: Mass DNS Poisoning...

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    Mass DNS Poisoning...

    FYI....

    According to the Internet Storm Center they have had several reports of wide-spread DNS poisoning of several sites including google.com, ebay.com and weather.com. We have investigated the sites that are reportingly redirecting users to and they attempt to install and download code and an Active X piece called ABC Search Webinstall. There is also a file called mhh.exe (I have a copy if anyone wants it) that appears to be Spyware that they attempt to download.


    DON'T CLICK ON THIS LINK UNLESS YOU WANT THE INSTALLER (mhh.exe) TO BEGIN.
    http://www.7sir7.com/abx_search_webi.../download.html

    Internet Storm Center Details:
    http://isc.sans.org//index.php

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    LOL... FYI everyone, TH13's first link is to a site reportedly affected by this...I haven't followed it, but from the ISC entry:
    Popular domain names such as google.com, ebay.com, and weather.com are being directed to the following servers. Of course when connecting to these servers, "bad things" (tm) will happen, so don't go to them.

    http/:www.7sir7.com (217.160.169.87)
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    The mhh.exe file is the installer for this....

    http://www.besttoolbars.net/

    Don't be a clown and get yourself infected. This means DON'T F#CKING click on it. Hows's that for a disclaimer Zen? LOL.

    Anyway, I figured that most here would see the URL and understand what it is. Perhaps I should resort back to the assumption of dumbness rule. Heh.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Perhaps I should resort back to the assumption of dumbness rule.
    Perhaps????? C'mon Hoss, you getting senile?

    Actually, I was waiting for this. ISC reported a month or so ago a small scale DNS poisoning event. The only reason I could see for it was a "dry run"....

    Nasty too that they do it late on a friday.... Just before everyone goes home for the weekend and is out of contact of those who might know about this kind of thing... Their IT chaps.... Nicely planned... All those google etc. hits over the weekend.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Perhaps????? C'mon Hoss, you getting senile?
    I can't remember. LOL.

    Whenever I'm operating within my environment, the dumbness flak jacket is always on. I figured this place was still somewhat safe to remove it. I stand corrected.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Damm. Google is still find to me!

    Friday = They gonna miss all the coorporate user! Bad timming!
    -Simon \"SDK\"

  7. #7
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    The good news is it looks like the 7sir7 site has been taken down! DNS lookup still resolves but nothing on port 80 anymore (used WGET to try to grab page and look at it).


  8. #8
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    742
    Since this is the topic of conversation right now, how exactly does dns poisoning work and why didnt this attack spread further or cause more damage than it did already.....

    What other impacts do you see spawning from this? From my slim understanding if this had been used for phishing (I am sure it will happen rather soon) what impacts could this have. does this only affect the name or does it affect the IP as well?

    Would like to learn some more on this pharming technique
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It is possible to poison DNS by informing a server that a particular asset is at an IP address other than the one it really is located. There are a few ways of doing this, see here for an example.

    Once the Server is poisoned then all requests to it will return the wrong IP for the asset that has been poisoned. The magnitude of the effect depends on the "level" of the DNS server. If I poison a server in my private domain then the only clients affected are my own. If I poison my ISP's server then all my ISP's customers are susceptible to the poisoning. If I can poison the root servers the entire internet would be poisoned.

    The thread I started here is a beneficial example of DNS Poisoning.

    [EDIT]

    Fixed my Ooops on the second link....

    [/EDIT]
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides