SANS ISC: DNS abnormalities
DNS abnormalities

**** UPDATE ****
The odd DNS issues are likely caused by the QHosts-1 Trojan. For details see:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719

http://vil.nai.com/vil/content/v_100719.htm
********
As initially posted to the SANS intrusions list, some sites observe an increase
in abnormal DNS queries. For the original post, see
http://cert.uni-stuttgart.de/archive/intrusions/2003/10/msg00003.html

A likely related issue has been reported to NT Bugtraq:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&D=0&F=P&P=1048

Here, a user reported that "Various Windows 2000 professional workstations are changing the DNS servers they are configured to use". The new DNS servers, 216.127.92.38 and 69.57.146.14, are hosted by 'Everyone's Internet Inc.' (ev1.com).

This user did report suspicious changes to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
For more details, see this NT Bugtraq post:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&D=0&F=P&P=1879
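As an added example (not from the diary or the NT Bugtraq post), the following Python script scans a .reg export of the Tcpip\Parameters\Interfaces keys for the indicators described above: the "r0x" marker value, a NameServer pointing at either of the two addresses, and an interface subkey whose name is not a GUID (the bogus "windows" subkey in the listing). The sample export is constructed from the listing above plus one made-up clean interface (its GUID and 10.0.0.1 are invented); treating the DHCP lease values as seconds since the Unix epoch is an assumption made here so the timestamps can be read as dates.

```python
"""Scan a Windows .reg export of the TCP/IP interface keys for the DNS-hijack
indicators from the diary (added example, not part of the original post)."""
import re
from datetime import datetime, timezone

# Indicators taken from the diary: the DNS servers the trojan configured and
# the "r0x" marker value it wrote under a bogus interface subkey.
BAD_NAMESERVERS = {"216.127.92.38", "69.57.146.14"}
MARKER_VALUE = "r0x"
INTERFACES_PATH = "\\Tcpip\\Parameters\\Interfaces\\"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample: the two keys from the diary listing plus one made-up
# clean interface (the GUID and 10.0.0.1 are invented for this example).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1B2C3D4E-0000-4000-8000-000000000001}]
"NameServer"="10.0.0.1"
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Handles the two value types in the listing: "string" and dword:hex."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1]
        else:
            keys[current][name] = val
    return keys


def scan_interfaces(keys):
    """Return (interface, kind, detail) findings for every Interfaces subkey."""
    findings = []
    for path, values in keys.items():
        idx = path.find(INTERFACES_PATH)
        if idx < 0:
            continue
        iface = path[idx + len(INTERFACES_PATH):]
        if MARKER_VALUE in values:
            findings.append((iface, "marker", f"{MARKER_VALUE}={values[MARKER_VALUE]!r}"))
        if not GUID_RE.match(iface):
            # Real interface subkeys are named by adapter GUID; "windows" is not.
            findings.append((iface, "non-guid-interface", iface))
        for server in re.split(r"[ ,]+", values.get("NameServer", "")):
            if server in BAD_NAMESERVERS:
                findings.append((iface, "bad-nameserver", server))
    return findings


def lease_times(values):
    """Decode the DHCP lease values as UTC dates (assumption: the dwords are
    seconds since the Unix epoch, as the Windows DHCP client stores them)."""
    out = {}
    for name in ("LeaseObtainedTime", "T1", "T2", "LeaseTerminatesTime"):
        if name in values:
            ts = datetime.fromtimestamp(values[name], tz=timezone.utc)
            out[name] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return out


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for iface, kind, detail in scan_interfaces(parsed):
        print(f"{kind:20} {iface}: {detail}")
    for path, values in parsed.items():
        for name, when in lease_times(values).items():
            print(f"{path.rsplit(chr(92), 1)[-1]} {name} = {when} UTC")
```

Run the script against an export taken with "regedit /e" of the Interfaces key on a suspect workstation; the lease timestamps tell you when DHCP last rewrote that interface's key, which helps decide whether the NameServer value was set by DHCP or by something else.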
------

If you would like to share any related logs, please send them to isc_AT_sans.org
Handlers