
EXCLUSIVE: Med Network DNS Hijack, A Web Exploit That May Spell Cyber-Disaster


posted on Dec, 14 2004 @ 01:06 PM
A growing problem has started cropping up on the internet over the last month. It started early in November when internet help forums started receiving reports about what initially appeared to be a browser hijack of some sort: "My browser is constantly going to this "Med Network" home page. Doesn't matter what web page I try. It's an online pharmacy page." When standard removal methods for a browser hijack failed, however, people began to look closer at the problem. What they found has left many industry experts fearing the worst - the potential for this exploit to cripple the internet as a whole.
 

An early sign of the problem surfaced when some websurfers noticed an unusual graphic appearing in place of the image that should be there. An affected user might see, for example, the "prescription medication" image appear on their own website in place of the graphic they'd placed there despite having made no changes to the page.

Further reports began coming in of common websites such as Amazon.com or Google.com being redirected to the Med Network website (screen capture image of site). While fewer people noticed the initial image takeover, the redirection to a new website was patently obvious.

This isn't limited to one type of computer, operating system, or internet browser. The problem has been reported on people using Windows, Mac OS, Unix, and other operating systems. It happens on internet browsers including Internet Explorer, Netscape, Firefox, and Opera.

There are several programs on the market, termed adware and/or spyware removers, which take care of a standard browser hijack. Users who found themselves victim to the Med Network redirect were advised by security professionals to utilize these tools, but it was quickly determined that none of them worked.
"... I downloaded and ran CWShredder, Spy Subtract, and a few other free downloads - all to no avail. I can't get rid of the "Med Network."

As the problem spread, system administrators and other industry professionals found themselves faced with entire corporate networks being affected by the Med Network exploit. Armed with more knowledge than an average web user, they attempted more extreme correction methods.
"... all tests negative. No trojans or exploits found ... suspecting this is some new virus or spyware, I went for full partition format. Full C: format with fresh SP2 installation. This time installed Kaspersky and ZoneAlarm Pro. Again updated all using [my account], then logged into [ISP]. 5 mins later (that means for 5 mins it worked normally. All the right pages opening based on correct URLs) I get the same ... [Med Network] page."
In layman's terms, this individual encountered the exploit and used some advanced programs to try and isolate the problem. When he was unable to do so, he completely erased everything from his computer (including all traces of Windows) and reinstalled the programs. Ideally, this should remove any malicious software, such as a virus. Within 5 minutes of signing back online, he encountered the exact same redirection to the Med Network homepage.

This is one of the early clues that we are not looking at a virus or a piece of spyware -- at least, not like any the internet's ever encountered before.

The first issue to consider is regarding the redirection to the Med Network website (screen capture image of site).
As of yet it is unknown exactly how this redirection is happening. There is apparently no malicious software involved, so the hijack may be happening on the DNS level rather than on an individual user's computer. DNS, simply put, is how the internet connects your computer to the website you choose to view. If you want to view abovetopsecret.com, for example, a DNS server translates "abovetopsecret.com" into the unique numerical 'address' assigned to this website. It is similar to translating the tones when a phone number is dialed and causing the telephone of the person you're calling to ring. By altering that translation process on the internet, the web address you type in your browser can instead send a user to any website a hacker chooses.
Significant issues exist in forced redirects like this. A hacker can create code and place it on the website which can steal a user's personal information. In some cases, this can include passwords and credit card information.

The second, and more potentially damaging, issue to consider is regarding the image takeover.
By some unknown means, a third party has found a way to redirect this image from a remote web server. When a computer user who is affected by this exploit views a website, this image appears in place of one that should be there. To a non-affected user, the original image appears normally.
If this image is being forcibly inserted, then other types of files or code can be inserted just as easily. A small piece of program code can be served to an affected user; if enough users are affected and if the code is destructive enough, there exists the very real possibility that such an "army" of infected computers could bring the internet as a whole to its knees.

This exploit isn't delivered by any of the normal means of virus transmission. It isn't sent in an email, nor is it hidden in a program someone can download. At this point, it appears that it is randomly "forced" onto a computer and/or network, and that's not something that can yet be prevented by firewalls or antivirus software.
In addition, if initial fears are correct that this is a vulnerability in the very backbone of the internet, there may not be a program that can protect a computer from becoming infected.

As of this writing, a temporary solution to the problem has been discovered. It is important to note that the solution is only temporary and in no way alleviates the greater issues at play. It can, however, render an affected user's computer able to browse the internet normally for a time.
If you find your internet browser sending you to the Med Network site, you will need to flush your local DNS cache (for Windows 200x & Windows XP):

1. Close your browser
2. Click on your start menu, then click on "Run"
3. Type cmd in the box that appears
4. A new command prompt window will open. Type ipconfig /flushdns
5. Hit the enter key
6. Close the command prompt window.
7. **IMPORTANT** Return to the website you were visiting or attempting to visit when the redirection occurred, change your passwords, and remove any personal information (such as credit card numbers) you have on file at that website.


Sources:
CNET.com
majorgeeks.com
tech-arena.com
tek-tips.com
computercorps.biz


[edit on 14-12-2004 by Banshee]
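The post above describes the symptom (unrelated sites such as Amazon and Google all landing on one pharmacy page) and tells affected users to flush the Windows resolver cache. The script below is an added example, not code from the thread or from any of the cited sites: it reads the output of `ipconfig /displaydns` (the same cache that `ipconfig /flushdns` clears) and flags any address that several unrelated domains resolve to, which is exactly the pattern a poisoned cache produces. The dump embedded in it is constructed, with documentation-range addresses standing in for the real pharmacy site.

```python
"""Spot a redirect-style poisoning in a Windows resolver cache dump.

Added example, not from the original thread. SAMPLE_DUMP is a constructed
`ipconfig /displaydns` dump (real field labels, made-up addresses).
Heuristic: unrelated registered domains that all resolve to one address.
"""
import re
from collections import defaultdict

SAMPLE_DUMP = """\
Windows IP Configuration

    www.amazon.com
    ----------------------------------------
    Record Name . . . . . : www.amazon.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 290
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7

    www.google.com
    ----------------------------------------
    Record Name . . . . . : www.google.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 120
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7

    www.abovetopsecret.com
    ----------------------------------------
    Record Name . . . . . : www.abovetopsecret.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7

    mail.example.org
    ----------------------------------------
    Record Name . . . . . : mail.example.org
    Record Type . . . . . : 1
    Time To Live  . . . . : 600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.25
"""

NAME_RE = re.compile(r"Record Name[ .]*: (\S+)")
ADDR_RE = re.compile(r"A \(Host\) Record[ .]*: (\d+\.\d+\.\d+\.\d+)")


def parse_displaydns(text):
    """Return (name, ipv4) pairs for every A record in an ipconfig /displaydns dump."""
    records = []
    name = None
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            continue
        m = ADDR_RE.search(line)
        if m and name:
            records.append((name, m.group(1)))
    return records


def registered_domain(name):
    """Crude: last two labels. Enough to tell amazon.com from google.com."""
    return ".".join(name.split(".")[-2:])


def suspicious_addresses(records, threshold=3):
    """Addresses shared by at least `threshold` unrelated registered domains,
    mapped to the sorted list of those domains."""
    by_addr = defaultdict(set)
    for name, addr in records:
        by_addr[addr].add(registered_domain(name))
    return {a: sorted(d) for a, d in by_addr.items() if len(d) >= threshold}


if __name__ == "__main__":
    hits = suspicious_addresses(parse_displaydns(SAMPLE_DUMP))
    for addr, domains in hits.items():
        print(f"{addr} answers for {len(domains)} unrelated domains: {', '.join(domains)}")
        print("  -> run ipconfig /flushdns, then find out which resolver handed these out")
```

Run it against a real dump with `ipconfig /displaydns > dump.txt` and `parse_displaydns(open("dump.txt").read())`. A single shared address is normal for sites behind the same CDN, so treat a hit as a prompt to compare against a second resolver rather than as proof of poisoning.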




posted on Dec, 14 2004 @ 01:44 PM
nice post.

this thing freaks me out abit who could program such a thing?
I hope it is fixed soon. Seems to affect ISPs and not PCs, strange.



posted on Dec, 14 2004 @ 03:12 PM
I remember a few weeks ago, the EXTERNAL adservers (owned by a company that also redirects the ads for other sites) of www.nu.nl were hacked. They were indirectly attacked with an MS SQL exploit and the attackers updated the redirectors in the database. They gained access to the adservers via the load-balancing server which controlled the adservers and ran MS SQL (with admin rights!) as backbone.

Problem looks very similar, should be a server problem not a desktop problem.

They reinstalled and (FINALLY!) also applied the long overdue SQL patch that should have been applied months ago. Problem gone.



[edit on 14-12-2004 by Countermeasures]



posted on Dec, 14 2004 @ 04:10 PM
My browser has been acting real strange itself. I rarely ever download anything and dump all emails from anyone I do not know. I decided to do a Control-Alt-Delete to see what was actually running in the background. I found something called "webrebates", "Jey", "Bargains"; when I try to end task, they multiply as "webrebates0" then "webrebates1". I went into my control panel and pulled up Add/Remove Programs and found something I never installed. To uninstall the program it directs you to a site that is no longer available. The site is "http://looking-for-cc/uninstall/HomeSearchAssistant". This site is actually owned by a Russian named Pavel Pertretsky. I have tried to contact him multiple times on how to uninstall this program because it basically screwed up my browser: I cannot minimize or shut programs using the "X" close and cannot set my Internet options to the homepage I want because it will automatically default to "about:blank". Anybody else having these issues or know a trick to get rid of this?

Thanks



posted on Dec, 14 2004 @ 04:16 PM

Originally posted by Countermeasures
Problem looks very similar, should be a server problem not a desktop problem.


While similar in it being a redirect issue, this particular exploit seems to be a bit higher up the pecking order.
It's not a "hack" on a specific server or a vulnerability in a particular language (i.e. SQL) ... it looks like it could be a loophole in how the internet itself is structured.

This isn't a desktop problem, and that's what makes it all the more potentially damaging. If it were a desktop problem, like Windows security holes, a patch could be issued.
How can you issue a patch for something like this?



posted on Dec, 14 2004 @ 04:39 PM

Originally posted by Banshee
This isn't a desktop problem, and that's what makes it all the more potentially damaging. If it were a desktop problem, like Windows security holes, a patch could be issued.
How can you issue a patch for something like this?


You can't, or at least not without taking the internet down, fixing the problem, and then starting it back up. Can you imagine the world trying to function for even a week without the internet? You'd basically have to put the entire global economy on hold for however long it took. Wow. Although this would be great incentive for more international cooperation.



posted on Dec, 14 2004 @ 04:48 PM
A combination of:
HiJackThis, Spybot S&D and AdAware will get rid of any kind of browser hijack, spyware, adware, malware etc.
Haven't had trouble with anything since I regularly started scanning my computer with all these. Spybot also comes with an adblocker that prevents commercial images from being shown @ websites



posted on Dec, 14 2004 @ 04:50 PM
JustMyType,

Have you run Adaware or Spybot Search and Destroy?

If not you should, you are the victim of either spyware or malware.



posted on Dec, 14 2004 @ 04:53 PM

Originally posted by phlake
A combination of:
HiJackThis, Spybot S&D and AdAware will get rid of any kind of browser hijack, spyware, adware, malware etc.


I repeat....

this is NOT caused by software or viruses on someone's computer.
Those programs will not fix this problem.

This is a potential vulnerability with how the internet itself is built. A program to fix that does not exist.

In addition, ad-blocking software will not do anything about the image hijack involved with this. Any image, including avatars or boring old graphics, can be replaced with the Med Network ad.

[edit on 14-12-2004 by Banshee]



posted on Dec, 14 2004 @ 04:55 PM

Originally posted by Kriz_4
Have you run Adaware or Spybot Search and Destroy?


BEWARE! Last time I downloaded Spybot, it installed ads in the system. The retarded thing is that it would also catch the ads, but they would just reinstall upon rebooting.



posted on Dec, 14 2004 @ 05:03 PM
Here is an article about DNS cache poisoning. This seems to be what is going on and has been a problem for some years it seems.

www.securityfocus.com...



posted on Dec, 14 2004 @ 05:23 PM

Originally posted by Jamuhn
Here is an article about DNS cache poisoning. This seems to be what is going on and has been a problem for some years it seems.

www.securityfocus.com...


Excellent article!
This is similar to cache poisoning, but apparently it's got a greater damage potential. While poisoning generally affects a single website (say, Citibank, for example), this affects what appears to be random websites. Sometimes it's every site an affected user visits, sometimes it's one innocuous site, and, from what I've heard, sometimes it's a site where personal information is transferred (i.e. credit card numbers).



posted on Dec, 14 2004 @ 06:02 PM
I would download the latest version of Ad-aware from Lavasoft.
Then update to the newest definitions and run the deep system scan.

McAfee Internet Security Suite also has a spyware tool.

If you did a complete reformat, then reloaded any infected software or applications
that might also explain your troubles.

I haven't heard of any problems from the Mac community.



posted on Dec, 14 2004 @ 06:44 PM
I don't think this is a browser hijack. It sounds like someone is infecting DNS servers and when your computer makes a request, another page/object will be returned instead of what you were looking for. This is why flushing the DNS works, right? You lose the infected DNS servers, but sometimes you will eventually pick them back up again.



posted on Dec, 14 2004 @ 07:31 PM

Originally posted by Justmytype
My browser has been acting real strange itself. I rarely ever download anything and dump all emails from anyone I do not know. I decided to do a Control-Alt-Delete to see what was actually running in the background. I found something called "webrebates", "Jey", "Bargains"; when I try to end task, they multiply as "webrebates0" then "webrebates1". I went into my control panel and pulled up Add/Remove Programs and found something I never installed. To uninstall the program it directs you to a site that is no longer available. The site is "http://looking-for-cc/uninstall/HomeSearchAssistant". This site is actually owned by a Russian named Pavel Pertretsky. I have tried to contact him multiple times on how to uninstall this program because it basically screwed up my browser: I cannot minimize or shut programs using the "X" close and cannot set my Internet options to the homepage I want because it will automatically default to "about:blank". Anybody else having these issues or know a trick to get rid of this?

I Know what you are talking about. I have had the same problem with my computer, but have yet to discover a way to get rid of it. I run AdAware and Spybot regularly.

Thanks



posted on Dec, 14 2004 @ 08:27 PM
Justmytype and
Grendels Bacon~~~~
You need to get yourselves to some techie self-help forums, like some of the links in Banshee's first post. FAST. There are people on those forums that help folks with what you guys have.
Also:
www.amazingtechs.com...
www.techsupportforums.com...

What you have is not what the topic of this thread is about
Trust me, these little annoyances can be fixed.



posted on Dec, 14 2004 @ 08:34 PM
Banshee~~
Thanks for a well-written and eye-opening report of this potential danger to the internet. The world should be made aware of this.
I tried to find some info on my own. Since I didn't know what to call it, exactly, I had little luck. KUDOS


Jamuhn~~
Thanks for that article. While most of it was waaaay over my head, I did get enough to see that if you are a victim of this, it might be wise to contact your ISP, maybe send them a link to that article.
Hope I don't have to do that ever



posted on Dec, 14 2004 @ 08:45 PM
Hmmm I have tried to find more information about this and I always end up back at a forum on CNet, it seems this is where this "exploit" first appeared. Strange that for such a seemingly dangerous exploit, the only sources I've been able to find that give information about it are on public forums...

At the moment I'd have to say this "Med Network" is a hoax. DNS Poisoning is nothing new, but if this exploit was so serious, there would be reports on reputable news / tech sites, not just comments on public forums..



posted on Dec, 14 2004 @ 10:21 PM
The poisoning could have taken place at the internet's root servers.

Good place to start looking is
United States Computer Emergency Readiness Team (US-CERT)
www.us-cert.gov...
Search US-CERT
search.us-cert.gov...

Here's a dated article, but interesting...
www.theregister.co.uk...
www.networkmagazine.com...
www.theregister.co.uk...


And a link to a beta monitor site for TLD servers...
dnsmon.ripe.net...



posted on Dec, 14 2004 @ 10:35 PM
Just found this web page. I will quote it because Google's cache is the only way to view the page now; the real site says access forbidden.

Google DNS Search


Homework 5
DNS Hijacking
--------------------------------------------------------------------------------

Introduction

Services like DNS use IP addresses for authentication. When services with a request/reply schema are used attackers can use spoofed IP packets for faking a server's reply by racing against the legitimate server. DNS is used (among many other tasks) for translating DNS names into IP addresses. When users surf the Internet they enter the DNS name of the target site that they want to have displayed into the browser window. This DNS name is then resolved by sending a query (UDP message to port 53) to the DNS server, which answers with a DNS reply containing the IP address. The WWW-browser then makes a direct connection to the server with this IP address. In this homework your task is to hijack the query packets that are sent to the DNS server and to send faked DNS replies to the user's host in order to redirect the user to a different website.

Tasks

Your task is to write a program called dns-hijack that allows selectively redirecting HTTP requests. Read in a user-specifiable configuration file that contains information stating which requests to redirect and where to. Then listen for DNS requests and hijack them. For this, combine the results of Homework 2 and Homework 3 to make this work. Use the sniffing routines from Homework 2 to catch DNS request messages. Process the content of the DNS requests. In the case that the IP address of a host stated in the configuration file is found in a DNS query, reply to this query with a faked DNS reply which redirects the client to the IP address stated in the configuration file. Use modified routines of Homework 3 to send faked DNS replies. Your program should run until the signals SIGINT, SIGQUIT or SIGTERM are received. After one of these signals has been received, your program is expected to print out a summary of all hijacked DNS requests.

As the DNS message format can be very complex, we restrict the task to hijacking DNS queries that can be typically observed when a user enters a URL in a browser. So your program has to be able to interpret the header - and question parts and to create response messages accordingly.


Part 1 - 2 points
Your program handles the arguments correctly and reads in the configuration file

The synopsis for dns-hijack is

dns-hijack

If the configuration file does not exist or the name of the configuration file has been omitted, exit with code 1 and an appropriate error message.

The configuration file consists of space separated entries

\n

where specifies a DNS-name that should be searched for in the DNS requests. If this DNS-name is found in a DNS-request your program has to send back a faked DNS reply containing as answer with the source-ip address set to the destination-ip address of the original reply (spoofed from the DNS server). In the case a line starts with # this line has to be ignored.

When parsing errors occur during reading the configuration file then exit the program with the error code 1 and the error message 'Configuration file corrupt: line ' where is the number of the line


Part 2 - 5 points


Your program correctly sets up the network filter in promiscuous mode, processes all the request content and sends back the spoofed UDP packet containing the DNS reply. We emphasize here that the DNS-reply packets have to be correctly checksummed. Also remember that you have to set the identification field of the reply according to the identification field of the request.

To enable this in the lab, we extended the launch program which now can provide two different sockets.

Part 4 - 3 points


Your program correctly calculates and prints out the summary information. For each mapping entry (server) in the configuration file the different hosts that have been redirected should be printed out in the following way, whereas the ordering is NOT relevant.


where specifies the DNS-name from the configuration file
where specifies the IP address the client has been redirected to
where specifies the host that has sent a DNS-request to a DNS server containing
where specifies the number of times the client has requested the DNS server to lookup

Write out a line only for each client that has actually been redirected. For servers that have not been redirected, don't output anything.


Part 5 - 2 points

The program is written and structured according to the programming and documentation rules and behaves according to the given output specification (no additional output to and correct format of the results). Your Makefile has to create a binary called 'dns-hijack'.
Documentation

Extract the information you need for solving this assignment from the following resources:
DNS Documentation
RFC 1035 4. MESSAGES


Submission

The files holding your submission (which must be called dns-hijack.c and Makefile) have to be included into a single, gzip'ed tar archive named "h5-.tgz" which must be sent in time via email to inetsec@infosys.tuwien.ac.at . Send this file as a MIME-encoded attachment, including all MIME headers. No other files (especially binaries, directories or object files) must appear in your submission. The subject of the e-mail has to be "submission hw5, , ", where login-name is your login name at the lab computers. If your Matrikelnummer is 9123456 and your lab-account islu123 then the subject line must read "submission hw5, islu123, 9123456" and the file must be called "h5-9123456.tgz".

Hint: The .tgz file can be created using the command "tar -czf h5-9123456.tgz dns-hijack.c Makefile" assuming that your Matrikelnummer is 9123456.
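The quoted assignment spells out the hijack mechanics (sniff the query, copy its identification field, echo the question, answer with the attacker's address from a spoofed source), and the earlier exchange between Jamuhn and Banshee about cache poisoning is really about what a resolver will accept and cache. The code below is an added example, not part of the thread or of the TU Wien homework: it builds a DNS query in RFC 1035 wire format, constructs the forged reply the assignment asks for, and then shows the resolver-side checks (matching source, identification field, question section, and a simplified bailiwick rule) that separate an honest answer from a forged or poisoned one. Every name and address in it is constructed, and the bailiwick rule is a deliberately simplified version of what real resolvers implement.

```python
"""Added example: DNS query, forged reply, and resolver-side checks in RFC 1035 wire format.
Not from the thread or the quoted TU Wien homework; all names and addresses are constructed."""
import struct


def encode_name(name):
    # "www.example.com" -> length-prefixed labels terminated by a zero byte
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # pointer: 14-bit offset into the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_query(txid, qname, qtype=1):
    """What a stub resolver sends: header with RD=1 and a single question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def a_record(owner_bytes, ip, ttl):
    """Resource record: owner, TYPE=A, CLASS=IN, TTL, RDLENGTH=4, 4 address bytes."""
    return owner_bytes + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))


def parse_message(data):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, rrs = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rrs.append((section, name, rtype, ttl, data[off:off + rdlen]))
            off += rdlen
    return {"id": txid, "flags": flags, "questions": questions, "rrs": rrs}


def forge_reply(query, spoof_ip, ttl=86400):
    """Attacker side (the homework's dns-hijack): copy the ID, echo the question, answer
    with our address. Spoofing the server's source IP happens at the socket layer."""
    q = parse_message(query)
    qname, qtype, qclass = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, one answer
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    return header + question + a_record(b"\xc0\x0c", spoof_ip, ttl)  # \xc0\x0c points at qname


def append_additional(reply, owner, ip, ttl=86400):
    """Classic poison: an unrequested A record for some other name in the additional section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    header = struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar + 1)
    return header + reply[12:] + a_record(encode_name(owner), ip, ttl)


def in_bailiwick(owner, qname):
    """Simplified bailiwick rule: owner is the queried name or lies under its parent zone."""
    parent = qname.split(".", 1)[1] if "." in qname else qname
    return owner == qname or owner.endswith("." + parent)


def validate_reply(query, reply, sent_to, received_from):
    """Resolver-side checks before caching; returns a list of problems (empty = accept).
    Only the 16-bit ID and the source port guard the first checks, so a spoofer who
    sniffs or guesses them passes; the bailiwick check limits what a forgery can poison."""
    problems = []
    if sent_to != received_from:
        problems.append("source address/port does not match the server queried")
    q, r = parse_message(query), parse_message(reply)
    if q["id"] != r["id"]:
        problems.append("transaction ID mismatch")
    if not r["flags"] & 0x8000:
        problems.append("QR bit not set: not a response")
    if q["questions"] != r["questions"]:
        problems.append("question section does not echo the query")
    qname = q["questions"][0][0]
    for section, owner, _rtype, _ttl, _rdata in r["rrs"]:
        if not in_bailiwick(owner, qname):
            problems.append(f"{section} record for {owner} is out of bailiwick for {qname}")
    return problems


if __name__ == "__main__":
    server = ("192.0.2.53", 53)                         # constructed resolver address
    query = build_query(0x1234, "www.amazon.com")
    forged = forge_reply(query, "198.51.100.7")
    print("forged reply:", validate_reply(query, forged, server, server) or "passes every check")
    poisoned = append_additional(forged, "www.google.com", "198.51.100.7")
    print("with extra record:", validate_reply(query, poisoned, server, server))
```

The first print line is the uncomfortable part: a forged reply that copies the sniffed ID and question passes every check, which is exactly why the homework only asks students to match the identification field and checksum the UDP packet. The second line shows the other poisoning route, an unrequested record for a different name riding along in the additional section, and why a resolver must discard anything outside the zone it asked about rather than trust the whole packet.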


