
EXCLUSIVE: Med Network DNS Hijack, A Web Exploit That May Spell Cyber-Disaster

page: 2

posted on Dec, 15 2004 @ 10:20 AM

Originally posted by LordGoofus
Hmmm, I have tried to find more information about this and I always end up back at a forum on CNet; it seems this is where this "exploit" first appeared. Strange that for such a seemingly dangerous exploit, the only sources I've been able to find that give information about it are on public forums...

At the moment I'd have to say this "Med Network" is a hoax. DNS poisoning is nothing new, but if this exploit was so serious, there would be reports on reputable news / tech sites, not just comments on public forums.


It is also possible that it is an exploit of small ISPs using Windows DNS/DHCP servers. Or someone on the local network has malware that is spoofing DNS servers. (So it's not the ISP or the desktop, but anyone on the network.)
If it was just a few small ISPs running unpatched DNS servers, then that would explain why it hasn't made mainstream media as of yet.
Also, in the forums one person switched ISPs and never had the problem, so it seems to be an ISP-based attack or exploit, and given the evidence (not in mainstream media, limited to a few public forums with few individuals, switching ISPs made the problem disappear), I would suspect a local exploit of (perhaps) small, unpatched ISP DNS servers (or DHCP).

Good work digging it up Banshee!


edit: quoted wrong post.


[edit on 15-12-2004 by NERaptor]




posted on Dec, 15 2004 @ 11:28 AM

Originally posted by Notme
Just found this web page. I will quote it because Google is the only way to view the page, as cached; the real site now says access forbidden.

Google DNS Search


Homework 5
DNS Hijacking
--------------------------------------------------------------------------------

This is quite a significant find. This almost seems to be exactly what the current scenario is. Granted, I haven't dived real deep into the issue yet, but this may be the source of the hijack that is causing the problem. It almost seems as if some student took his homework beyond the assignment for a little "extra credit".

What kind of a teacher gives their students an assignment like this?



posted on Dec, 15 2004 @ 11:38 AM
Fixes are irrelevant. It has become apparent that no matter how many of these "problems" you fix and patch and secure, another one will happen soon afterwards.

Why the hell not? Nothing ever happens to these "proprietors" anyways.

Spyware is the perfect example of that. All you have to do is click on a normal site and suddenly "Congratulations you've installed, ibis, GAIN, comet cursor, new.net etc".

Considering the fact that these programs have been proven without a doubt to damage users PCs, and the fact that they install themselves without consent, wouldn't that be like someone coming up to my car and changing my tires without my permission for a crappier brand? AKA Theft or at least Vandalism?

But no. They continue to do it because of inaction by our elderly legislators who wouldn't know what a computer was if it fell on their head.

This thread is talking about a different problem technically, but the similarities are there. It redirects users (forcibly) to a retail site.

The point of all of these things is to make money for a certain group of people at everyone else's expense without caring what gets damaged in the process.

Technological fixes for these things are irrelevant because virus-writers and that sort of person are always a step ahead. Playing catch-up never works. When this DNS cache problem gets fixed, they'll make another one. And on and on.

The only thing that will solve this is criminal punishment for these people who are 1) invading our privacy 2) destroying our property and 3) causing untold hours of frustration for MILLIONS of people around the world.



posted on Dec, 15 2004 @ 12:33 PM
NERaptor has the explanation, it sounds like. DNS cache poisoning looks to be a likely culprit, but since it is pretty localized, it could not be a root DNS server. It must be an ISP's DNS server. Here is a quick test: if your machine exhibits the problem, change your DNS settings so that it points to a DNS server that your ISP does not host.

-P



posted on Dec, 15 2004 @ 01:12 PM
I wonder if anyone has checked the hosts file on affected computers. Heck, I've got an old box sitting at home that I'd test it on if someone figures out the vector.



posted on Dec, 15 2004 @ 02:06 PM

Originally posted by Whiskey Jack
I wonder if anyone has checked the hosts file on affected computers. Heck, I've got an old box sitting at home that I'd test it on if someone figures out the vector.

It isn't a hosts file issue. Flushing the DNS cache and switching DNS servers is a temporary fix, so it can't be an essentially static file like hosts.



posted on Dec, 15 2004 @ 04:52 PM
What's the URL of the offending ads/site? Just add that to your hosts file with the localhost IP and block it.

Reading up a bit, the problem is bad data being fed to local DNS services - not a local compromise. In that case, get alternate DNS addresses from your ISP and change them. Also, they should be notified immediately, so they can make the appropriate changes to their DNS. I've yet to see this problem, but I'd get to the bottom of it very quickly, if I did.

reviews.cnet.com...

One guy said switching ISPs solved it. There you go... it's their DNS that's screwed.

[edit on 15-12-2004 by Damned]



posted on Dec, 15 2004 @ 11:12 PM
CERT has a few articles describing what they call both DNS pollution and DNS poisoning. It has been around since before 2001. Combining this with stealing of cookies must be more recent.

Microsoft DNS Server Cache Corruption



In the default configuration, Microsoft DNS server will accept bogus glue records from non-delegated servers. These bogus records will be added to the cache when a client attempts to resolve a particular hostname served by a malicious or incorrectly configured DNS server. The client can be coerced to request such a hostname as a result of an otherwise non-malicious piece of HTML email (such as spam) or in banner advertisements on websites, to give some examples.

Based on information contained in reports of this activity, there are sites actively engaged in this deceptive DNS resolution. These reports indicate that malicious DNS servers are providing bogus glue records for the generic top-level domain servers (gtld-servers.net) potentially resulting in erroneous results (e.g., failed resolution or redirection) for any DNS request


Other articles:
Cert DNS Vulnerability Microsoft
Note that this is not limited to Microsoft servers.
BIND Vulnerability Aug 2000
Search CERT for DNS vulnerability
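The "quick test" in the Dec 15, 12:33 PM post (ask your ISP's resolver and a resolver it does not host the same question and compare) and the CERT description just above of bogus glue records being cached can both be exercised in code. The Python script below is an added example, not code from this thread, from CERT or from Microsoft. It builds and parses DNS messages with only the standard library, then applies the in-bailiwick rule a resolver should enforce on additional-section records (the rule the default Microsoft DNS configuration described above did not apply, so glue for gtld-servers.net handed out by an unrelated server was accepted), and compares the A records two resolvers return for one name. Every name, zone, address and transaction ID in it is constructed sample data (RFC 5737 documentation addresses); nothing is sent on the network.

```python
import struct

A, NS = 1, 2  # DNS record types used below


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte (no compression)."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"


def build_message(txid, qname, answers=(), additional=(), response=True):
    """Assemble a query (response=False) or a reply carrying (name, type, ttl, value)
    records; A values are dotted IPv4 strings, NS values are domain names."""
    flags = 0x8180 if response else 0x0100  # QR+RD+RA for a reply, RD for a query
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, len(additional))
    msg += encode_name(qname) + struct.pack("!HH", A, 1)  # question: qname A IN
    for name, rtype, ttl, value in list(answers) + list(additional):
        rdata = bytes(int(o) for o in value.split(".")) if rtype == A else encode_name(value)
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_message(msg):
    """Return the header id, the question and the three record sections."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4  # skip qtype and qclass
    out = {"id": txid, "question": (qname, qtype), "answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == A and rdlen == 4:
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype == NS:
                value, _ = read_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            out[section].append((name, rtype, ttl, value))
    return out


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def filter_glue(response, zone):
    """Split additional-section records into those a careful resolver may cache
    (inside the zone the responding server is authoritative for) and those it
    must discard. Caching the second group is the bogus-glue flaw CERT describes."""
    keep, drop = [], []
    for rec in response["additional"]:
        (keep if in_bailiwick(rec[0], zone) else drop).append(rec)
    return keep, drop


def a_records(response):
    return {value for (_, rtype, _, value) in response["answer"] if rtype == A}


def resolvers_disagree(reply_isp, reply_alt):
    """The thread's quick test: same question to two resolvers, compare the A records."""
    return a_records(reply_isp) != a_records(reply_alt)


# Constructed sample replies (RFC 5737 documentation addresses, not real hosts).
# A reply from a server authoritative only for example.com that also carries
# glue for a gTLD server: the pattern described in the CERT note above.
POISON_REPLY = build_message(
    0x1234, "www.example.com",
    answers=[("www.example.com", A, 300, "192.0.2.10")],
    additional=[("ns1.example.com", A, 300, "192.0.2.53"),
                ("a.gtld-servers.net", A, 86400, "198.51.100.66")])
# The same question as answered by the ISP's resolver and by an alternate one.
ISP_REPLY = build_message(1, "www.example.com", answers=[("www.example.com", A, 60, "198.51.100.66")])
ALT_REPLY = build_message(1, "www.example.com", answers=[("www.example.com", A, 60, "192.0.2.10")])

if __name__ == "__main__":
    keep, drop = filter_glue(parse_message(POISON_REPLY), "example.com")
    print("glue accepted:", keep)
    print("glue rejected (out of bailiwick):", drop)
    print("ISP and alternate resolver disagree:",
          resolvers_disagree(parse_message(ISP_REPLY), parse_message(ALT_REPLY)))
```

To run the comparison live, send the bytes from build_message(txid, name, response=False) over UDP to port 53 of each resolver and hand each reply to parse_message. A mismatch only shows that the two resolvers disagree; it does not say which one is wrong, so check a third source (the zone's own authoritative server) before blaming the ISP.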



posted on Dec, 18 2004 @ 02:05 PM


NERaptor has the explanation, it sounds like. DNS cache poisoning looks to be a likely culprit, but since it is pretty localized, it could not be a root DNS server. It must be an ISP's DNS server. Here is a quick test: if your machine exhibits the problem, change your DNS settings so that it points to a DNS server that your ISP does not host.


Damn you beat me to it!
I always use alternate DNS Settings.



posted on Dec, 28 2004 @ 06:22 AM

Originally posted by Banshee
I repeat....

this is NOT caused by software or viruses on someone's computer.
Those programs will not fix this problem.

This is a potential vulnerability with how the internet itself is built. A program to fix that does not exist.

In addition, ad-blocking software will not do anything about the image hijack involved with this. Any image, including avatars or boring old graphics, can be replaced with the Med Network ad.

[edit on 14-12-2004 by Banshee]


Um, Banshee, yes it is on your PC. It is an ActiveX control. Hopefully no one here automatically allows ActiveX controls to be installed. ALWAYS prompt.

Actually, McAfee VirusScan and Firewall pick this up as it tries to install on your PC. Also, if you set your Internet settings to prompt for ActiveX controls, Windows will pick it up.

[2004/12/27 12:52:58 2112.7]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#-024 Copying file "C:\DOCUME~1\John\LOCALS~1\Temp\ICD5.tmp\AdmilliServX.dll" to "C:\WINDOWS\Downloaded Program Files\AdmilliServX.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\John\LOCALS~1\Temp\ICD5.tmp\AdmilliServX.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.

I am sure we will be hearing a lot about AdmilliServX.dll. Love stupid C++ dynamic libraries. F em.


Delete this control in Regedit, [98264495-6376-443C-9340-2996038BD143] (VaCtrl Class), and these files:

C:\WINDOWS\System32\acledit7.exe

C:\WINDOWS\System32\igmprn.exe

You also need to delete admilliServe under program files, the only way to do it is in safe mode.

I don't think this is Med Network. It seems like a site that advertises them and uses the hijack to produce traffic for itself.

Kinda like a Java applet, but a Microsucks control. If I didn't delete the log from the attempted install, I will post it.

This thing installs so much garbage that soon as I find it all I will post all of the bs you will need to remove in safe mode.



[edit on 12/28/2004 by just_a_pilot]



posted on Dec, 28 2004 @ 08:31 AM
Here's the latest entry at cnet.com. It discusses the fact that this is a corrupt DNS server and some possible fixes (which I didn't quite follow, BTW):

I've had a chance to study some systems that were being corrupted by this problem. I have determined a number of known issues/sources and have a few speculative guesses as to how the corruption occurs.

First, the issue definitely corrupts DNS servers...

CNet forum



posted on Dec, 28 2004 @ 10:39 AM
I find it amusing that the people in the cnet thread are posting in the Windows ME forum.
Especially "JavaIP", since he seems to know enough not to be one of those WinME lusers.



posted on Dec, 28 2004 @ 06:28 PM
Well now. It looks as though the DNS resolver built into Windows is corrupted and the cache ON YOUR PC cannot flush. SvcHost.exe and dnscache "resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start."

The goofy hack that wrote this has created quite a clean-up problem. It seems as though when your PC sends out a request that you type into the browser as www.ats.com, it actually sends a request for www.nameyourplace.com, and you never know it and blame the ISP.



posted on Dec, 30 2004 @ 10:56 AM

Originally posted by just_a_pilot
The goofy hack that wrote this has created quite a clean up problem. It seems as though when your pc sends out a request that you type in to the browser as www.ats.com it actually sends a request for www.nameyourplace.com and you never know it and blame the ISP.


But your DNS cache comes from the DNS server, which belongs to your ISP. How do you think addresses are cross-referenced to IPs? It's basically IP spoofing.

www.ats.com = 144.232.244.158
and
www.nameyourplace.com = 216.71.100.187

They're spoofing the IP so www.ats.com appears to be 216.71.100.187. You can't go around stealing IPs and/or domain names. That's basically what they've done. I'm sure that's a punishable offense. But, on the other hand, they need to secure their DNS servers.

DNS Spoofing

Once spoofed the victim's resolver will continue to use the false record it has in its cache, potentially misdirecting E-Mail, or any other internet service. This is a potential major security leak for credit card information, trade secrets, and other highly sensitive information.

Recent surveys indicate that 25-30% of servers on the Internet are spoofable.


[edit on 30-12-2004 by Damned]



posted on Dec, 30 2004 @ 03:24 PM
Microsoft has rolled code to fix this problem. It is on your PC.



posted on Jan, 3 2005 @ 09:34 AM
What's the Q#? They may have a fix, but that still doesn't eliminate the fact that it stems from the DNS. Is the fix for the DNS, or for the client?

If this is the patch, it doesn't sound like it's working. They're still talking about patching the DNS, not the clients.

reviews.cnet.com...

[edit on 3-1-2005 by Damned]



posted on Jan, 8 2005 @ 05:30 PM
Hi guys, I think I'm having a similar problem. I have Norton Internet Security 2004 on my PC, which is running Windows XP Pro SP2, and I have Norton Antivirus 2005 also. I ran a full system scan and it found 1 infection on my PC, and that was AdmilliSevX.dll... Now, the antivirus couldn't delete it and I can't find it on my PC (even though it gives me the location). The other thing is my browser has stopped working, which I think is some sort of a DNS hijack, because at the bottom of the browser window when I type, let's say, google.com, it shows it's trying to contact google.com.net... it adds a .net to EVERYTHING I type. Can someone guide me in the right direction to fix this... thanks!!



posted on Jan, 8 2005 @ 05:45 PM
Something strange on one of my computers as well... I have a cable modem and somehow I am getting a pop-up window advertising medical crap or GameCube or travel... I have run Spybot, HijackThis, Ad-Aware, WebSpy, CleanUp, I flushed the DNS, I ran AOL's spyware tool, McAfee antivirus... NOTHING will get rid of this. It does not appear when I go to specific websites; it just pops up on its own. When I turn my comp to hibernate at night, there is a pop-up in the morning. It only does it 1 at a time. There is never more than one of this type of pop-up at a time and it is not frequent. Once every 2 or 3 hours, I guess. I switched my default browser to Firefox and it still showed up using an IE browser... I haven't a clue what to do now.

Any ideas?



posted on Jan, 10 2005 @ 07:09 PM
Garon, if you haven't tried it already, go to Microsoft for their
anti-spyware, and try the free Ad-Aware SE and Spybot.

Here's the link for Microsoft:

www.microsoft.com...

[edit on 10-1-2005 by freudwasright]



posted on Jan, 12 2005 @ 10:29 AM
I'll give that a shot. Thanks!


