Malware hi-jack of DNS address

A DNS hi-jack is a clever way for a bad guy to control an infected computer.

Figure: Domain Name System (DNS) block diagram (illustration: Lion Kimbro)

I just finished disinfecting a Windows XP computer that had been a member of a bot-net for months. As I removed layers of malware, I discovered that the computer was making DNS requests to a pair of DNS servers that are located in the Ukraine(!), rather than to the DNS servers within the owner’s ISP (Internet Service Provider). Such a setup allowed the Ukraine administrator of the DNS servers to control what domains the infected computer may and may not visit. This infected computer could visit most websites but . . . it couldn’t download Windows updates, McAfee Antivirus updates, or visit any other anti-virus or anti-malware publishers’ sites.

I’m not sure exactly how this DNS hi-jack took place, but it probably started by the user unknowingly executing a virus “dropper” program. Somehow, one of the viruses on this computer had fooled McAfee Antivirus into thinking that everything was fine, when in fact it was months out of date and was infected from head to toe.

A DNS server is like a phone book: look up a person’s name, and find their phone number. With DNS, you look up an Internet domain (such as “russbellew.com”) and receive the domain’s IP address (such as 207.46.222.11).

This Windows PC’s DNS configuration has been hijacked.

On most home computers, the addresses of the DNS servers are supplied by the ISP (Internet Service Provider). On this infected PC, a malware provider had replaced these addresses with the addresses of DNS servers that are located in Ukraine. The addresses of the Ukraine DNS servers are 93.188.163.67 and 93.188.166.6. Here’s the whois data:

inetnum: 93.188.163.0 - 93.188.164.255
netname: PROMNET-NET
descr: Promnet Ltd.
country: UA
admin-c: OV527-RIPE
tech-c: OV527-RIPE
status: ASSIGNED PA
mnt-by: PROMNET-MNT
person: Ondrej Voloshin
address: Ekaterininskaya str., 41, 65000, Odessa, Ukraine
e-mail:
phone: +380504414402
nic-hdl: OV527-RIPE
mnt-by: PROMNET-MNT

The DNS addresses had been changed by a piece of malware that modified these entries in the Windows registry:

  • hklm\system\controlset001\services\tcpip\parameters#nameserver
  • hklm\system\controlset002\services\tcpip\parameters#nameserver
  • hklm\system\controlset\services\tcpip\parameters#nameserver
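As an added example (not part of the original post), here is a Python script that audits the NameServer values the malware rewrote. Rather than reading the live registry, it parses a .reg export of the Tcpip\Parameters key (taken with `reg export "HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters" tcpip.reg`, and repeated for the other ControlSet keys), so it can be run offline on a dump from the infected machine. The sample export, the interface GUID and the allowlist of expected resolvers are constructed here for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export` might produce for the infected PC described
# in the post; the interface GUID is a placeholder. Real exports are UTF-16LE text,
# so read them with open(path, encoding="utf-16") before passing them in.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"NameServer"="93.188.163.67,93.188.166.6"
"Domain"=""
"Hostname"="XP-DESKTOP"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00000000-EXAMPLE-GUID-000000000000}]
"NameServer"="93.188.163.67 93.188.166.6"
"DhcpNameServer"="192.168.1.1"
"EnableDHCP"=dword:00000001
'''

# Assumption: the only resolver this network should use is the ISP-supplied router address.
EXPECTED_RESOLVERS = {"192.168.1.1"}

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ values only


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def split_resolvers(data: str) -> List[str]:
    """NameServer data may be comma- or space-separated; keep only syntactically valid IPs."""
    out = []
    for token in re.split(r'[ ,]+', data.strip()):
        if not token:
            continue
        try:
            out.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass          # junk token; not a resolver address
    return out


def audit_nameservers(text: str, expected=EXPECTED_RESOLVERS) -> List[Tuple[str, str]]:
    """Return (key_path, resolver) for every static NameServer entry outside the allowlist.

    A non-empty static NameServer takes precedence over DhcpNameServer on Windows,
    which is why it is the value malware rewrites; DhcpNameServer is left untouched here.
    """
    findings = []
    for key_path, values in parse_reg_export(text).items():
        for ip in split_resolvers(values.get("NameServer", "")):
            if ip not in expected:
                findings.append((key_path, ip))
    return findings


if __name__ == "__main__":
    for key, ip in audit_nameservers(SAMPLE_REG_EXPORT):
        print(f"unexpected resolver {ip} in {key}")
```

Run it against exports of all three ControlSet keys, since the post shows the malware wrote the same value into each; a resolver that appears only in the static NameServer value and not in DhcpNameServer is the tell-tale sign.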

The implications of a DNS hi-jack are profound: the hi-jacker could put up fake websites such as http://www.bankofamerica.com (residing on his own IP address) and redirect infected clients to this bogus website, where it could capture account numbers and passwords. Another ploy could be to put up a phony http://www.bankofamerica.com site and use iframes to embed the real http://www.bankofamerica.com within it. Then just capture packets between the infected computer and the genuine http://www.bankofamerica.com. And, of course, prevent the targeted user from visiting any sites that the hi-jacker wished to exclude.
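A defender-side check for the redirection and blocking described above, added here as an example and not code from the original post: ask the suspect resolver and a trusted resolver for the same names and compare the answers. A different address for a site points to redirection; an error from the suspect resolver where the trusted one answers points to blocking of the kind that kept this PC from reaching update sites. The encoder and decoder are a minimal RFC 1035 A-record implementation written for this example; the sample responses are constructed inside the script (the example.com names use documentation addresses) so it runs offline, and query_resolver() is the live path.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """Hostname in DNS wire format: each label prefixed by its length, then a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(query_id: int, name: str) -> bytes:
    """Standard recursive A query: 12-byte header plus one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query_id: int, name: str, ips: List[str], rcode: int = 0) -> bytes:
    """Minimal A-record response; used only to construct sample answers offline."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, plus the response code
    header = struct.pack("!HHHHHH", query_id, flags, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answers


def skip_name(buf: bytes, pos: int) -> int:
    """Offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:               # compression pointer: two bytes, name ends
            return pos + 2
        pos += 1 + length


def parse_a_records(resp: bytes) -> Dict[str, object]:
    """Extract the rcode and the IPv4 addresses in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return {"rcode": flags & 0x0F, "ips": ips}


def query_resolver(resolver_ip: str, name: str, timeout: float = 3.0) -> bytes:
    """Live path: send the query over UDP/53 to one resolver and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(0x1234, name), (resolver_ip, 53))
        return s.recv(512)


def compare_resolvers(name: str, suspect: bytes, trusted: bytes) -> Optional[str]:
    """Describe how the suspect resolver's answer diverges from the trusted one, or None."""
    s, t = parse_a_records(suspect), parse_a_records(trusted)
    if s["rcode"] != 0 and t["rcode"] == 0:
        return f"{name}: suspect rcode {s['rcode']} while trusted answered (possible blocking)"
    if set(s["ips"]) != set(t["ips"]):
        return f"{name}: suspect {s['ips']} vs trusted {t['ips']} (possible redirection)"
    return None


# Constructed sample: (suspect response, trusted response) per name. The hijacked
# resolver redirects one site and returns NXDOMAIN (rcode 3) for an update host.
SAMPLE_CASES: Dict[str, Tuple[bytes, bytes]] = {
    "russbellew.com": (build_response(1, "russbellew.com", ["203.0.113.5"]),
                       build_response(1, "russbellew.com", ["207.46.222.11"])),
    "update.example.com": (build_response(2, "update.example.com", [], rcode=3),
                           build_response(2, "update.example.com", ["198.51.100.20"])),
    "unchanged.example.com": (build_response(3, "unchanged.example.com", ["198.51.100.30"]),
                              build_response(3, "unchanged.example.com", ["198.51.100.30"])),
}


def run_checks(cases=SAMPLE_CASES) -> List[str]:
    findings = []
    for name, (suspect, trusted) in cases.items():
        finding = compare_resolvers(name, suspect, trusted)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

For a live check, replace the sample tuples with query_resolver(suspect_ip, name) and query_resolver(trusted_ip, name) for each name you care about (your bank, your AV vendor, the update hosts); a legitimate CDN may return different addresses to different resolvers, so treat a mismatch as something to look into rather than proof on its own, while an NXDOMAIN for a site the trusted resolver knows is much harder to explain innocently.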

If you missed it, read “See how easy it is to launch your own infection” or just watch Symantec’s video that shows how easily a botnet master may control his/her botnet infected computers . . . across the globe.

Visit my website: http://russbellew.com

© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695
