A DNS hi-jack is a clever way for a bad guy to control an infected computer.
I just finished disinfecting a Windows XP computer that had been a member of a bot-net for months. As I removed layers of malware, I discovered that the computer was making DNS requests to a pair of DNS servers that are located in the Ukraine(!), rather than to the DNS servers within the owner’s ISP (Internet Service Provider). Such a setup allowed the Ukrainian administrator of those DNS servers to control which domains the infected computer may and may not visit. This infected computer could visit most websites but . . . it couldn’t download Windows updates, McAfee Antivirus updates, or visit any other anti-virus or anti-malware publishers’ sites.
I’m not sure exactly how this DNS hi-jack took place, but it probably started by the user unknowingly executing a virus “dropper” program. Somehow, one of the viruses on this computer had fooled McAfee Antivirus into thinking that everything was fine, when in fact it was months out of date and was infected from head to toe.
A DNS server is like a phone book: look up a person’s name, and find their phone number. With DNS, you look up an Internet domain (such as “russbellew.com”) and receive the domain’s IP address (such as 184.108.40.206).
This Windows PC’s DNS configuration has been hijacked.
On most home computers, the addresses of the DNS servers are supplied automatically by the ISP (Internet Service Provider) via DHCP. On this infected PC, a malware provider had replaced these addresses with the addresses of DNS servers that are located in Ukraine. The addresses of the Ukrainian DNS servers are 220.127.116.11 and 18.104.22.168. Here’s the whois data:
inetnum: 22.214.171.124 – 126.96.36.199
descr: Promnet Ltd.
status: ASSIGNED PA
person: Ondrej Voloshin
address: Ekaterininskaya str., 41, 65000, Odessa, Ukraine
The DNS addresses had been changed by a piece of malware that had changed these entries in the Windows registry:
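As an added check that is not part of the original post, here is a PowerShell script that reads the per-interface DNS server values Windows keeps under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (the NameServer value holds statically configured resolvers and takes precedence over DhcpNameServer, which holds what the ISP handed out) and flags any resolver that is not on an allowlist you supply. The allowlist values below are placeholders from the RFC 5737 documentation range; replace them with your ISP’s resolvers or your own. Run it from an elevated PowerShell prompt on the machine you are inspecting.

```powershell
# Added example, not code from the original post. Audits the registry values that
# a DNS hi-jack of the kind described above alters, and reports any resolver that
# is not on the expected list.
# Assumption: $ExpectedResolvers is a placeholder; substitute your own resolvers.
$ExpectedResolvers = @('192.0.2.1', '192.0.2.2')   # placeholder addresses (RFC 5737)

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsSettingsFromRegistry {
    # Returns one record per (interface, source) pair that has DNS servers set.
    $results = @()

    # A global NameServer value, if present, applies to every interface.
    $global = Get-ItemProperty -Path $Base -ErrorAction SilentlyContinue
    if ($global -and $global.NameServer) {
        $results += [pscustomobject]@{ Scope = 'global'; Source = 'static'; Servers = $global.NameServer }
    }

    # Per-interface keys are named by the adapter GUID.
    Get-ChildItem -Path "$Base\Interfaces" | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.NameServer) {
            $results += [pscustomobject]@{ Scope = $_.PSChildName; Source = 'static'; Servers = $p.NameServer }
        }
        if ($p.DhcpNameServer) {
            $results += [pscustomobject]@{ Scope = $_.PSChildName; Source = 'dhcp'; Servers = $p.DhcpNameServer }
        }
    }
    return $results
}

function Test-ResolverList {
    param([string]$Servers, [string[]]$Expected)
    # NameServer / DhcpNameServer are space- or comma-separated lists of addresses.
    $list = $Servers -split '[ ,]+' | Where-Object { $_ }
    return @($list | Where-Object { $Expected -notcontains $_ })
}

foreach ($entry in Get-DnsSettingsFromRegistry) {
    $bad = @(Test-ResolverList -Servers $entry.Servers -Expected $ExpectedResolvers)
    if ($bad.Count -gt 0) {
        Write-Warning ("{0} ({1}) uses unexpected DNS server(s): {2}" -f $entry.Scope, $entry.Source, ($bad -join ', '))
    } else {
        Write-Host ("{0} ({1}) OK: {2}" -f $entry.Scope, $entry.Source, $entry.Servers)
    }
}
```

On a home PC that gets its configuration from the ISP, the static NameServer values are normally empty and only DhcpNameServer is populated. A populated static NameServer that nobody set by hand, as on the computer described in this post, is the thing to look for: Windows will use it in preference to whatever the ISP supplied.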
The implications of a DNS hi-jack are profound: the hi-jacker could put up fake websites such as http://www.bankofamerica.com (residing on his own IP address) and redirect infected clients to this bogus website, where he could capture account numbers and passwords. Another ploy could be to put up a phony http://www.bankofamerica.com site and use iframes to embed the real http://www.bankofamerica.com within it, then just capture packets between the infected computer and the genuine http://www.bankofamerica.com. And, of course, prevent the targeted user from visiting any sites that the hi-jacker wished to exclude.
If you missed it, read See how easy it is to launch your own infection. or just watch Symantec’s video that shows how easily a botnet master may control his/her botnet infected computers . . . across the globe.
Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695