Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

5/29/2011

DNS Redirect Attack

Filed under: Geek Work,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Horse which is around lunchtime or 12:34 pm for you boring, normal people.
The moon is Waning Crescent

I’m seeing traffic about this, so I thought I’d write up what I found.

I tweeted about a strange DNS-based network/malware attack that I saw on Friday, but, at the time, I didn’t see any interest, so I didn’t go into any real details.  Besides, I may be a hardcore geek, but I do have a life and was going out.  But, now, I’m seeing search engine traffic hitting my blog apparently looking for details, so I thought I’d describe the attack, as I saw it.

First of all, let me mention that I’ve seen a higher-than-usual occurrence of malware infections the past couple of weeks.  I mean, it’s a hazard of my business that, sooner or later, people are going to get infected, either through bad behavior or by accident, but the past three weeks or so I’ve seen way more problems like that than is even remotely normal.  So, bearing that in mind, I’ve been on a kind of high-alert status looking for any malware problems, but this was something new.

It started with someone from another location, who’s on a totally, physically separate network which uses a different internet service provider to connect to the Internet, calling me with a problem.  It was, apparently, a recurrence of a virus he had previously that we cleaned.  He described being taken to a webpage that featured a maroon graphic background with a white icon of a policeman holding up his hand to indicate “stop”.  The text on the page gave a message that said the user’s browser was not the correct version to access the page and that an upgrade was required.  Helpfully, it provided a button to press to receive the “upgrade”.  Obviously, the “upgrade” was an infection.  (You can see an example of the graphic here.)  Thankfully, I trained my users well enough to be suspicious of these kinds of things and no one who reported this actually clicked on it.

About the same time this happened, I noticed that my iPhone wasn’t connecting to the wifi hotspot I have setup in my office.  I checked the configuration and noticed that the DNS servers listed were wrong.  In fact, they’d all been replaced with a single DNS server; 188.229.88.7  Obviously, that seemed suspicious to me, so I opened a command prompt on my PC and did a tracert to see if I could figure out where this server was and, from that, why it had become the default DNS server on part of my network, despite my having very carefully configured totally different DNS servers that I knew were safe.  It looked like the tracert results showed me a network path that led out of the country somewhere, which was, to me, very suspicious.

Before I could really pursue that, though, I got another call from a user at my location reporting the exact same error message and graphic, but going to a totally different website! I went to his computer and checked the IP configuration and found that his DNS servers had been replaced by the rogue server as well.  I refreshed his network config, several times actually, and the DNS servers reset, but, when I thought to check some other people in the same area of the building, his configuration set itself back to the rogue DNS server!  So, I reset the local network equipment to clear the DNS cache, and whatever other caches may have gotten poisoned by this attack, and the problem seemed to go away.  Unfortunately, whatever had caused the compromise was still active and seemed to poison the DNS cache and the DNS configuration again.  It did seem sporadic, though, as if the ISP was trying to correct the issue at their end.

As far as I can tell, the attack actually seemed to be network-based in some way.
At least, I couldn’t find any computer on my network that was infected with anything that AVG, Norton Anti-virus, or Malware Bytes could find.  It is, I suppose, possible, that this attack was so new that no of those programs had an updated detection pattern for it, but, based on the lack of detection, and the fact that it happened on two physically separate networks almost simultaneously, leads me to believe that this was a network-based attack.  I suspect that an ARP cache or DNS cache or something similar was attacked and compromised on a major network router somewhere.  Possibly one of the edge routers at a trans-continental connection somewhere.  From the tracert results I had, it looked like it was the East Coast somewhere, leading to Europe via London to France, though I could be wrong.  It’s possible that was a blind alley meant to throw researchers off the trail in some way.
Also, as of this writing the rogue DNS server seems to be out of commission, though that might change, too.

The Internet is a wild and wooly place, ladies and gents, and you can’t always count on your friendly, neighborhood Network Geek to watch over you and keep you safe!  So, be careful out there!
(And, if you’re a fellow professional who’s seen this, too, leave me comments and tell me what you found!)
UPDATE: Looks like the server is still active, but my ISP has blocked DNS traffic to it, to fix the problem.
Also?  I hate the bastards that do these things.  I hate every last one of the little rat bastards!

UPDATE/FOLLOW-UP: So, it seems like a lot of people have been effected by this problem!
Check the comments for what other folks did and tools they might suggest to help with the problem.  Frankly, I wish I’d had known about those tools when I started my day!  Yes, I was *totally* wrong when I said it looked like it was coming in from outside the routers.  It was, in fact, *several* PCs that were infected with whatever it was.  I found it, much like at least one commenter, by checking the results of “ipconfig /all” in a command prompt.  I noticed that the DHCP server listed in the config was NOT my actual DHCP server!  So, as I went from machine to machine, I saw several PCs that kept coming up as DHCP servers.  I used Malware Bytes to scan the infected PCs and it seemed to clean them off.  At least, for now.  I’m not sure what I’ll find in the morning.
Apparently, Friday, when it looked like the problem was getting cleaned up, it was really just people shutting their workstations down early for the long weekend.
In any case, as at least one commenter has mentioned, it looks like updates for the various scanners should be coming out this week, so keep updating your antivirus and antispyware programs and scan your networks!  Well, scan them more completely and carefully than you already have.
And, as always, if you have any new information or suggestions for tools to clear up the issue, please, leave them in the comments!

5/27/2011

What to Tweet?

Filed under: Criticism, Marginalia, and Notes,Fun,Red Herrings — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:41 am for you boring, normal people.
The moon is Waning Crescent

Are you on Twitter?

Most of you who read this blog probably get here via Facebook or Twitter these days.  Yes, I am one of those attention whores that has their Twitter setup to post status updates to Facebook when we tweet.  And, I’ve taken that a step further by setting my blog to tweet when I have released a new post.
But, sometimes, I just tweet regular, random stuff, just like every other attention whore on Twitter!  I may not tweet photos of what I’ve eaten for breakfast, but, occasionally, I tweet something that’s intended to be funny or insightful.  So, in any case, I know what it’s like to try and keep those tweets fresh and interesting.  And, I know, it’s not easy!  So, you’ll be relieved to know that there IS help!  Help in the form of the website “Yes, that can be my next tweet!

The web-app will look at your Twitter feed and use programattic magic to analyze patterns to your tweets and mash them together to suggest similar tweets.  Then, of course, you can send them right to your hordes of faithful Twitter followers who are just waiting for your next brilliant tweet about how the stupid traffic made your yummy fast-food breakfast cold!  Or whatever.  No judgement.  (Well, maybe a little.)

5/26/2011

Mac Malware News Update

Filed under: Apple,Geek Work,MicroSoft,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:26 pm for you boring, normal people.
The moon is Waning Crescent

Good news!

First, there are things you can do to protect yourself from this new Mac malware:
Start by disabling the automatic opening of downloaded files.  The world has changed for you Mac users and you simply can’t trust just any download any more.  Welcome to the world that Windows users have lived in for years and years.
Also, don’t let things install on your machine unless you’ve gone out looking for them!  Again, don’t trust anything that looks like an automatic update or a “free” program that wants to install automatically, especially if you haven’t been searching for any thing!
Seriously, you can’t trust people on the Internet.  I know this may come as a shock to the Hippie, “free-love” sort of people Mac users think themselves to generally be, but, yeah, not everyone on the Internet has your best interests at heart.  Well, except me.  You can trust me.  Honest.

Secondly, in a “few days” Apple will allegedly put out an update to make you safe again.
At least, that’s what they’re saying.  No definite deadline on that, though, so be careful and make sure to check your updates regularly!  Staying up to date on patches is one of the better ways to help prevent an infection.  Also, if you haven’t already, please, consider getting an anti-virus program for your Mac.  OS X is a growing target for hackers as the installed user-base grows, so, sooner or later, you’ll see more of these little nasties coming your way.  Your platform’s growing popularity will make it a growing target!  So, before it’s too late and you’re asking your friendly, neighborhood network geek for help in cleaning up the mess, install an anti-virus to prevent the mess in the first place.  The computer you save may be your own!

5/20/2011

Star Wars Dioramas

Filed under: Art,Fun,Movies — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 5:50 am for you boring, normal people.
The moon is Waning Gibbous

If  you read my blog, you love Star Wars.

Well, if you don’t *love * it, you at least know it and appreciate it on its technical merits.
But, you should love it.
And, it’s Friday, so you know I’m going to link to something pretty cool, right?
So, yeah, go look at these insanely detailed Star Wars dioramas at Kotaku.

No, seriously, it’s been a long week and that’s all I’ve got.
Also?  It’s Friday and you have nothing better to do anyway, so go look.
Seriously.

5/19/2011

Mac Malware

Filed under: Apple,Geek Work,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 7:03 pm for you boring, normal people.
The moon is Waning Gibbous

I told you Macs weren’t safe!

Does anyone listen to me?  No.  Well, hardly ever.
I’m sure you’ve seen the news by now that there are growing numbers of Mac malware attacks.  In fact, Apple Care, the official Apple customer service division, has reported a staggering jump in the number of malware related calls they received in just the past several weeks.  Apparently, according to the interview, it’s gotten to be quite a large problem in just that short amount of time.  They estimate that, now, up to 50% of all calls they get are related in some way to a malware attack on an Apple product.  The indication from the article is that everything is focused on Mac OS X machines, but, with larger market share comes a bigger prize for hackers, so don’t be surprised if iPhones and iPads and even iPods are attacked next!
Of course, what makes matters worse is that, allegedly, Apple Care representatives are being told not to help with malware attacks!  So, all that safety you thought you were buying with Mac?  Apparently, not the best investment.  Of course, security through obscurity never is.

So far, the threat seems to be confined to a single, aggressive bit of malware called MacDefender.  Go to the link and you’ll see a screenshot of what it looks like when it tries to install.  It looks just like a standard Mac program, right from Apple.  This is the same tactic that Windows users have been facing for years.  There’s nothing new here, outside of a new installed base of users who have never had to deal with malware before.  Mac users must look like sheep ready for fleecing to these crooks.  So, if you know Mac users, warn them and spread the word.

For those of you lucky enough to have escaped harm so far, buy and install an antivirus product and keep it up to date.
For those of you who haven’t been lucky, here’s a link to a MacDefender Malware Removal Guide. (Thanks, @joefarace!)

Incidentally, I’ve been talking about this for years.  I knew it would happen eventually, but, hey, who am I?  I mean, besides a front-line grunt that cleans up everyone’s machine when they get infected with digital herpes.  Not being a “pundit” or “respected industry figure” just means that no one takes you seriously, not that we don’t know what we’re talking about.  Because, believe me, I’m not the only network geek in the trenches who saw this coming.  We ALL did, but no one listens.

Like I wrote earlier, get the word out and show Mac users what they might expect before they get hit.
The day you save may be your own!

5/13/2011

Cthulhu Sex-Ed

Filed under: Art,Fun,Life, the Universe, and Everything,Movies,Red Herrings — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 5:29 am for you boring, normal people.
The moon is Waxing Gibbous

I can think of nothing more appropriate for a Friday the Thirteenth post.

Are you a fan of H.P. Lovecraft?
When I was in Junior High, I found H.P. Lovecraft and read him all the way through High School and even college.  But, because I found him when most people are getting sex ed for the first time, when our bodies are going through enormous, almost supernatural changes, I found this short film, via Boing Boing, called “Late Bloomer” quite funny.  Be warned, it may not be entirely safe for work, depending on your workplace and their standards, but it’s worth watching!

So, happy Friday the 13th!  Enjoy the video and have a very lucky day!

5/6/2011

Zombie Proof House

Filed under: Art,Fun,Red Herrings — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 4:27 am for you boring, normal people.
The moon is Waxing Crescent

Now, this is what I call a “safe house”!

I know, I know, I’m seriously way too obsessed with surviving the zombie apocalypse, but, hey, everyone needs a hobby, right?
Anyway, a couple weeks ago, a Facebook friend posted a link to an entry on All That Is Interesting titled The First Zombie-Proof House.  The photos are , well, impressive to say the least.  A sleek, modern home with the ultimate in austere exterior, which also seals into a virtual fortress.  A metal security shutter that rolls down over a covered patio area and actual concrete “shutters” that swing shut over recessed windows, not to mention a second-story draw bridge connecting to a detached pool facility, all ad up to a pretty nice place to wait out the End Times!

And, keep in mind, unlike other survival homes I’ve shared here, this is NOT a theoretical building!
This “house” has been built by KWK Promes and is outside of Warsaw, Poland.  I found even more photographs and details of the construction and features at a site called HomeDSGN.  While they don’t specify the owner, they mention their need to have a feeling of security while also maintaining high-standard design features.  The photos really focus on the exterior of the home and the grounds, but you can see into the building itself in several photos and the interior looks like it has the same attention to detail and quality as the outside.

So, now, you have a new standard for your zombie-survival-home desires!
Happy Friday!

5/3/2011

Mac OS X Not “Safe”

Filed under: Apple,Geek Work,MicroSoft,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:02 pm for you boring, normal people.
The moon is Waxing Crescent

The myth of an operating system that is somehow safe from virii or malware is being busted.

No, seriously, I know all you Mac users are always bragging about how much more safe your operating system is because there isn’t any malware written to attack it.  I hear it all the time.  Well, guess what kids?  You’re wrong.  There is at least one OS X Crimeware Kit, in the wild.  And, really, that’s just the one that we’ve seen lately.  If researchers have found one, there are probably others.  And, I know that there are other exploits in the wild, too.  Not as many, sure, but they are out there.  And, thanks to you all bragging about how you’re safe and being all fan-boy about your OS and telling all your friends how great it is, you’re making OS X a more and more attractive target all the time.
Remember, the reason that Windows has so many exploits written for it is because it’s installed on so many computers.  It’s marketing, really.  Where’s the biggest potential market for software?  Right, on the biggest installed base of whatever the popular operating system is.  Now, if you were a virus writer, what would you write a virus to run on?  Same thing.  So, as markets expand, so will the exploits.

Brace yourself.  The world is changing.


Powered by WordPress