Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

5/29/2011

DNS Redirect Attack

Filed under: Geek Work,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Horse which is around lunchtime or 12:34 pm for you boring, normal people.
The moon is Waning Crescent

I’m seeing traffic about this, so I thought I’d write up what I found.

I tweeted about a strange DNS-based network/malware attack that I saw on Friday, but, at the time, I didn’t see any interest, so I didn’t go into any real details.  Besides, I may be a hardcore geek, but I do have a life and was going out.  But, now, I’m seeing search engine traffic hitting my blog apparently looking for details, so I thought I’d describe the attack, as I saw it.

First of all, let me mention that I’ve seen a higher-than-usual occurrence of malware infections the past couple of weeks.  I mean, it’s a hazard of my business that, sooner or later, people are going to get infected, either through bad behavior or by accident, but the past three weeks or so I’ve seen way more problems like that than is even remotely normal.  So, bearing that in mind, I’ve been on a kind of high-alert status looking for any malware problems, but this was something new.

It started with someone from another location, who’s on a totally, physically separate network which uses a different internet service provider to connect to the Internet, calling me with a problem.  It was, apparently, a recurrence of a virus he had previously that we cleaned.  He described being taken to a webpage that featured a maroon graphic background with a white icon of a policeman holding up his hand to indicate “stop”.  The text on the page gave a message that said the user’s browser was not the correct version to access the page and that an upgrade was required.  Helpfully, it provided a button to press to receive the “upgrade”.  Obviously, the “upgrade” was an infection.  (You can see an example of the graphic here.)  Thankfully, I trained my users well enough to be suspicious of these kinds of things and no one who reported this actually clicked on it.

About the same time this happened, I noticed that my iPhone wasn’t connecting to the wifi hotspot I have set up in my office.  I checked the configuration and noticed that the DNS servers listed were wrong.  In fact, they’d all been replaced with a single DNS server: 188.229.88.7.  Obviously, that seemed suspicious to me, so I opened a command prompt on my PC and did a tracert to see if I could figure out where this server was and, from that, why it had become the default DNS server on part of my network, despite my having very carefully configured totally different DNS servers that I knew were safe.  It looked like the tracert results showed me a network path that led out of the country somewhere, which was, to me, very suspicious.

Before I could really pursue that, though, I got another call from a user at my location reporting the exact same error message and graphic, but going to a totally different website! I went to his computer and checked the IP configuration and found that his DNS servers had been replaced by the rogue server as well.  I refreshed his network config, several times actually, and the DNS servers reset, but, when I thought to check some other people in the same area of the building, his configuration set itself back to the rogue DNS server!  So, I reset the local network equipment to clear the DNS cache, and whatever other caches may have gotten poisoned by this attack, and the problem seemed to go away.  Unfortunately, whatever had caused the compromise was still active and seemed to poison the DNS cache and the DNS configuration again.  It did seem sporadic, though, as if the ISP was trying to correct the issue at their end.

As far as I can tell, the attack actually seemed to be network-based in some way.
At least, I couldn’t find any computer on my network that was infected with anything that AVG, Norton Anti-virus, or Malware Bytes could find.  It is, I suppose, possible that this attack was so new that none of those programs had an updated detection pattern for it, but the lack of detection, and the fact that it happened on two physically separate networks almost simultaneously, lead me to believe that this was a network-based attack.  I suspect that an ARP cache or DNS cache or something similar was attacked and compromised on a major network router somewhere.  Possibly one of the edge routers at a trans-continental connection somewhere.  From the tracert results I had, it looked like it was the East Coast somewhere, leading to Europe via London to France, though I could be wrong.  It’s possible that was a blind alley meant to throw researchers off the trail in some way.
Also, as of this writing the rogue DNS server seems to be out of commission, though that might change, too.

The Internet is a wild and wooly place, ladies and gents, and you can’t always count on your friendly, neighborhood Network Geek to watch over you and keep you safe!  So, be careful out there!
(And, if you’re a fellow professional who’s seen this, too, leave me comments and tell me what you found!)
UPDATE: Looks like the server is still active, but my ISP has blocked DNS traffic to it, to fix the problem.
Also?  I hate the bastards that do these things.  I hate every last one of the little rat bastards!

UPDATE/FOLLOW-UP: So, it seems like a lot of people have been affected by this problem!
Check the comments for what other folks did and tools they might suggest to help with the problem.  Frankly, I wish I’d known about those tools when I started my day!  Yes, I was *totally* wrong when I said it looked like it was coming in from outside the routers.  It was, in fact, *several* PCs that were infected with whatever it was.  I found it, much like at least one commenter, by checking the results of “ipconfig /all” in a command prompt.  I noticed that the DHCP server listed in the config was NOT my actual DHCP server!  So, as I went from machine to machine, I saw several PCs that kept coming up as DHCP servers.  I used Malware Bytes to scan the infected PCs and it seemed to clean them off.  At least, for now.  I’m not sure what I’ll find in the morning.
Apparently, Friday, when it looked like the problem was getting cleaned up, it was really just people shutting their workstations down early for the long weekend.
In any case, as at least one commenter has mentioned, it looks like updates for the various scanners should be coming out this week, so keep updating your antivirus and antispyware programs and scan your networks!  Well, scan them more completely and carefully than you already have.
And, as always, if you have any new information or suggestions for tools to clear up the issue, please, leave them in the comments!
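The follow-up found infected PCs answering as DHCP servers and handing out 188.229.88.7 as the DNS server, which the author caught by reading “ipconfig /all” machine by machine.  This added Python example (not from the post) automates that check: it parses ipconfig /all output and flags any DHCP or DNS server address that is not on an allow-list.  The sample output, the 192.168.1.x addresses, the adapter names and the allow-list values are constructed for illustration.

```python
import re

# Constructed sample of "ipconfig /all" output (not captured from the author's network).
# 188.229.88.7 is the rogue DNS address named in the post; the 192.168.1.x values are illustrative.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.57
   DHCP Server . . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 188.229.88.7

Wireless LAN adapter Wireless Network Connection:

   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
"""

# Allow-lists (assumed values): the one real DHCP server and the DNS servers it should hand out.
EXPECTED_DHCP = {"192.168.1.1"}
EXPECTED_DNS = {"192.168.1.1", "8.8.8.8"}

def parse_ipconfig(text):
    """Return {adapter: {"dhcp": [...], "dns": [...]}} from ipconfig /all text (IPv4 only)."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):  # adapter header
            current = line[:-1].strip()
            adapters[current] = {"dhcp": [], "dns": []}
            last_key = None
            continue
        if current is None:
            continue
        m = re.match(r"\s+(DHCP Server|DNS Servers)[ .]*: (\S+)", line)
        if m:
            last_key = "dhcp" if m.group(1).startswith("DHCP") else "dns"
            adapters[current][last_key].append(m.group(2))
            continue
        # Extra DNS servers appear on unlabeled, indented continuation lines.
        m = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
        if m and last_key == "dns":
            adapters[current]["dns"].append(m.group(1))
        else:
            last_key = None
    return adapters

def find_rogues(adapters, expected_dhcp, expected_dns):
    """List (adapter, field, address) for every server not on the allow-lists."""
    findings = []
    for name, cfg in adapters.items():
        findings += [(name, "DHCP Server", a) for a in cfg["dhcp"] if a not in expected_dhcp]
        findings += [(name, "DNS Servers", a) for a in cfg["dns"] if a not in expected_dns]
    return findings
```

On a live Windows host, feed `subprocess.check_output(["ipconfig", "/all"], text=True)` to `parse_ipconfig` instead of the sample; a DHCP Server entry that is not your real server is the sign of an infected PC answering DHCP requests, as in the follow-up.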

1/2/2010

Review (One of Three): Sherlock Holmes

Filed under: Fun,Movies,Review — Posted by the Network Geek during the Hour of the Sheep which is in the early afternoon or 2:55 pm for you boring, normal people.
The moon is Waning Gibbous

So, I’ve seen a couple of movies in the past several weeks that I have been too busy to review.  Here’s one of those.

I’m doing this in reverse order, by the way, and reviewing the most recent movie first.  On Christmas Day, I saw Sherlock Holmes with a friend, like we have for the past three years now.  In fact, when we started that shortly after I got out of cancer treatment, that was the start of my massive spree of hitting in the theaters.  In any case, I’ve seen a lot of movies in the past two years, but I try not to get jaded and all snooty about it like the professional critics do.  I tried to set aside any preconceived notions about what this film should be and just tried to be open to the experience.

It was, um, interesting.
I don’t really think of Sherlock Holmes as an action hero, but, that’s sure what Robert Downey Jr. and Guy Ritchie made him.  And, you know what?  It worked.  Yeah, it really did.  Now, I’m sure purists will get bent out of shape with Holmes boxing, or doing savate, or whatever it was supposed to be, but, really, it doesn’t seem like such a stretch to me.

But, I’m getting ahead of myself.
The plot is typical Victorian era adventure stuff.  The opening scene starts with an attempted occult murder, a sacrifice, that is thwarted by Holmes, played by Downey, and his faithful companion, Dr. Watson, played by Jude Law.  The erstwhile occultist, and thwarted murderer, is Lord Blackwood, a nobleman and, quite obviously, the villain.  And, yeah, if his name didn’t give it away, his theme music did.  A little heavy handed, but, still all in the spirit of a good adventure.
Then, we quickly fast forward through Blackwood’s trial and right to the day before his execution.  Watson is set to attend the execution as both one of his accusers and as a physician, to certify his death.  However, it’s Holmes that Blackwood calls for before his execution so that he may deliver a prediction about his return from the grave and other, more dire, predictions about deaths that Holmes won’t be able to prevent.

Naturally, these things come to pass, in spite of Holmes and Watson’s best efforts to stop them.  We also discover the person Holmes always referred to as “The Woman”, in the stories by Sir Arthur Conan Doyle, Ms. Irene Adler.  In the movie, however, she’s a much more active and adventuresome woman, at least in the athletic sense, and played by Rachel McAdams.  And, she’s quite troublesome to the pair of friends.  At first, she seems to be working against the two men and, possibly, is in league with Blackwood.  But, it’s not long before we discover that she’s actually working for someone else entirely and is only partially at cross-purposes to Holmes and Watson.

There is also at least one subplot here; Watson’s engagement.
He takes his fiancée to meet Holmes for dinner, though he’s obviously been avoiding it.  It seems he’s not all that keen on losing his best, and oldest, friend to marriage.  The meeting is a disaster as Holmes only partially deduces her story and essentially accuses her of being a gold-digger out to marry a wealthy doctor.  In fact, her previous fiancé died and she is quite in love with Watson, who already was aware of all the things which Holmes correctly detected.  And this will prove a key relationship as she is quite helpful to Watson several times during the ensuing adventure.

The prophecies that Blackwood made all start coming true, of course, much to Holmes and Watson’s growing discomfort.  And, naturally, Holmes’ obsession with trying to prevent these events, as well as trying to track down Blackwood, leads the two men on a twisting journey through a slightly anachronistic Victorian, really almost Edwardian, London.  Along the way, they run afoul of Ms. Adler and her mysterious employer until she and Holmes eventually agree to work together, though, she never really stops working for the other man.
Blackwood’s predictions, incidentally, all seem to be centered around some sort of occult plot to take over the world, naturally.  Blackwood is trying to gain control over a quasi-Masonic occult secret society with roots in England, but branches as far as America.  As is usual in the Sherlock Holmes stories, he uses cutting edge science to make what seems to be magical events occur under his control.  The superstitious members of the society assume that he’s managed to achieve a higher level of occult competency and, therefore, out of fear, or greed, follow him.  But, of course, Sherlock Holmes and John Watson are there to fight for justice, etc., etc.

Now, I won’t ruin the movie by revealing more of the plot and I certainly won’t tell you how it ends, except to say that they do leave things open for a sequel.
Okay, let me make it clear here, I liked this movie, even though it does present a somewhat non-traditional Holmes.  I didn’t mind the boxing or savate or whatever it was Holmes was doing.  It made for fantastic action sequences.  I didn’t even mind that Downey couldn’t seem to maintain a consistent English accent.  Honestly, the action was so good and the rest of the acting was so good that the minor slip of accent was barely noticeable.
I was somewhat less thrilled about the heavy-handed occult references and the entire secret society subplot.  Maybe it has to do with the fact that I am a Freemason, so I see the attempts to mimic the Fraternity in these occult societies and, frankly, I know just how wrong they are.  Also, frankly, the older I get the more hokey I find the average supernatural stories in the movies and such.  Maybe it’s just that I’m getting more spiritual and therefore less superstitious, but it just seems less and less believable.
And, the one anachronism that was just too huge to ignore was a reference to radio waves.  At the time the story takes place, if “radio waves” had even been discovered, which I’m almost certain they had not been, they certainly wouldn’t have been called radio waves.  If anything, they might have been called Hertzian waves.  But, Nikola Tesla, the first patent holder of a true, working radio device, had either not been born yet, or was less than ten years old, depending on precisely when the story in the movie was to have taken place.  But, honestly, that was a relatively small thing and didn’t get in the way of my general enjoyment of the film at all.

I know this film will be eclipsed by Avatar, but I really enjoyed it and I whole-heartedly recommend it to anyone who likes action movies, or even Sherlock Holmes.  It was thoroughly enjoyable and well worth seeing.
I think I may even look forward to seeing a sequel!

2/9/2007

Some Homey Links

Filed under: Art,By Bread Alone,Fun,Life, the Universe, and Everything,News and Current Events,The Network Geek at Home — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 5:51 am for you boring, normal people.
The moon is a Third Quarter Moon

So, today, my Friday Fun Links have a theme.

I’m not sure if it was the cleaning this week or what, but I’ve been feeling very, well, um, “domestic”.  So, my fun links this week pretty much all have to do with things around the house, or housing itself.
Okay, so let’s start from the outside and work our way in.  First, I have a link to some interesting plans for an 11 foot by 7 foot flat in London.  Apparently inspired by a janitor’s closet with a bathroom that sold for £170,000 in London’s upmarket Chelsea, the plan is really quite ingenious.
Now, let’s talk furnishings…  If you’ve just spent $335,000 on a large broom closet, you probably don’t have much left over for furniture, so it’ll be IKEA for you.  No worries, though, thanks to the IKEA Hacker blog.  Yes, the stuff on that blog all started life as humble IKEA flatpack that got modified into something wonderful.  I especially like the breakfast nook for two.
But, you’ll need light for this tiny hovel, right?  Well, thanks to Gizmodo, you can light your flat with the coolest, freakiest science-fiction lamps ever.  Also, you can use the coolest, hippest, most radically arty light switches ever to turn the lights on.  I thought the pool ball switch was cool for the mini-flat, since it was described as being about the size of a billiards table.
But, wait!  There’s more!  Since this flat would be so totally strapped for space, there’d be no room for a rack of cookbooks in the kitchen, er, make that, by the tiny hotplate and microwave.  So, instead, use the coo.boo Digital Cookbook that’s the size and shape of a spatula!
And, finally, in a barely related story, if you can squeeze into the fridge, get out some Ben and Jerry’s Stephen Colbert’s Americone Dream ice cream.  No, I’m not making that up, but, also no, it’s not quite available yet.  Yet.

So, there you have it, a geek getting domestic and working on too little sleep.  Enjoy your links and your Friday!
Oh, and don’t forget to vote in the poll!!

9/7/2004

Remembering Mr. Zevon

Filed under: Art,Deep Thoughts,Life, the Universe, and Everything,News and Current Events,Personal — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:31 am for you boring, normal people.
The moon is a Third Quarter Moon

Last year, on this day, Warren Zevon died.

Warren Zevon was one of the most influential musicians of our time. The sad thing is, there are so many people who don’t even know it. He wrote an amazing number of songs for other people to record. So many, that I don’t know where I’d start. Of course, it was his own work that I loved the best. Nothing beats WZ singing “Piano Fighter” or “Seminole Bingo”. I know for a time, I lived, or wanted to live, “Mr. Bad Example” for real. Unfortunately, he’s known best for “Werewolves of London”. Don’t get me wrong, it’s a great song, but it’s just so little of what made WZ great. I mean, what can you say about a guy whose personal physician was Hunter Thompson! And had guys like Dave Barry coming to see him while he was dealing with the pain of his cancer. He was just a miracle of a man.
We miss you, Mr. Zevon, but thanks for the great music and memories you left behind.

5/15/2004

Job News!

Filed under: Career Archive,Geek Work,Novell,Personal — Posted by the Network Geek during the Hour of the Snake which is mid-morning or 10:05 am for you boring, normal people.
The moon is Waning Crescent

And, it’s good news, too!

I’ve been called back for a second interview!! Yea!
So, obviously, the interview last week went well. And, this could be a really good job. They’re a world-wide organization with offices in some really interesting places, like Singapore, London, Africa, and Equatorial Guinea. And, best of all, they’re building a big network all based on Novell products. Oh, and they’re rolling out a PeopleSoft solution on Linux. Score! So, I would get to use all my favorite skills, learn new things, travel to exotic locales, and the main office is less than 10 minutes from my house, even with bad traffic.
Well, anyway, I found this out yesterday, but I didn’t want to detract from my “fun Friday” posting, so I waited until today to post the update.
I’ll keep you posted!
