I’m seeing traffic about this, so I thought I’d write up what I found.
I tweeted about a strange DNS-based network/malware attack that I saw on Friday, but, at the time, I didn’t see any interest, so I didn’t go into any real details. Besides, I may be a hardcore geek, but I do have a life and was going out. But, now, I’m seeing search engine traffic hitting my blog apparently looking for details, so I thought I’d describe the attack, as I saw it.
First of all, let me mention that I’ve seen a higher-than-usual occurrence of malware infections the past couple of weeks. I mean, it’s a hazard of my business that, sooner or later, people are going to get infected, either through bad behavior or by accident, but the past three weeks or so I’ve seen way more problems like that than is even remotely normal. So, bearing that in mind, I’ve been on a kind of high-alert status looking for any malware problems, but this was something new.
It started with someone from another location, who’s on a totally, physically separate network which uses a different internet service provider to connect to the Internet, calling me with a problem. It was, apparently, a recurrence of a virus he had previously that we cleaned. He described being taken to a webpage that featured a maroon graphic background with a white icon of a policeman holding up his hand to indicate “stop”. The text on the page gave a message that said the user’s browser was not the correct version to access the page and that an upgrade was required. Helpfully, it provided a button to press to receive the “upgrade”. Obviously, the “upgrade” was an infection. (You can see an example of the graphic here.) Thankfully, I trained my users well enough to be suspicious of these kinds of things and no one who reported this actually clicked on it.
About the same time this happened, I noticed that my iPhone wasn’t connecting to the wifi hotspot I have setup in my office. I checked the configuration and noticed that the DNS servers listed were wrong. In fact, they’d all been replaced with a single DNS server; 126.96.36.199 Obviously, that seemed suspicious to me, so I opened a command prompt on my PC and did a tracert to see if I could figure out where this server was and, from that, why it had become the default DNS server on part of my network, despite my having very carefully configured totally different DNS servers that I knew were safe. It looked like the tracert results showed me a network path that led out of the country somewhere, which was, to me, very suspicious.
Before I could really pursue that, though, I got another call from a user at my location reporting the exact same error message and graphic, but going to a totally different website! I went to his computer and checked the IP configuration and found that his DNS servers had been replaced by the rogue server as well. I refreshed his network config, several times actually, and the DNS servers reset, but, when I thought to check some other people in the same area of the building, his configuration set itself back to the rogue DNS server! So, I reset the local network equipment to clear the DNS cache, and whatever other caches may have gotten poisoned by this attack, and the problem seemed to go away. Unfortunately, whatever had caused the compromise was still active and seemed to poison the DNS cache and the DNS configuration again. It did seem sporadic, though, as if the ISP was trying to correct the issue at their end.
As far as I can tell, the attack actually seemed to be network-based in some way.
At least, I couldn’t find any computer on my network that was infected with anything that AVG, Norton Anti-virus, or Malware Bytes could find. It is, I suppose, possible, that this attack was so new that no of those programs had an updated detection pattern for it, but, based on the lack of detection, and the fact that it happened on two physically separate networks almost simultaneously, leads me to believe that this was a network-based attack. I suspect that an ARP cache or DNS cache or something similar was attacked and compromised on a major network router somewhere. Possibly one of the edge routers at a trans-continental connection somewhere. From the tracert results I had, it looked like it was the East Coast somewhere, leading to Europe via London to France, though I could be wrong. It’s possible that was a blind alley meant to throw researchers off the trail in some way.
Also, as of this writing the rogue DNS server seems to be out of commission, though that might change, too.
The Internet is a wild and wooly place, ladies and gents, and you can’t always count on your friendly, neighborhood Network Geek to watch over you and keep you safe! So, be careful out there!
(And, if you’re a fellow professional who’s seen this, too, leave me comments and tell me what you found!)
UPDATE: Looks like the server is still active, but my ISP has blocked DNS traffic to it, to fix the problem.
Also? I hate the bastards that do these things. I hate every last one of the little rat bastards!
UPDATE/FOLLOW-UP: So, it seems like a lot of people have been effected by this problem!
Check the comments for what other folks did and tools they might suggest to help with the problem. Frankly, I wish I’d had known about those tools when I started my day! Yes, I was *totally* wrong when I said it looked like it was coming in from outside the routers. It was, in fact, *several* PCs that were infected with whatever it was. I found it, much like at least one commenter, by checking the results of “ipconfig /all” in a command prompt. I noticed that the DHCP server listed in the config was NOT my actual DHCP server! So, as I went from machine to machine, I saw several PCs that kept coming up as DHCP servers. I used Malware Bytes to scan the infected PCs and it seemed to clean them off. At least, for now. I’m not sure what I’ll find in the morning.
Apparently, Friday, when it looked like the problem was getting cleaned up, it was really just people shutting their workstations down early for the long weekend.
In any case, as at least one commenter has mentioned, it looks like updates for the various scanners should be coming out this week, so keep updating your antivirus and antispyware programs and scan your networks! Well, scan them more completely and carefully than you already have.
And, as always, if you have any new information or suggestions for tools to clear up the issue, please, leave them in the comments!