RandomRobert
join:2017-05-29
Berkeley, CA

3 edits

1 recommendation

RandomRobert

Member

[Connectivity] SOLVED: The dreaded "utopia.net" DNS hijack.

AFTERMATH
Update: SOLVED
I opened my AVAST antivirus and internet security, and did a “Scan network for threats”, it found a vulnerability for WannaCry DoublePulsar ransomware/malware virus, and so I followed their instructions on how to remove it using an update patch.
(NOTE: I am not certain what, if any, connection this has with my former problem)
Google this to find out the patch for your version of windows.
“March 2017 Security Only Quality Update for Windows”

So I went to the “settings” in the firewall section of avast, and saw a list of "network profiles", scrolled down, and among them, sure enough, was Utopia.net! I selected “Delete” from the right click drop down menu, not really knowing what would happen. And deleted utopia.net from the network profiles list.
Strangely, when I went back to "firewall" despite the fact that Avast said I was not connected to a network, I was able to go to several pages easily.

Finally I restarted my computer and then when I logged back on, POW, utopia.net was no longer listed as the network I was connected to. My network now says
“Currently connected to hsd1.ca.comcast.net”

I don’t know how I would do that in other security programs, but I’d guess that deleting the network profile “utopia.net” is the key, since it was for me. Thanks for all your help!

RR
___________________________________________________
Here is the past using avast I used to get rid of utopia.net.

NOTE: Changing the DNS server setting in "Adapter settings" did not work in getting rid of utopia.net for me at least.

Anon0844a
@verizon.net

1 recommendation

Anon0844a

Anon

[Connectivity] Re: The dreaded "utopia.net" DNS hijack.

Read this?

»DNS hijacking

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

1 edit

jbob to RandomRobert

Premium Member

to RandomRobert
Try this link on Comcast's own forum

»forums.xfinity.com/t5/Yo ··· /2888703

I see it looks like you have a post on Bleeping Computer too. They're good.
RandomRobert
join:2017-05-29
Berkeley, CA

1 recommendation

RandomRobert

Member

There's amazingly little information available on what this even is.
Thanks,
RR

JJ Johnson
Premium Member
join:2001-08-25
Fort Collins, CO

JJ Johnson to RandomRobert

Premium Member

to RandomRobert
said by RandomRobert:

I looked up one day and my status went from "currently connected to Xfinity comcast" to "Currently connected to Utopia.net"

Where exactly do you see this? If your house is connected to the internet via Comcast, then you're connected to Comcast. That can't be hijacked or changed.
RandomRobert
join:2017-05-29
Berkeley, CA

2 recommendations

RandomRobert

Member

Connected via Comcast and through which DNS servers are two different things I think.
Here, in network center and in my system tray.

JJ Johnson
Premium Member
join:2001-08-25
Fort Collins, CO

JJ Johnson

Premium Member

Is that a wireless connection?

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

2 recommendations

NetFixer

Premium Member

said by JJ Johnson:

Is that a wireless connection?

This is about a router vulnerability that allows the router's DHCP/DNS services to be hijacked. It has nothing to do with WiFi vs Ethernet connections.

FYI, it is not limited to just Comcast gateways, but since Comcast is probably the largest user of cable gateways, their gateways are probably more likely to be infected just due to the numbers.

The typical infection method is the usual visiting of an infected or malicious web site, or clicking on a malicious link in an email. The real cure will have to come from cooperation between the router vendors and ISPs, and a commitment to actually do something about it (which so far is not evident).

Devious
Premium Member
join:2002-08-22
Seattle, WA

Devious to RandomRobert

Premium Member

to RandomRobert
»Re: [Connectivity] dns errors etc intermittent errors

JJ Johnson
Premium Member
join:2001-08-25
Fort Collins, CO

1 recommendation

JJ Johnson to NetFixer

Premium Member

to NetFixer
said by NetFixer:

This is about a router vulnerability that allows the router's DHCP/DNS services to be hijacked. It has nothing to do with WiFi vs Ethernet connections.

So it just changes the DNS servers assigned to clients through DHCP? If so, that's trivial to fix.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

1 recommendation

jbob

Premium Member

The question is whether it's the router affected by itself or a machine inside the router is infected, thus reinfecting the router again and again. You would think a router reset would fix things, but other posts (elsewhere) suggest it doesn't work.

I'm kinda surprised at the lack of topics with answers that show up on a Google search.

Jim721
join:2014-07-31
Belleville, MI

1 recommendation

Jim721

Member

Is it possible to Telnet or SSH into the router and clear all NVRAM and memory? As far as the computer, I would do a full wipe out with a clean install, no games here.

tshirt
Premium Member
join:2004-07-11
Snohomish, WA

2 recommendations

tshirt to jbob

Premium Member

to jbob
said by jbob:

or a machine inside the router is infected thus reinfecting the router again and again.

And/or infecting one or more machines to reinfect router/first attached device upon/shortly after reboot.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR

1 recommendation

jbob to RandomRobert

Premium Member

to RandomRobert
Have you tried a hardware reset of the Gateway (TG1862G)? Do you have another modem you can connect and try?
RandomRobert
join:2017-05-29
Berkeley, CA

1 edit

1 recommendation

RandomRobert

Member

Re: The dreaded "utopia.net" DNS hijack.

Update: SOLVED
I opened my AVAST antivirus and internet security, and did a “Scan network for threats”, it found a vulnerability for WannaCry DoublePulsar ransomware/malware virus, and so I followed their instructions on how to remove it using an update patch. NOTE: I am not certain what, if any, connection this has with my former problem.
Google this to find out the patch for your version of windows.
“March 2017 Security Only Quality Update for Windows”

Then, I opened Avast again, went to “firewall” and noticed there too it said that my network was “Utopia.net”
So I went to the “settings” in the firewall section of avast, and saw a list of network profiles, and among them, sure enough, was Utopia.net! I selected “Delete” from the right click drop down menu, not really knowing what would happen. And deleted utopia.net from the network profiles list.
Strangely, despite the fact that Avast said I was not connected to a network, I was able to go to several pages easily.

Finally I restarted my computer and then when I logged back on, POW, utopia.net was no longer listed as the network I was connected to. My network now says
“Currently connected to hsd1.ca.comcast.net”

I don’t know how I would do that in other security programs, but I’d guess that deleting the network profile “utopia.net” is the key, since it was for me. Thanks for all your help! THIS WAS DRIVING ME CRAZY!

NOTE: Advanced DNS settings address changes did nothing for me; I run Windows 7 Ultimate 64-bit.

RR
computerman2
Premium Member
join:2002-04-20
Trenton, MI

1 recommendation

computerman2

Premium Member

[Connectivity] Re: The dreaded "utopia.net" DNS hijack.

Well, I don't have that option in my Avast. I use Avast Free Version without Firewall. Network scan shows NO problems on any devices; all machines have been scanned, phones, tablets with Avast Mobile. I'm at a loss; every time I restart this gateway (Cisco DPC3941T) it shows DNS suffix utopia.net. 2 machines are Windows 10 Pro, fully patched, 1 Windows PC, fully patched.

Willing to do a full Gateway reset soon as I have time to.

Devious
Premium Member
join:2002-08-22
Seattle, WA

3 recommendations

Devious

Premium Member

Check the network adapter TCP/IPv4 DNS setting on each computer.

You may have utopia listed in there as DNS on one of your computers.

DNS should be blank, and this pic shows the default setting in Win 10.


computerman2
Premium Member
join:2002-04-20
Trenton, MI

1 recommendation

computerman2

Premium Member

That is all clear on all systems, on both Windows 10 systems; the Windows system I can reload up and check that one too.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

4 recommendations

NetFixer to jbob

Premium Member

to jbob
said by jbob:

The question is whether it's the router affected by itself or a machine inside the router is infected thus reinfecting the router again and again. You would think a router reset would fix things but other posts(elsewhere) suggest it doesn't work.

The infection agent is in a PC (or PCs) connected to the router. That agent then proceeds to make changes to the vulnerable router's DHCP and DNS services (it is the DHCP service that changes the network name of its client computers) with the object being to send users' DNS requests to utopia.net controlled DNS servers. Until the PCs are cleared of the infection (or at least blocked as some have done with firewalls and/or hosts file entries), and until the router vendors and ISPs get off their butts and fix the router vulnerability, this utopia.net boondoggle will continue.
computerman2
Premium Member
join:2002-04-20
Trenton, MI

1 recommendation

computerman2

Premium Member

So far done in order on my systems here

Avast boot scan
Clean system install and drive wipe on Desktop 8 Core system
Full virus scan with Windows Defender/Offline scan as well
Eset online scan
ADW Cleaner scan
junkware removal tool
Malwarebytes full scan on all of them, including every drive connected, external and everything

Complete Gateway reset
reprovision done from Comcast even

If there is anything I missed, I'm willing to do more.
RandomRobert
join:2017-05-29
Berkeley, CA

1 recommendation

RandomRobert

Member

Computerman! Can you go to Firewall? Once there, can you see "Settings"? (far right, small print)
If so, click on it and choose "Network profiles".
computerman2
Premium Member
join:2002-04-20
Trenton, MI

1 recommendation

computerman2

Premium Member

I don't have Firewall in Avast Free, and I use Windows Firewall in Windows 10 here.

In Avast Free I have the following shields installed: File Shield, Web Shield, Mail Shield, Behavior Shield, and Wi-Fi Inspector.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR

3 recommendations

jbob to RandomRobert

Premium Member

to RandomRobert

Re: [Connectivity] SOLVED: The dreaded "utopia.net" DNS hijack.

Can't you do a Registry search for utopia.net for location?

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 edit

1 recommendation

NetFixer to computerman2

Premium Member

to computerman2

Re: [Connectivity] Re: The dreaded "utopia.net" DNS hijack.

said by computerman2:

I don't have Firewall in Avast Free, and I use Windows Firewall in Windows 10 here

If you don't have a software firewall that can delete/protect network profiles, you might try the hosts file approach that was suggested in another forum post (sorry, I don't remember exactly where I saw the post that claimed a hosts file entry "fixed" the problem).

Make a 127.0.0.1 utopia.net entry in your existing hosts file (or create one if you don't currently have one). Substituting 0.0.0.0 for 127.0.0.1 may also work for you without the delay that 127.0.0.1 sometimes introduces (on the occasions that I have used a hosts file to block access to certain host names, I almost always use 0.0.0.0 even though most "experts" will say to always use 127.0.0.1). You should write-protect the hosts file after making this entry. The hosts file "fix" is only a cover-up (and if you have multiple PCs and other devices, you may need to do the same thing for all devices) and you may still need to do a factory reset on your gateway again to clear the bogus changes made to it by the utopia.net infection.

I wish I could tell you what you need to do to remove it from infected PCs, but I have not personally encountered this particular malware (although I have seen similar things in the past), so I can't offer any first hand advice on that subject. One thing you might try doing is to search the Windows registry for "utopia.net", and that might give you a clue to where the infection is hiding. It is possible that just deleting any utopia.net references in the registry might "fix" the problem -- but don't delete anything if you are not sure what you are deleting. Searching the file system for files containing utopia.net might also be helpful in finding the source of the infection (make sure that you include system and hidden files in that search).
computerman2
Premium Member
join:2002-04-20
Trenton, MI

1 recommendation

computerman2

Premium Member

Yeah, I'll work on it more tomorrow; I think for tonight I'm about done looking through things. Already did the hosts file and write-protected it, so hopefully that helps on all systems.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 recommendation

NetFixer to jbob

Premium Member

to jbob

Re: [Connectivity] SOLVED: The dreaded "utopia.net" DNS hijack.

said by jbob:

Can't you do a Registry search for utopia.net for location?

Your faster nimbler fingers beat my slow stiff arthritic fingers to the punch.

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX

2 recommendations

DarkLogix to NetFixer

Premium Member

to NetFixer

Re: [Connectivity] Re: The dreaded "utopia.net" DNS hijack.

said by NetFixer:

Make a 127.0.0.1 utopia.net entry in your existing hosts file

Why not a ::1 entry instead? or just ::

tshirt
Premium Member
join:2004-07-11
Snohomish, WA

1 recommendation

tshirt

Premium Member

said by DarkLogix:

Why not a ::1 entry instead? or just ::

Good idea, but add a comment line so you don't delete it later.
said by NetFixer:

One thing you might try doing is to search the Windows registry for "utopia.net",

You may not find utopia.net shown; even so, simple low-memory devices seem to be reseeding this, so maybe the infector file just redirects to a WAN site which injects "utopia.net" and the redirect file on each vulnerable machine on the LAN side.
A bit more complex than the typical DNS hijack, very persistent, and maybe multiple reinfection modes.
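As an added example (not code from any poster in this thread), the hosts-file sinkhole NetFixer describes, the ::1/:: variant DarkLogix raises, and the DHCP-assigned suffix and resolvers NetFixer says the hijack changes can all be checked from a script. The hosts file and `ipconfig /all` excerpt below are constructed samples, and 198.51.100.7 is a placeholder address, not an indicator from the thread.

```python
"""Added checks for the utopia.net hijack in this thread; sample inputs are constructed so it runs offline."""
import re
HIJACK_SUFFIX = "utopia.net"
# A hosts entry only sinkholes the name if it points at loopback or the unspecified address.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Constructed hosts file (on Windows: %SystemRoot%\System32\drivers\etc\hosts) with one active sinkhole entry.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# block the rogue DHCP/DNS suffix pushed by the gateway; do not remove
0.0.0.0         utopia.net
"""
# Constructed `ipconfig /all` excerpt; 198.51.100.7 (documentation address) stands in for a rogue extra resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . : utopia.net
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.1
                                       198.51.100.7
"""
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /-]*?)[ .]*:\s*(.*)$")
def hosts_addrs(hosts_text, hostname=HIJACK_SUFFIX):
    """Addresses that actively map hostname ('#' comments dropped first; match is case-insensitive)."""
    addrs = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname.lower() in (n.lower() for n in fields[1:]):
            addrs.add(fields[0])
    return addrs

def is_sinkholed(hosts_text, hostname=HIJACK_SUFFIX):
    """True when at least one active entry points hostname at a sinkhole address."""
    return bool(hosts_addrs(hosts_text, hostname) & SINKHOLE_ADDRS)

def parse_ipconfig(text):
    """Map adapter name -> {field: value}; 'DNS Servers' is a list (extra resolvers sit on continuation lines)."""
    adapters, cur, last_key = {}, {}, None  # cur starts as a throwaway dict for pre-adapter host lines
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            cur, last_key = adapters.setdefault(line[:-1], {}), None
        elif (m := FIELD_RE.match(line)):
            last_key = m.group(1)
            cur[last_key] = [m.group(2)] if last_key == "DNS Servers" else m.group(2)
        elif last_key == "DNS Servers" and line.strip():
            cur[last_key].append(line.strip())
    return adapters

def hijacked_adapters(text, suffix=HIJACK_SUFFIX):
    """Adapters whose DHCP-assigned suffix is the hijack suffix, mapped to the resolvers they were handed."""
    return {name: f.get("DNS Servers", []) for name, f in parse_ipconfig(text).items()
            if f.get("Connection-specific DNS Suffix", "").lower() == suffix}
```

A commented-out hosts line or an entry pointing at a routable address is reported as not sinkholed, which is the failure mode tshirt's "add a comment line" advice is meant to avoid.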

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX

1 recommendation

DarkLogix

Premium Member

said by tshirt:

said by DarkLogix:

Why not a ::1 entry instead? or just ::

Good idea, but add a comment line so you don't delete it later.

Ya go IPv6 with your loopbacks.
computerman2
Premium Member
join:2002-04-20
Trenton, MI

1 recommendation

computerman2

Premium Member

Modem restarted this morning for firmware update, Comcast DPC3941T 3941T. I ran Avast boot scan last night, all hard disks--results clean lol

Did show utopia.net during the modem's reload after firmware update.

DPC3941_2.6p1s1_prod_sey

Checked registry last night before I went upstairs and let the virus scan check all the drives; only one cached entry found for utopia.net, deleted that, restarted, ran the virus scan overnight.

Very strange issue, I think I can safely say all the machines locally are clean, I ran scan on all of them 4 times