BeesTea
Internet Janitor
Premium,VIP
join:2003-03-08
00000

Something's changing DNS values

Something to watch for

http://article.gmane.org/gmane.comp.security.ntbugtraq/974

We've spotted a few of these hosts already and are finding more. The two IPs used as replacements are:

216.127.92.38 and 69.51.146.14

The malware makes the following registry changes as well.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

As Russ said in the post I linked, I'll post more when I know more. Watch your flows for connections to these hosts (UDP 53).

Cheers,
-BeesT
--
2b2b2b415448300d
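
As an added example (not from the thread or any of its posters), a Python check that parses a registry export in the .reg layout quoted above and flags any Tcpip\Parameters\Interfaces key whose NameServer points at one of the resolvers listed in the post, or that carries the "r0x" marker value. The sample export is constructed; the rogue IP addresses are the ones from the post.

```python
import re

# Rogue resolvers named in the post above (indicators taken from the page).
ROGUE_DNS = {"216.127.92.38", "69.51.146.14", "69.57.146.14"}
INTERFACES = "\\Services\\Tcpip\\Parameters\\Interfaces\\"

# Constructed sample export in the .reg layout the post shows: two hijacked
# interfaces (as in the post) and one that still points at a LAN resolver.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}]
"NameServer"="192.168.1.1,192.168.1.2"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=value


def parse_reg(text):
    """Parse .reg-style text into {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1), {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            current[val.group(1)] = val.group(2)
    return keys


def find_hijacked_interfaces(text, rogue=ROGUE_DNS):
    """Interface names whose NameServer lists a rogue resolver or that carry the 'r0x' marker."""
    hits = []
    for path, values in parse_reg(text).items():
        if INTERFACES not in path:
            continue
        # REG_SZ values are quoted; NameServer may hold several comma/space-separated IPs.
        servers = re.split(r"[ ,]+", values.get("NameServer", "").strip('"'))
        if "r0x" in values or any(s in rogue for s in servers):
            hits.append(path.rsplit("\\", 1)[1])
    return hits
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces` output from a suspect host; an empty list means no interface points at the listed resolvers.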


borv
Onemhz On Aim

join:2000-10-06
Astoria, NY
Yes - I just received an alert on this from one of the vendors my employer works with. Interesting... Let's see if it spreads.

Enyo0

join:2002-11-06
UK
reply to BeesTea
»www.ntfs.org/forum/showthread.ph···id=39203

»www.security-forums.com/forum/vi···?p=58506

Took me by surprise. I guess that's what you get when you sleep half the day away.


Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
St. Andrews
reply to BeesTea
said by BeesTea:
Something to watch for
Makes me dizzy
--
"Well, butter my butt and call me a biscuit."


catseyenu
Ack Pfft
Premium
join:2001-11-17
Fix East
reply to BeesTea
Delude, an HTA exploit.

»www.europe.f-secure.com/v-descs/delude.shtml

»ntbugtraq.ntadvice.com/default.a···=&P=1048
--
"Parched, dry and thirsty...Knee deep in the river of life."


borv
Onemhz On Aim

join:2000-10-06
Astoria, NY
reply to BeesTea
HTA sploit - which reminds me:
MS03-032 didn't quite "work" fully; M$ was supposed to re-release it so that it covered more vulnerabilities. Does the current MS03-032 cover HTA vulnerabilities?


catseyenu
Ack Pfft
Premium
join:2001-11-17
Fix East
said by borv:
HTA sploit - which reminds me:
MS03-032 didn't quite "work" fully; M$ was supposed to re-release it so that it covered more vulnerabilities. Does the current MS03-032 cover HTA vulnerabilities?
Not enough to prevent this.
»vil.nai.com/vil/content/v_100719.htm
--
"Parched, dry and thirsty...Knee deep in the river of life."


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to BeesTea
A few weeks ago, there was an article over at Spyware Info linking to a security site (www.secunia.com) that tested for this exploit. The article said that the hole was being actively exploited by some spyware and hijackers. The test is at this page: »www.secunia.com/MS03-032/

Secunia recommended turning off ActiveX or using a browser that was unaffected by the exploit, such as Mozilla. I think I've found a workable solution where I don't have to stop using IE or turn off ActiveX, and that is to permanently block Internet access to or from MSHTA.exe using Zone Alarm. Is this going to be sufficient, or should I download and install HTAStop as an additional security measure?
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.


catseyenu
Ack Pfft
Premium
join:2001-11-17
Fix East
This is exactly what Kevin and Nancy have developed HTAstop for.
Easy off/on if you need it. More:
»www.nsclean.com/htastop.html
--
"Parched, dry and thirsty...Knee deep in the river of life."

powercomp0

join:2003-10-02
Hamilton, ON


reply to BeesTea
The best and most secure way to prevent this is to change the ACLs on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to: Everyone – read;
Administrator – read, modify.

And stop logging in as administrator.

I know people like to blame Microsoft for all the holes in its operating system, but as a security expert who is MCSE, CNA, CUSA, LPI, CCNA, and CISSP certified, I have done a lot of work with all operating systems, from small networks to large enterprise 1000+ machine infrastructures, and I'm telling you all this now. Do not believe people when they try to tell you that UNIX and Linux are more secure, because they're not. Microsoft has 93% of the market and Apple has 3%; the last 4% belongs to Linux and UNIX. Now, Microsoft by default has configured the OS to be in a domain and to get all its GPOs and configs from the domain controllers. If you are in a domain that's set up right and you're not running as enterprise administrator, you will never have a problem.

Let's talk about UNIX and Linux for a moment: they both force you not to run as ROOT. And if you know UNIX, you know what a pain it is to run under a user, but nothing can be modified; that's why they say UNIX is more secure. But wait, it's the same with Microsoft. Everyone try this: log in as a user and start changing this and installing some apps... it's not going to happen. So if you can't install apps, then how are worms and viruses going to run? They can't.

But I know what you're all saying: WHAT ABOUT THE RPC VULNERABILITY? Because that was just sloppy coding, but you all have to realize that the code was carried on from NT 4.0, which was written back in 1996 I think, and back then security wasn't their big focus. And another thing: if Microsoft made their OS perfect, the industry would fall, and fall fast.


BeesTea
Internet Janitor
Premium,VIP
join:2003-03-08
00000
No one mentioned anything about any other OS. Go sell your religion somewhere else. This was a technical thread.

-BeesT
--
2b2b2b415448300d


The point

@cgocable.net
Was his point (powercomp) that an XP user running under a "limited" account would not be vulnerable?

If this was his point, can anyone confirm this?


PeeWee
Premium
join:2001-10-21
Madera, CA
reply to BeesTea
said by BeesTea:
No one mentioned anything about any other OS. Go sell your religion somewhere else. This was a technical thread.

-BeesT

His point was well made and his additional comment on Unix was on the point also. No one else made the comment that Unix was better only as a matter of opportunity. Someone would have eventually, as always. He might not see it later and the remark would be left uncontested.
You see, I feel that the claims made by Unix users are as offensive as you may find his.
--
Nemo me impune lacessit. [No one provokes me with impunity] -- Motto of the Crown of Scotland


PeeWee
Premium
join:2001-10-21
Madera, CA
reply to catseyenu
said by catseyenu:
This is exactly what Kevin and Nancy have developed HTAstop for.
Easy off/on if you need it. More:
»www.nsclean.com/htastop.html

I've looked at the site, it says it's for everything else, but does not mention XP Pro. Will it work on XP?
--
Nemo me impune lacessit. [No one provokes me with impunity] -- Motto of the Crown of Scotland


BeesTea
Internet Janitor
Premium,VIP
join:2003-03-08
00000

reply to PeeWee
said by PeeWee:

You see, I feel that the claims made by Unix users as offensive as you may find his.

They weren't offensive, just completely off-topic and irrelevant. To argue that it is on-topic is silly. Should every thread become a commercial just because someone *may* say something? That's ridiculous at best.

-BeesT
--
2b2b2b415448300d

[text was edited by author 2003-10-02 14:36:48]


PeeWee
Premium
join:2001-10-21
Madera, CA
reply to BeesTea
I don't want to crap this thread. What he gave was good information that almost no Windows user would complain about. Linux and Unix users make similar claims so often that it would be automatic to wonder if this was a solution. The same kind of comment was, and is being, made about other supposed solutions. Incontrovertible, related facts are not off topic. If you're talking about a Windows problem, then how can the point about a different OS not being the solution be off topic?
I will not discuss this further here; you can IM me.
--
Nemo me impune lacessit. [No one provokes me with impunity] -- Motto of the Crown of Scotland


catseyenu
Ack Pfft
Premium
join:2001-11-17
Fix East
reply to PeeWee
Okay, I've some backpedaling to do.
Heard back from the developer of HTAstop.
HTAstop does not stop this one, though it does stop others.
quote:
"... not THAT particular one since it's not HTA that's behind *THAT* one. However, there's literally hundreds of HTA exploits being played and it does help there. For THIS one though, the ONLY solution is for Microsoft to fix their bugs. So far, they won't."
»www.techworld.com/news/index.cfm···wsid=503
Sorry about that.


BeesTea
Internet Janitor
Premium,VIP
join:2003-03-08
00000
reply to BeesTea
Official Advisory

»www.microsoft.com/technet/securi···-040.asp
--
2b2b2b415448300d