DNS abnormalities

Published: 2003-10-01
Last Updated: 2003-10-02 13:10:38 UTC
by Handlers (Version: 1)

**** UPDATE ****
The odd DNS issues are likely caused by the QHosts-1 Trojan. For details see:

http://us.mcafee.com/virusInfo/default.asp?id=description&;virus_k=100719

http://vil.nai.com/vil/content/v_100719.htm
********
As initially posted to the SANS intrusions list, some sites have observed an increase
in abnormal DNS queries. For the original post, see
http://cert.uni-stuttgart.de/archive/intrusions/2003/10/msg00003.html

A likely related issue has been reported to NT Bugtraq:
http://www.ntbugtraq.com/default.asp?pid=36sid=12A2=ind0310&L=ntbugtraq&D=0&F=P&P=1048

Here, a user reported that "Various Windows 2000 professional workstations are changing the DNS servers they are configured to use". The new DNS servers, 216.127.92.38 and 69.57.146.14, are hosted by 'Everyone's Internet Inc.' (ev1.com).

This user also reported suspicious changes to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

For more details, see this NT Bugtraq post:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&D=0&F=P&P=1879
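As an added example (not code from the diary or from the NT Bugtraq poster), the following Python parses a .reg export of the Tcpip interface keys and flags the indicators quoted above: NameServer values pointing at the two rogue resolvers and the "r0x" marker value. The sample dump is constructed from the keys shown in the post; the third interface GUID and the 10.0.0.x resolvers are assumptions.

```python
import re

# Indicators quoted in the diary: the rogue resolvers and the marker value.
ROGUE_DNS = {"69.57.146.14", "216.127.92.38"}
MARKER_VALUE = ("r0x", "your s0x")

# Constructed .reg export modelled on the post; the last interface is an
# assumed clean one so the checker has something legitimate to pass over.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}]
"NameServer"="10.0.0.1 10.0.0.2"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')  # string (REG_SZ) values only


def parse_reg(text):
    """Yield (key_path, value_name, value_data) for string values in a .reg export."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            yield current, m.group(1), m.group(2)


def find_indicators(text, approved_resolvers=frozenset()):
    """Return (key, reason) findings: rogue or unapproved NameServer entries and the marker."""
    findings = []
    for key, name, data in parse_reg(text):
        if name == "NameServer" and "\\Tcpip\\Parameters\\Interfaces\\" in key:
            # NameServer may hold several resolvers separated by spaces or commas
            for server in filter(None, re.split(r"[ ,]+", data)):
                if server in ROGUE_DNS:
                    findings.append((key, f"NameServer points at known rogue resolver {server}"))
                elif approved_resolvers and server not in approved_resolvers:
                    findings.append((key, f"NameServer {server} is not an approved resolver"))
        if (name, data) == MARKER_VALUE:
            findings.append((key, 'marker value "r0x"="your s0x" present'))
    return findings


if __name__ == "__main__":
    for key, reason in find_indicators(SAMPLE_REG, approved_resolvers={"10.0.0.1"}):
        print(f"{reason}\n    in {key}")
```

Export the interface keys with reg.exe (`reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces out.reg`) and feed the file contents to find_indicators with your site's resolver allowlist.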
------

If you would like to share any related logs, please send them to isc_AT_sans.org