Wednesday, April 8, 2009

DNS poisoning - visually

Notice anything wrong with this picture?

The real question is, would one of the hundreds of millions of internet users notice anything wrong with this picture, or would they just think that an online pharmacy was hawking their crap (I mean advertising) on

Let's take a packet-level look at this, shall we? is my host that's infected with Tidserv.G.

I opened Internet Explorer here.
22:26:00.658521 IP > 59534+ A? (35)
22:26:00.692644 IP > 59534 1/0/0 A (51)

Look at the supposed A record. Who is that? *Hint* it's not msn.

inetnum: -
netname: EE-ESTPAK
descr: backbone and servers
descr: Sole 14
descr: Tallinn
descr: Estpak Data/Estonian Telephone Co
country: EE
admin-c: ET332-RIPE
tech-c: ET332-RIPE
mnt-by: ESTPAK-MNT
source: RIPE # Filtered

Maybe that's why this happened to a previously working IE instance when I tried to do a 'live' search?

What about other domains?

22:28:39.238470 IP > 15535+ A? (42)
22:28:40.225710 IP > 15535+ A? (42)
22:28:40.249730 IP > 15535* 1/0/0 A (58)
22:28:40.297489 IP > 47016+ A? (36)
22:28:40.321746 IP > 47016 1/0/0 A (52)
22:28:41.477518 IP > 8873+ A? (31)
22:28:41.502943 IP > 8873 1/0/0 A (47)
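The captures above show the tell-tale shape of a poisoned resolver: answers for unrelated names all point into the same foreign netblock. As an added example (not from the post), here is a small Python checker that pairs tcpdump query and answer lines on their transaction ID, then flags A records that fall outside the netblocks you expect for a name or that several unrelated names share. The capture, addresses and expected netblocks are constructed (RFC 5737 ranges), not the post's real hosts.

```python
"""Flag poisoned DNS answers in tcpdump output by pairing queries with
responses on transaction ID and checking where the A records point."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample capture (RFC 5737 addresses, not the post's real hosts).
SAMPLE_TCPDUMP = """\
22:26:00.658521 IP 192.0.2.10.49152 > 192.0.2.1.53: 59534+ A? www.msn.com. (35)
22:26:00.692644 IP 192.0.2.1.53 > 192.0.2.10.49152: 59534 1/0/0 A 198.51.100.7 (51)
22:28:40.297489 IP 192.0.2.10.49153 > 192.0.2.1.53: 47016+ A? www.google.com. (36)
22:28:40.321746 IP 192.0.2.1.53 > 192.0.2.10.49153: 47016 1/0/0 A 198.51.100.7 (52)
22:28:41.477518 IP 192.0.2.10.49154 > 192.0.2.1.53: 8873+ A? www.example.net. (31)
22:28:41.502943 IP 192.0.2.1.53 > 192.0.2.10.49154: 8873 1/0/0 A 203.0.113.5 (47)
"""

# tcpdump prints the qname only on the query line, so the ID is the join key.
QUERY = re.compile(r"^\S+ IP \S+ > \S+: (\d+)\+ A\? (\S+)\. \(\d+\)$")
ANSWER = re.compile(r"^\S+ IP \S+ > \S+: (\d+)\*? \d+/\d+/\d+ A (\S+) \(\d+\)$")

def pair_answers(capture):
    """Return {qname: answer_ip} by matching response IDs to query IDs."""
    pending, resolved = {}, {}
    for line in capture.splitlines():
        q, a = QUERY.match(line), ANSWER.match(line)
        if q:
            pending[q.group(1)] = q.group(2)      # retries just overwrite
        elif a and a.group(1) in pending:
            resolved[pending.pop(a.group(1))] = a.group(2)
    return resolved

def find_poisoned(resolved, expected_nets, min_shared=2):
    """Flag names whose A record is outside the netblocks expected for them,
    and any single IP that several unrelated names resolve to."""
    flagged = {}
    for name, ip in resolved.items():
        nets = expected_nets.get(name)
        if nets and not any(ip_address(ip) in ip_network(n) for n in nets):
            flagged[name] = f"{ip} not in expected {nets}"
    by_ip = defaultdict(list)
    for name, ip in resolved.items():
        by_ip[ip].append(name)
    for ip, names in by_ip.items():
        if len(names) >= min_shared:
            for name in names:
                flagged.setdefault(name, f"{ip} shared by {sorted(names)}")
    return flagged

if __name__ == "__main__":
    # Constructed expectations: netblocks these names legitimately use.
    expected = {"www.msn.com": ["203.0.113.0/24"], "www.example.net": ["203.0.113.0/24"]}
    for name, why in find_poisoned(pair_answers(SAMPLE_TCPDUMP), expected).items():
        print(f"POISONED? {name}: {why}")
```

Feed it `tcpdump -n -l port 53` output from the suspect host and compare the flagged answers against a whois lookup, as the post does above.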

Here's a first-hand look at what happens when DNS is poisoned. No mic on my workstation, so you'll just have to watch.


Jaikar said...

I too got affected by this trojan! How did you find all that? That's amazing!

Did you find any solution for how to remove and fix this?