Wednesday, April 8, 2009

DNS poisoning - visually

Notice anything wrong with this picture?



The real question is, would one of the hundreds of millions of internet users notice anything wrong with this picture, or would they just think that an online pharmacy was hawking their crap (I mean advertising) on amazon.com?



Let's take a packet-level look at this, shall we?
192.168.30.128 is my host that's infected with Tidserv.G.

I opened Internet Explorer here.
22:26:00.658521 IP 192.168.30.128.1025 > 85.255.112.229.53: 59534+ A? ie.search.msn.com. (35)
22:26:00.692644 IP 85.255.112.229.53 > 192.168.30.128.1025: 59534 1/0/0 A 194.126.101.166 (51)

Look at the supposed A record. Who is that? *Hint* it's not MSN. Notice, too, where the query itself went: the infected host is asking 85.255.112.229 instead of its normal resolver, so the bogus answer is coming straight from a rogue DNS server, not from a poisoned cache.

inetnum: 194.126.101.0 - 194.126.101.255
netname: EE-ESTPAK
descr: backbone and servers
descr: Sole 14
descr: Tallinn
descr: Estpak Data/Estonian Telephone Co
country: EE
admin-c: ET332-RIPE
tech-c: ET332-RIPE
rev-srv: dns.estpak.ee
rev-srv: dns2.estpak.ee
status: ASSIGNED PA
mnt-by: ESTPAK-MNT
source: RIPE # Filtered

Maybe that's why this happened to a previously working IE instance when I tried to do a 'live' search?




What about other domains?

22:28:39.238470 IP 192.168.30.128.1038 > 85.255.112.229.53: 15535+ A? www.googleadservices.com. (42)
22:28:40.225710 IP 192.168.30.128.1038 > 85.255.112.140.53: 15535+ A? www.googleadservices.com. (42)
22:28:40.249730 IP 85.255.112.140.53 > 192.168.30.128.1038: 15535* 1/0/0 A 67.210.14.103 (58)
22:28:40.297489 IP 192.168.30.128.1038 > 85.255.112.140.53: 47016+ A? js.doubleclick.net. (36)
22:28:40.321746 IP 85.255.112.140.53 > 192.168.30.128.1038: 47016 1/0/0 A 67.210.14.81 (52)
22:28:41.477518 IP 192.168.30.128.1038 > 85.255.112.140.53: 8873+ A? info-feed.com. (31)
22:28:41.502943 IP 85.255.112.140.53 > 192.168.30.128.1038: 8873 1/0/0 A 67.210.14.81 (47)
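Both traces above carry the same two tells: queries leaving the host for a resolver nobody on the LAN configured, and one answer IP (67.210.14.81) being handed back for unrelated names. The following is an added example, not code from the original post, that pulls both tells out of tcpdump's one-line DNS rendering. It uses the post's own trace lines as sample input (with tcpdump's wrapped "(42" / ")" rejoined). The approved resolver address 192.168.30.2 is an assumption, since the post never says what the host's legitimate DNS server was.

```python
"""Flag two tells of a hijacked resolver in tcpdump DNS output.

Added example, not code from the original post. Reads tcpdump's one-line
DNS rendering and reports (1) queries sent to a resolver that is not on
the network's approved list and (2) answer IPs returned for two or more
unrelated names, which is what a redirect server looks like in a trace.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption for this example: the post never states the host's legitimate
# resolver, so the LAN router address is used as the approved set.
APPROVED_RESOLVERS = frozenset({ipaddress.ip_address("192.168.30.2")})

# Sample input copied from the post's trace. 85.255.112.229 never answers the
# googleadservices.com query, so the host retries against 85.255.112.140.
SAMPLE_TRACE = """\
22:26:00.658521 IP 192.168.30.128.1025 > 85.255.112.229.53: 59534+ A? ie.search.msn.com. (35)
22:26:00.692644 IP 85.255.112.229.53 > 192.168.30.128.1025: 59534 1/0/0 A 194.126.101.166 (51)
22:28:39.238470 IP 192.168.30.128.1038 > 85.255.112.229.53: 15535+ A? www.googleadservices.com. (42)
22:28:40.225710 IP 192.168.30.128.1038 > 85.255.112.140.53: 15535+ A? www.googleadservices.com. (42)
22:28:40.249730 IP 85.255.112.140.53 > 192.168.30.128.1038: 15535* 1/0/0 A 67.210.14.103 (58)
22:28:40.297489 IP 192.168.30.128.1038 > 85.255.112.140.53: 47016+ A? js.doubleclick.net. (36)
22:28:40.321746 IP 85.255.112.140.53 > 192.168.30.128.1038: 47016 1/0/0 A 67.210.14.81 (52)
22:28:41.477518 IP 192.168.30.128.1038 > 85.255.112.140.53: 8873+ A? info-feed.com. (31)
22:28:41.502943 IP 85.255.112.140.53 > 192.168.30.128.1038: 8873 1/0/0 A 67.210.14.81 (47)
"""

# tcpdump query line:  <ts> IP <src>.<sport> > <dst>.53: <id>+ A? <name>. (<len>)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<id>\d+)\+ A\? (?P<name>\S+)\. \(\d+\)$"
)
# tcpdump answer line: <ts> IP <src>.53 > <dst>.<dport>: <id>[*] a/n/ad A <addr> (<len>)
# The optional '*' is tcpdump's authoritative-answer flag.
ANSWER_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.53 > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)\*? \d+/\d+/\d+ A (?P<addr>[\d.]+) \(\d+\)$"
)


def parse_dns_lines(text):
    """Split a tcpdump text dump into A-record queries and answers."""
    queries, answers = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := QUERY_RE.match(line):
            queries.append(m.groupdict())
        elif m := ANSWER_RE.match(line):
            answers.append(m.groupdict())
    return queries, answers


def rogue_resolvers(queries, approved=APPROVED_RESOLVERS):
    """Resolver IPs that clients actually queried but that are not approved.

    This is the strong tell: a stub resolver only talks to what it was
    configured with, so an unknown destination on port 53 means the host's
    DNS settings were changed."""
    seen = {q["dst"] for q in queries
            if ipaddress.ip_address(q["dst"]) not in approved}
    return sorted(seen)


def shared_answers(queries, answers):
    """Answer IPs handed back for two or more distinct names.

    Queries and answers are matched on (transaction id, client IP, client
    port). A retried query keeps its id, so both copies map to one name."""
    name_by_key = {(q["id"], q["src"], q["sport"]): q["name"] for q in queries}
    names_for_ip = defaultdict(set)
    for a in answers:
        name = name_by_key.get((a["id"], a["dst"], a["dport"]))
        if name:
            names_for_ip[a["addr"]].add(name)
    return {ip: sorted(names) for ip, names in names_for_ip.items()
            if len(names) > 1}


def analyze(text, approved=APPROVED_RESOLVERS):
    """Run both checks over a tcpdump text dump and return the findings."""
    queries, answers = parse_dns_lines(text)
    return {
        "rogue_resolvers": rogue_resolvers(queries, approved),
        "shared_answers": shared_answers(queries, answers),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The first check is the one to alert on: a host that sends port-53 traffic to an address outside the approved resolver set has had its DNS settings changed, whatever the answers look like. The second check is corroboration rather than proof on its own, because legitimate CDNs also return one address for many names; here it lines up with the first, since the shared address only appears in answers from the rogue server.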


Here's a first-hand look at what happens when DNS is poisoned. No mic on my workstation, so you'll just have to watch.


1 comment:

Jaikar said...

I too got affected by this trojan! How did you find all that? That's amazing!

Did you find any solution for how to remove and fix this?