BleepingComputer.com: Virus: The page does not support your version of browser

Hello, I found your forum when searching about this virus and I found that topic: http://www.bleepingcomputer.com/forums/topic400108.html

Well, I'm from Brazil, I work in a big organization and I manage a network with a lot computers.

All the computers are registered in an Active Directory's domain and they are configured to use serv01 (10.1.48.1) and babilonia01 (10.1.48.2) as domain controller and for DNS lookups.

My network has 2 internet servers called 10.1.48.13, 10.1.48.11 (10.1.48.5 is the same as 10.1.48.11, 2 IPs on the same interface). Both them has a proxy server non-restrictive and can also be used has gateway server.

My netmask is 255.255.252.0 and broadcast 10.1.51.255

The virus is causing random computers to show a phishing pages instead of the requested ones.

For example, http://intranet is a bind to http://babilonia01 which is the same as http://10.1.48.2

When some users try to access http://intranet the get the following screen:
http://imageshack.us/photo/my-images/88/intranet.png/

This is not linked to the browser because the same thing happens when I try with firefox (fresh install)
http://imageshack.us/photo/my-images/51/intranet6.png/

And this is not linked to the operating system because there are others threads over the internet affecting Mac OS:
http://forums.macrumors.com/showthread.php?t=1161636

Quote

If I click Browser update it will download a virus (of course)
http://imageshack.us/photo/my-images/220/intranet4.png/
https://www.virustotal.com/file-scan/report.html?id=2a44dbea69d83111bdc05bc1d96e815f5a0670f392050898e542bd1a9dcb82a5-1307348486

I was trying to understand why the virus would be trying to catch my users if he is already infected. The answer is that the computer is NOT INFECTED.

After some time studding it, I found that there are some infected computers in my network acting as DHCP server, so when I a machine search a server it may find the infected PC or my real server (10.1.48.2). The infected PC will not create an IP, it asks my real server (or another PC, i don't know) what he should answer and then gives an answer but replacing the DNS servers to 188.229.88.8.
http://imageshack.us/photo/my-images/600/cap12n.png/ (this PC was working normally, it's using my real server)
http://imageshack.us/photo/my-images/89/cap14.png/ (ipconfig /relase then /renew on the same PC and an infected PC answered the request. 10.1.48.232 and it got affected)

The IP 188.229.88.8 is not part of my network, so I assume it's in the internet.

It resolves with success any domain to the address 188.229.88.8
http://imageshack.us/photo/my-images/850/cap6.png/ (in this example the DNS resolves a.b.c.d to 188.229.88.8)
http://imageshack.us/photo/my-images/268/cap9.png/

It the phishing page is not displayed with other IPs, only with 188.229.88.8
http://imageshack.us/photo/my-images/8/cap10h.png/

The http://188.229.88.8 does not display the phishing page if an infected PC did not give you an IP, so I think the 188.229.88.8 and infected PCs have a connection.

188.229.88.8 says it's running PHP 5.2 in Apache through headers.
http://imageshack.us/photo/my-images/840/cap11.png/


A way to discover infected PCs is to keep releasing and renewing IP address to grab others DHCP servers.

In the thread I found this site says that some people could remove the virus from infected PCs using that tool:
http://support.kaspersky.com/viruses/solutions?qid=208280684

The tool detects the virus by it's DHCP server and delete it.

I could not try yet, but I'll try tomorrow.

I also could not test the infected PCs yet, and I'll also do it tomorrow.

I'm sharing all this with you to help you to solve related issues and to expand informations about it on the internet, helping people who works on antivirus companies.



If you already know a way to remove it, or to block it, please share.

Tomorrow I'll try to block that IP with iptables, but I'm not sure if that will work since it may be dynamic.

===============================
edit: fixed the ip address, the correct is: 188.229.88.8
after some searchs i found that 188.229.88.7 does the same.

I can access http://188.229.88.8 and http://188.229.88.7 in my house, so it is an internet address, and it displays the phishing page to everyone (maybe I typed the wrong ip earlier)

This post has been edited by jose.rob.jr: 06 June 2011 - 07:27 PM

I've finally resolved this issue here.

The infected PC was a notebook plugged in my network without authorization.

To find it, I used 3Com Network Supervisor and a small software that I did to find strange DHCP servers.

The software basically keeps executing the following commands:

ipconfig /release
ipconfig /renew
ipconfig /all

Then it gets the who gives the DHCP Server and adds to a list.

I've uploaded to share, but it only works with Windows in Portuguese Language.
http://www.fileserve.com/file/CDKqyQq

If you want adapt to your language, I've uploaded the source code:
http://www.fileserve.com/file/uZ23Xjz

Note that when running this software you will loose your network connection to catch the infected PCs

The left list has DHCP servers and the right list displays what the software is doing.

If you want free an affected PC from an infected PC (a PC which displays the red page but is not infected yet), reboot the computer or try ipconfig /release and ipconfig /renew

Use ipconfig /all to view the DHCP Server and see if you are being a affected.

The infected PC gives a lease time of one hour

Good Luck

This post has been edited by jose.rob.jr: 09 June 2011 - 09:59 AM

Moderator, please, could you edit the topic subtitle to "[Resolved] Virus: The page does not support your version of browser" ?

Thanks

This post has been edited by jose.rob.jr: 09 June 2011 - 09:56 AM

I have a user in my company who has the same issue, originally I scanned his pc with malwarebytes and it came back clean, so I advised him that he likely had not been infected since he did not actually click the button on the page. But the next day he started getting this page again so I was stumped.

Reading this article gave me some insight, I will try to release/renew as you mentioned and see where that puts us. I have also read that resetting the router to the factory settings is a good solution as well.

You can scan for rogue DHCP servers using Microsoft's Rogue DHCP Server detection tool.

When I was having the issue I added that 3 IPs as additional IP on a linux server, so it was conflicting with the bad dns servers and was preventing the red page to be displayed. Of course you can block the ips on a router, but when you are not allowed do it and you can't change nothing on the gateway, the conflicts helps

ifconfig eth0:1 188.229.88.7 netmask 255.255.255.255 up
ifconfig eth0:2 188.229.88.8 netmask 255.255.255.255 up
ifconfig eth0:3 188.229.88.9 netmask 255.255.255.255 up

This doesn't works on windows servers because it doesn't allow you to set the 255.255.255.255 netmask manually.

This post has been edited by jose.rob.jr: 12 June 2011 - 07:04 PM

How do you clean the infected machine? I have tried with Kaspersky Anti-Virus 2012, Reanimator and Tdsskiller, but not of them found the virus/melware. Also I am working in a hotel where the new guests may come in with the virus/melware and affecting other guest. How to prevent the problem in the future, except from manually trying to find the infected machine? Thank you guys very much in advance for the help.

My computer was locked out with this virus for two days, I couldn't get an answer from my ISP because I work for them. It locked out two of the computers in my house, finally found this page and a link to TDSS Killer. I transferred it to the infected computers via ethernet cable and ran it. Found three viruses and after rebooting I finally had access to the internet on my PC. Excellent tool.

plz help me
even my pc having same problem first its started from google redirection and page comes with your browser needs to be upagrade i clicked on that then i found soultion that is tdsskiller and it found rootkit then i deleted that but my dns server address was not changing and it was 188.229.88.8 so i formated windows 7 and reinstalled it but no use still that dns address is 188.229.88.8 what to do ?
i m in lan network and more than 100 pc are in lan i cant go everyones house and see who is infected!
even i did complaint at my internet provider office but no use they also said we cant check everyones pc so plz tell me what to do i cant configure what u told abt that java source code and all i m noob plz tell me what to do?
problem is only that dnsserver address is 188.229.88.8 and i cant remove it or replace it