Unidentified Malware Detected By DNS Resolver Behaviour.


#1 cid66
Posted 09 July 2008 - 11:57 AM

Unidentified Malware detected by DNS resolver behaviour.

I have three PCs and when executing the flushdns + displaydns commands on a clean PC I got the following output:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
H:\>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

H:\>ipconfig /displaydns

Windows IP Configuration

1.0.0.127.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 506625
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost


localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
Time To Live . . . . : 506625
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1

H:\>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

When executing the same commands on an infected PC I got output like the following:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
C:\Documents and Settings\Tracy>ipconfig/flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Tracy>ipconfig/displaydns

Windows IP Configuration

virgiio.it
----------------------------------------
Record Name . . . . . : virgiio.it
Record Type . . . . . : 1
Time To Live . . . . : 603198
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


www.virdgilio.it
----------------------------------------
Record Name . . . . . : www.virdgilio.it
Record Type . . . . . : 1
Time To Live . . . . : 603198
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


www.tuttograatis.it
----------------------------------------
Record Name . . . . . : www.tuttograatis.it
Record Type . . . . . : 1
Time To Live . . . . : 603198
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


liberok.it
----------------------------------------
Record Name . . . . . : liberok.it
Record Type . . . . . : 1
Time To Live . . . . : 603198
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


internet-optimizer.com
----------------------------------------
Record Name . . . . . : internet-optimizer.com
Record Type . . . . . : 1
Time To Live . . . . : 603198
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


spermatrix.com
----------------------------------------
Record Name . . . . . : spermatrix.com
Record Type . . . . . : 1
Time To Live . . . . : 603198
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


Etc…

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I know I see that output because the hosts file contains those entries pointing to the local address (127.0.0.1), and I know that means the PCs are infected by some malware that cannot be identified, as none of the antivirus products I run (NAV, PANDA, KASPERSKY, etc.) or rootkit detectors (GMER, SOPHOS, etc.) seem to detect anything wrong with the PCs, and even reinstalling Windows XP without reformatting the hard disk did not fix the problem.

I know that is not normal behaviour.

Of the 8000+ entries that I have in the hosts file pointing to 127.0.0.1, only a few of them appear in the displaydns output. Usually very similar ones, which are known malware sites.

This is caused by some kind of malware trying to connect to those sites.

Although I have not identified the exact Trojan, this is most likely what is happening:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Troj/Torpig-BF monitors network activity for submissions to one of several banking sites, in order to steal account details. The Trojan also searches local disks for passwords to email accounts and similar. Any details obtained in this manner are submitted to a remote attacker using HTTP POST.

The Trojan runs a proxy server on a randomly-chosen TCP port between 1000 and 10000, allowing a remote attacker to route TCP or HTTP traffic through the infected computer.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

By the way, I first noticed this because some days ago I found that my PC was blocked, as a result of having enabled the setting that makes my PC block any user access for a long time after 3 login failures. And then when I proceeded to shut it down it advised me to confirm the shutdown since there was a remote connection running. So I know something/somebody was trying to connect to it. Whether they succeeded or not I cannot tell. But I can confirm that it has been attacked.

I think it is a very stealthy piece of malware and that the next logical step is to reformat the disk and reinstall XP. However, there is one notebook whose CD drive is kaput and I don’t see how to perform the reformat/reinstallation on that system, so I need help to try to identify this nasty bug and fix it if possible.

All my PCs are now powered off and isolated from the internet, and I prefer to keep them that way as much as possible, until I have fixed them and verified that they are clean.

I have seen those DNS entries reported on other forums but I don’t seem to find any indication of the malware that is causing them. Any idea which one it could be?

Thanks.

Edited by Orange Blossom, 09 July 2008 - 04:52 PM.
Move to more appropriate forum. ~ OB
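The check the post performs by eye, written up as an added example (not the poster's own code): a Python parser for `ipconfig /displaydns` output that flags cached A records answered with 127.0.0.1 for any name other than localhost, which on a machine whose hosts file sinkholes known-bad domains reveals which of those names some process has tried to resolve since the last flush. The sample text is constructed from the output quoted above; on a Windows host the same function would be fed the stdout of `ipconfig /displaydns`.

```python
import re

# Constructed sample modelled on the ipconfig /displaydns output quoted in the post.
SAMPLE = """\
Windows IP Configuration

localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
Time To Live . . . . : 506625
A (Host) Record . . . : 127.0.0.1

www.virdgilio.it
----------------------------------------
Record Name . . . . . : www.virdgilio.it
Record Type . . . . . : 1
Time To Live . . . . : 603198
A (Host) Record . . . : 127.0.0.1
"""

# Each field line reads "<label> . . . : <value>"; capture label and value.
FIELD = re.compile(r"^(.+?)(?:\s*\.)+\s*:\s*(.*)$")
# Names that legitimately resolve to 127.0.0.1 and must not be flagged.
BENIGN = {"localhost"}

def parse_displaydns(text: str) -> list[dict[str, str]]:
    """Return one {label: value} dict per cached record in displaydns output."""
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # headers, dashed rules and blank lines carry no fields
        label, value = m.group(1).strip(), m.group(2).strip()
        if label == "Record Name":
            records.append({})  # a new record starts at its Record Name line
        if records:
            records[-1][label] = value
    return records

def suspicious_loopback_lookups(text: str) -> list[str]:
    """A records answered with 127.0.0.1 for names other than the loopback host."""
    hits = []
    for rec in parse_displaydns(text):
        name = rec.get("Record Name", "").rstrip(".").lower()
        if (rec.get("Record Type") == "1"
                and rec.get("A (Host) Record") == "127.0.0.1"
                and name not in BENIGN):
            hits.append(name)
    return hits
```

Each flagged name is a hosts-file sinkhole that something on the box asked for; correlating the resolver cache with per-process network activity is the next step in pinning down which process did so.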

