
DNS Server Hijacking


14 replies to this topic

#1 Stanley_Krute


Posted 07 June 2015 - 03:24 AM

Just solved a v. stubborn malware infestation case. Some might find it of interest.
 

The situation: when the user went to websites selling stuff, such as SportsAuthority.com, popup ads appeared relentlessly, with links to similar items at other websites.
 

The computer had been scoured with my usual array of best-of-breed malware cleanup tools. The browsers had been cleansed of extensions and add-ons. The registry and temp file locations had been bleached clean. And that process was repeated many times.
 

And yet the popups wouldn't go away. Hmmmm ......
 

Happily, the malware author[s] proudly put a little note at the bottom of some of the popups: "provided by offers4u". Ego, the living planet, oh how you are my unwitting ally in these battles !!
 

Okay. Google that sucker: "offers4u malware removal". Lots of pages showed up, purporting to show how to easily remove the threat. But they all just repeated the steps I'd already taken.
 

Except for one. It mentioned setting the computer's network adapter DNS settings back to a known safe spot, the Google public DNS servers at 8.8.8.8 and 8.8.4.4.
 

I examined the network connection for the computer. Aha !! The DNS settings had indeed been changed, to 81.218.119.15 and 199.203.35.75. I set them back to those safe and speedy Google DNS settings, and the popups disappeared.
 

Fascinating, as Spock might opine. I'd not encountered this attack strategy previously. And neither had the authors of my array of best-of-breed cleanup tools, by demonstration, as they'd failed to find and fix it.
 

Coda: I went and googled those malicious DNS settings. And it turned out that indeed they are used to inject all sorts of nastiness into browsers. One more item to add to my standard cleanup protocol.
 

https://www.google.com/search?q=81.218.119.15+malware
https://www.google.com/search?q=199.203.35.75+malware

Happy to share this. The things one sees and learns fighting the good fight !!


Edited by Stanley_Krute, 07 June 2015 - 05:26 AM.
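The check the poster describes above (look at each network adapter's DNS servers, recognise ones that should not be there, set them back to known resolvers) can be made repeatable so it becomes part of a standard cleanup rather than a lucky find. The script below is an added example, not code from the thread or from any tool named in it. It assumes the DnsClient module that ships with Windows 8 / Server 2012 and later (Get-DnsClientServerAddress, Set-DnsClientServerAddress, Clear-DnsClientCache), treats 8.8.8.8 and 8.8.4.4 as the allowlist and the two addresses the poster found on the infected machine as known-bad, and changes nothing unless run with -Fix.

```powershell
# Added example (not from the thread): audit every adapter's IPv4 DNS servers
# against an allowlist, flag the resolvers the poster found on the infected
# machine as known-bad, and optionally restore the allowlisted resolvers.
# Assumes the DnsClient module (Windows 8 / Server 2012 and later).
param(
    [string[]]$Allowed = @('8.8.8.8', '8.8.4.4'),   # resolvers considered trustworthy
    [switch]$Fix                                    # without -Fix the script only reports
)

# Resolvers reported in the thread as pushing ads into the browser.
$KnownBad = @('81.218.119.15', '199.203.35.75')

# One row per (adapter, resolver) so the report shows exactly where each entry lives.
$findings = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $cfg.ServerAddresses) { continue }      # adapter has no resolver configured
    foreach ($server in $cfg.ServerAddresses) {
        [pscustomobject]@{
            Interface = $cfg.InterfaceAlias
            Index     = $cfg.InterfaceIndex
            Server    = $server
            Status    = if ($KnownBad -contains $server) { 'KNOWN-BAD' }
                        elseif ($Allowed -contains $server) { 'ok' }
                        else { 'unexpected' }        # not bad by reputation, but not ours either
        }
    }
}

$findings | Format-Table -AutoSize

$suspect = $findings | Where-Object Status -ne 'ok'
if (-not $suspect) {
    Write-Host 'All adapters use allow-listed resolvers.'
    return
}

if ($Fix) {
    foreach ($idx in ($suspect.Index | Sort-Object -Unique)) {
        # Statically assign the allowlisted resolvers to the affected adapter.
        # To hand the adapter back to DHCP instead, use -ResetServerAddresses.
        Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses $Allowed
        Write-Host "Interface $($idx): DNS servers set to $($Allowed -join ', ')"
    }
    # Drop any answers already cached from the bad resolvers.
    Clear-DnsClientCache
}
else {
    Write-Host 'Suspect resolvers found; re-run with -Fix to restore the allowlist.'
}
```

Run it from an elevated PowerShell prompt; without -Fix it is read-only and safe to use as a first look at any machine. An 'unexpected' entry is not automatically malicious (an ISP or corporate resolver will show up that way), which is why the allowlist is a parameter. Adapters that receive their resolvers from DHCP are included in the report, so if a bad address keeps coming back after a reset, the DHCP source (typically the home router) is the next place to check.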



#2 Sintharius


Posted 07 June 2015 - 03:50 AM

The computer had been scoured with my usual array of best-of-breed malware cleanup tools.

Depends on what you use :wink:

What you saw is not called malware per se, but rather Potentially Unwanted Programs (PUPs). It's because the makers insisted that their software only serves to do good for the customer, but the reality is that nobody wants them on their machine. :lol:

#3 Stanley_Krute


Posted 07 June 2015 - 04:08 AM

Depends on what you use :wink:

1. AdwCleaner
2. ComboFix
3. JRT
4. Hitman Pro
5. Malwarebytes Anti-Malware
6. RKill
7. TDSS Killer
8. Avast AV
9. Spybot

None caught this particular vector.

Do you know of a tool that does catch it ??


Edited by Stanley_Krute, 07 June 2015 - 04:08 AM.


#4 Stanley_Krute


Posted 07 June 2015 - 04:11 AM

What you saw is not called malware per se, but rather Potentially Unwanted Programs (PUPs). It's because the makers insisted that their software only serves to do good for the customer, but the reality is that nobody wants them on their machine. :lol:

 

LOL here in my not-yet-fully-Orwellian lawyer-free world, we just call it malware.


Edited by Stanley_Krute, 07 June 2015 - 04:24 AM.


#5 Sintharius


Posted 07 June 2015 - 04:21 AM

1. AdwCleaner
2. ComboFix
3. JRT
4. Hitman Pro
5. Malwarebytes Anti-Malware
6. RKill
7. TDSS Killer
8. Avast AV
9. Spybot

None caught this particular vector.

Do you know of a tool that does catch it ??

First off, you should NOT run ComboFix on your own without guidance from a trained malware helper.

I wouldn't use Spybot; its performance is rather poor now.

To remove add-ons and extensions I go for a browser reset/refresh - that will get rid of malware traces that may be in places automated tools cannot touch.

I do manual removal of malware, so I cannot give you advice on what I use.

LOL here in my not-yet-fully-Orwellian world, we call it malware.

Some of the PUP peddlers have been known to sue security vendors that detect their product :P Nobody wants that, so they call those PUPs instead and make PUP detection opt-in instead of by default (Malwarebytes, Emsisoft and ESET ask you during installation if you want to enable PUP detection).

#6 Stanley_Krute


Posted 07 June 2015 - 04:27 AM

First off, you should NOT run ComboFix on your own without guidance from a trained malware helper.

 

I've been cleaning up computers for a few decades. Do a few hundred per year these days. No casualties yet. Thanks for the warning LOL.


Edited by Stanley_Krute, 07 June 2015 - 04:37 AM.


#7 Stanley_Krute


Posted 07 June 2015 - 04:29 AM

 

I wouldn't use Spybot; its performance is rather poor now.

No huge disagreement re: its performance degradation over versions. However, it will still sometimes catch things the other tools miss.


Edited by Stanley_Krute, 07 June 2015 - 04:37 AM.


#8 Sintharius


Posted 07 June 2015 - 04:33 AM

I've been cleaning up computers for a few decades. Do a few hundred per year. No casualties yet. Thanks for the warning LOL.

I will quote Global Moderator quietman7 on why you should not run ComboFix on your own (not only about the machine-breaking thing):

On first run ComboFix can automatically detect and remove a lot of malware from various locations where it is known to hide. Further, much of what ComboFix does is completed upon reboot as part of its routine. In many cases the first run of ComboFix saves us the trouble of having to prepare a CFScript which is intended to be used as a cleanup tool AFTER an initial run of ComboFix. There are advanced users and security experts who have figured out how to create some of the more common CFScripts which are used without ever having attended formal training. ComboFix also provides a wealth of information about many areas of the operating system and registry in the comprehensive logs it creates. That information can provide advanced users a strategy for planning additional malware removal steps using other alternative tools.

So not only do you run the risk of breaking machines, you are not using CF's full potential. :wink:

No huge disagreement. However, it will still sometimes catch things the other tools miss.

I also clean machines in the Am I Infected? section of this forum, and I see people having Spybot installed coming in for help from time to time. Problem is, not only is it ineffective but the TeaTimer function will also interfere with malware removal.

If you ask me which vendors I prefer, my top choices are Emsisoft and Malwarebytes, then ESET.

#9 Stanley_Krute


Posted 07 June 2015 - 04:40 AM

 

To remove add-ons and extensions I go for a browser reset/refresh - that will get rid of malware traces that may be in places automated tools cannot touch.

Indeed. That had already been done in this case, but the popups persisted. The DNS hijacking was the final bit of malevolence.



#10 Stanley_Krute


Posted 07 June 2015 - 04:46 AM

Yes, truth re: TeaTimer. I merely uninstall Spybot after its scanning.

LOL re: the ComboFix warning. I run a busy computer practice, and it's a useful tool.

Love BC, but sometimes, I must note, the arrogance of the 'helper' set is a tad insufferable.

I posted this info about the DNS hijacking because it's the first time I've seen it, after fixing thousands of infected computers over the years. It will be useful for others googling about when faced with similar problems.

The lecture elements in your responses are ridiculous.

#11 Sintharius


Posted 07 June 2015 - 04:55 AM

The lecture elements in your responses are ridiculous.

You have your opinions, I have mine - I was merely stating them. My apologies if I offended you, but we have differing methods and views on how to deal with infected machines.

Malware removal is a complicated and constantly evolving thing, and we change to catch up with them as well.

#12 Stanley_Krute


Posted 07 June 2015 - 04:56 AM

This, btw, was the one useful guide that alerted me to the need to check for DNS hijacking as regards offers4u:

http://repairinfectedpc.com/Offers4u-Removal/



#13 Sintharius


Posted 07 June 2015 - 05:08 AM

How they described the adware in that link is kinda weird... at least they are not promoting registry cleaners or some other dubious software.

#14 White Hat Mike


Posted 09 June 2015 - 05:50 PM

Yes, truth re: TeaTimer. I merely uninstall Spybot after its scanning.

LOL re: the ComboFix warning. I run a busy computer practice, and it's a useful tool.

Love BC, but sometimes, I must note, the arrogance of the 'helper' set is a tad insufferable.

I posted this info about the DNS hijacking because it's the first time I've seen it, after fixing thousands of infected computers over the years. It will be useful for others googling about when faced with similar problems.

The lecture elements in your responses are ridiculous.

You claim to be well-versed and very experienced, yet you call the compromise/manipulation of your local adapter's DNS settings "DNS hijacking"...   :hysterical:


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#15 quietman7


Posted 09 June 2015 - 07:07 PM

You have to be careful when conducting Google searches on the Internet as there is a lot of misinformation out there. When performing search queries, always check multiple sources to confirm the information provided is consistent and essentially the same.

When searching for suspicious files, new malware or malware removal assistance (and removal guides) on the Internet, it is not unusual to find numerous hits from untrustworthy and scam sites which mis-classify detections or provide misleading information. This is deliberately done more as a scam to entice folks into buying an advertised fix or removal tool. In some cases if the fix is a free download, users may be enticed to download dubious software, malicious files or even be redirected to a malicious web site. In other cases you are referred to contact the site's Tech Support for assistance which is only provided for a fee and many times the actual amount is not disclosed until after you have committed yourself. The scammers may even talk you into giving them remote access to your computer (and by extension, all your private data and personal information). Do not follow such advice or download any removal tools from unknown or untrusted web sites.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
