Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Mysterious Malware hits DNS servers

Status
Not open for further replies.
compgirlfhredi

compgirlfhredi

Technical User
Aug 29, 2003
416
US

"Malicious code -- possibly related to the Microsoft Internet Explorer "object type" vulnerability -- is changing local DNS settings to random numbers. As a result, it makes all DNS-dependent applications, such as e-mail, Web access and internal servers unavailable."
 
Sort by date Sort by votes
My apologies, this was supposed to be in the 'News" section
 
Upvote 0 Downvote
----(snip)---
Oct 4, 2003
Trojan hijacks web browsers
By John Leyden
Posted: 03/10/2003 at 07:38 GMT

A Trojan that exploits an Internet Explorer vulnerability is capable of allowing attackers to hijack browser behaviour, anti-virus firms warn.

The QHosts (Delude) Trojan can't spread by itself. Users only become infected if they visited a maliciously constructed website containing code which allows the malware to run.

This code used a critical object data vulnerability in Internet Explorer to execute.

More information about this vulnerability, including a (partial) fix, can be found in an advisory from Microsoft, issued back in August.

Some anti-virus vendors reckon that this patch will protect against the exploit. However, McAfee warns that the patch fails to protect against the automatic execution of VBScript contained in an HTML file, the infection mechanism used by QHosts.

AV firms are united in saying the latest Windows menace is low spreading, which is just as well. As usual Mac, Linux, OS/2 and Unix users are immune from infection.

According to McAfee, the purpose of this Trojan is to hijack browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote 'administrator' to direct users to the pages of their choosing.

This Trojan is responsible for recent reports of strange DNS changes on systems as recently reported on NTBUGTRAQ, McAfee believes.

Finnish AV firm F-Secure has noted two variants of the Trojan. An advisory by Symantec provides technical detail on the changes the Trojan makes to infected PCs.

Users are advised to update AV signature definitions so that security tools can block the Trojan in case a user is tricked (using spam or via other mechanisms) into visiting an infected Web site.

original source : ---(/snip)-----


IF you guys been having some weird DNS redirections ( and not verisign's doomed service) lately, maybe this is it...


_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
Upvote 0 Downvote
There have been several people hit with this.

There are fixes available from several AV sites, search on QHost with Google, or see the XP, Win2k, or Browser Forums here for links to the fixes.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

KenMeans
  • Locked
  • Question
DNS Issues with wireless router behind Atlantic Broad band Business Modem
Replies
0
Views
10K
KenMeans
KenMeans
alpha76
  • Locked
  • Question
Advice on DNS setup/configuration
Replies
3
Views
11K
technome
technome
tbright
  • Locked
  • Question
DNS reverse lookup errors: zone 1.168.192.in-addr.arpa/IN: has no NS records
Replies
1
Views
12K
tbright
tbright
Richard Carter
  • Locked
  • Question
Set up BIND on DNS server for local home server
Replies
0
Views
10K
Richard Carter
Richard Carter
rvirene
  • Locked
  • Question
MS DNS / Powershell Script Question
Replies
2
Views
11K
rvirene
rvirene

Part and Inventory Search

Sponsor

Back
Top