Alan94539
22.11.2008 19:59
I have been doing dozens of Google and forum searches trying to find a description and solution to this virus. Target system is Windows/XP SP3. The symptom is that the DNS resolver is spoofed such that many domains resolve to "127.0.0.1" so they cannot be accessed.
I'm having to post this from my Linux box because it wouldn't be possible from my infected Windows system. You can easily find on Google and this forum dozens of viruses that will modify the etc/hosts file, but this virus does it without modifying that file. It also seems that KAV with the current database can't find it, at least not in the \WINDOWS directory. (I'm doing a full system scan now, but it will take a while.)
Can someone point me to an article on this?
QUOTE(Alan94539 @ 22.11.2008 10:59)
I also have the same problem. I have XP SP2. I'm doing my Google searches without luck. Can someone please help?
Will Fox
13.12.2008 01:08
No idea if this might be at all helpful:
http://www.scmagazineuk.com/New-DNS-changi...article/122683/
Any number of malware scanners might be able to detect the application, provided you can get one installed on an infected machine.
Will Fox
13.12.2008 01:40
I found a little more info:
With the new Trojan.Flush.M variant discovered on December 3, 2008, the core thinking to DNS altering seems to have shifted again. The trojan now makes use of a legit file, ndisprot.sys, the ArcNet NDIS Protocol Driver, in order to set up a fake DHCP server on the compromised system. This is registered as a service on the machine, and intercepts DHCPDISCOVER packets from the computers on the network.
The rogue DHCP server responds to legit requests with packets containing malicious DNS servers from the 85.255.112.0/20 block. This is an IP range known for being used in various online illegal activities. The anti-spam organization Spamhaus added it to its block list last year, and Bojan Zdrnja from the SANS Internet Storm Center notes that "it's probably wise to at least monitor traffic to 85.255.112.0 - 85.255.127.255, if not block it."
There are several significant implications to the new technique. First of all, it also affects non-infected systems on the network. Then, it doesn't always compromise a system. Sometimes it succeeds and sometimes it doesn't, depending on how fast the network's legit DHCP server replies. This certainly makes it harder for administrators to track compromised machines on larger networks. The uncontrolled nature of public wireless networks is another factor of great concern in regard to this attack.
I've run into this same issue on several PCs lately. It's getting to be a pain. I use a mix of ComboFix, UnHackMe, HijackThis, Spybot S&D, Ad-Aware, and Malwarebytes Anti-Malware. After numerous scans, I pronounced the machine clean. It would have been faster to wipe and reload.
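The rogue-DHCP technique quoted above leaves a fingerprint on the wire: the DHCPOFFER (or DHCPACK) that the fake server sends carries the attacker's resolvers in DHCP option 6, the DNS-server list. The following is an added example, not code from this thread or from any vendor. It constructs a DHCPOFFER in memory (a made-up sample, not a real capture), parses the BOOTP header and DHCP options, and flags any offered DNS server that falls inside 85.255.112.0/20, the block named in the quoted article. The function and constant names (build_offer, parse_options, rogue_dns) are this example's own.

```python
"""Flag DHCP offers that hand out DNS servers from 85.255.112.0/20.

Added example for the rogue-DHCP/DNS-changer technique described in the
thread. The sample packets are constructed here, not captured.
"""
import ipaddress
import struct

ROGUE_DNS_BLOCK = ipaddress.ip_network("85.255.112.0/20")   # range from the quoted article
MAGIC_COOKIE = b"\x63\x82\x53\x63"                          # RFC 2132 DHCP options marker
DHCP_MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_offer(yiaddr, server, dns_servers):
    """Construct a minimal DHCPOFFER (BOOTP op=2) carrying a DNS-server option.

    Constructed test data only; field values are arbitrary but well-formed.
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s",
        2, 1, 6, 0,                                   # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x3903F326,                                   # xid (arbitrary)
        0, 0x8000,                                    # secs, flags (broadcast bit)
        b"\0" * 4,                                    # ciaddr
        ipaddress.ip_address(yiaddr).packed,          # yiaddr: address being offered
        ipaddress.ip_address(server).packed,          # siaddr
        b"\0" * 4,                                    # giaddr
    )
    header += b"\0" * 16 + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    options = MAGIC_COOKIE
    options += bytes([53, 1, 2])                      # option 53: message type = OFFER
    options += bytes([54, 4]) + ipaddress.ip_address(server).packed  # option 54: server id
    dns = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    options += bytes([6, len(dns)]) + dns             # option 6: DNS server list
    options += b"\x00\x00"                            # pad bytes, to exercise the parser
    options += b"\xff"                                # end option
    return header + options


def parse_options(packet):
    """Return {option_code: raw_value} from a DHCP packet, honouring pad/end codes."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                                 # pad: single byte, no length
            i += 1
            continue
        if code == 255:                               # end of options
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def dns_servers(options):
    """Decode option 6 into a list of IPv4Address objects."""
    raw = options.get(6, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [ipaddress.IPv4Address(raw[k:k + 4]) for k in range(0, len(raw), 4)]


def rogue_dns(packet):
    """List (as strings) the offered DNS servers that sit in the rogue block.

    Only OFFER and ACK messages configure a client, so other types return [].
    """
    opts = parse_options(packet)
    mtype = DHCP_MESSAGE_TYPES.get(opts.get(53, b"\0")[0], "?")
    if mtype not in ("OFFER", "ACK"):
        return []
    return [str(ip) for ip in dns_servers(opts) if ip in ROGUE_DNS_BLOCK]


# Constructed samples: a normal LAN offer and one from a rogue server.
LEGIT = build_offer("192.168.1.23", "192.168.1.1", ["192.168.1.1"])
ROGUE = build_offer("192.168.1.23", "192.168.1.77", ["85.255.112.36", "85.255.112.37"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("rogue", ROGUE)):
        hits = rogue_dns(pkt)
        print(name, "offer: DNS servers in rogue block:", hits or "none")
```

In practice the input would be the UDP payload of port 67/68 traffic captured on the LAN segment; because the rogue server races the real one, a clean Windows host will sometimes win and sometimes lose, so a capture over several lease renewals is more telling than a single one. The quick manual equivalent on an XP box is to read the DNS-server lines of `ipconfig /all` and compare them against the same range.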