*Possible new DNS hi-jacking exploit*

Good Morning!

We have recently begun seeing reports of suspicious settings in DNS (none from our client base...yet). Clients affected exhibit the following behaviour:

  • Sudden slowdown of internet browsing
  • Domain not found at logon
  • "Unable to locate domain" errors in the event logs

Investigation of the matter reveals only that the DNS settings have been changed to show two addresses:

93.188.161.198 and 93.188.161.15

Each of these addresses originates in Ukraine (http://ip.corporationwiki.com/93.188.161.0/) and should probably be blocked at your firewall.  For that matter, if you are on a Windows domain your corporate firewall should be configured to allow outbound DNS queries only from your internal DNS server, and all clients should be configured to use only your internal DNS.  If this is not the case, you probably are facing a lot of other issues and should call Secure Vizion to get everything working smoothly... but I digress.

The exact virus or trojan that is changing this setting is not clear, but there is a post at http://www.bleepingcomputer.com/forums/topic318859.html that indicates a virus called "packed.win32.katusha.m" may be responsible.  More info on this virus can be found at http://www.securelist.com/en/descriptions/7632035/Packed.Win32.Katusha.m.

Others who have experienced the DNS IP change symptom have reported that the virus is identified and removed by their anti-virus application, but the rogue DNS setting is not reverted after removal.

If you find this symptom present on a system, DO NOT ASSUME your anti-virus caught and removed the threat.  Check your connections using "netstat -ano", look for any connections to public IP addresses and verify where each IP originates.  You can verify this by searching for the IP address you find on Google, or search for "reverse DNS lookup", which will identify the entity that owns the IP.  If you see a connection to any country other than your own, be very suspicious.  Contact your anti-virus vendor and ask for help.  If you would rather have professionals dive in and do this for you, well, you know who I would recommend!
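To make the two checks above repeatable (rogue resolver addresses in the client's DNS settings, and live connections to public IPs in "netstat -ano"), here is an added example script; it is not from the original post. It assumes a hypothetical pair of internal resolvers (10.0.0.10 and 10.0.0.11) and parses a constructed sample of netstat output rather than a real capture.

```python
import ipaddress

ROGUE_DNS = {"93.188.161.198", "93.188.161.15"}  # rogue resolvers reported in the post
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}  # constructed: our hypothetical domain's resolvers
# Constructed sample of 'netstat -ano' output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.0.0.25:49712        10.0.0.10:445          ESTABLISHED     4
  TCP    10.0.0.25:49801        93.188.161.198:80      ESTABLISHED     3124
  TCP    [::1]:49152            [::1]:49153            ESTABLISHED     2280
  UDP    0.0.0.0:500            *:*                                    1100
"""

def check_dns_servers(configured, internal=INTERNAL_DNS, rogue=ROGUE_DNS):
    """Flag each configured resolver that is a reported rogue or not one of ours."""
    findings = []
    for addr in configured:
        if addr in rogue:
            findings.append((addr, "matches reported rogue resolver"))
        elif addr not in internal:
            findings.append((addr, "not an approved internal resolver"))
    return findings

def public_connections(netstat_output):
    """Parse 'netstat -ano' text; return sockets whose remote end is a public IP."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if fields[:1] == ["UDP"] and len(fields) == 4:
            fields.insert(3, "")  # UDP rows carry no State column
        if len(fields) != 5 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or unexpected line
        proto, local, remote, state, pid = fields
        host, _, port = remote.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # '[::1]' -> '::1'
        except ValueError:
            continue  # '*:*' and other unparseable remote ends
        if ip.is_global:  # excludes RFC 1918, loopback, link-local, 0.0.0.0, ...
            hits.append({"proto": proto, "local": local, "remote": str(ip),
                         "port": port, "state": state, "pid": pid})
    return hits

def triage(netstat_output, configured_dns):
    """Run both checks and list the PIDs that are talking to the rogue resolvers."""
    report = {"dns": check_dns_servers(configured_dns), "public": public_connections(netstat_output)}
    report["rogue_pids"] = sorted({c["pid"] for c in report["public"] if c["remote"] in ROGUE_DNS})
    return report
```

On a live Windows host, feed `triage()` the text of `netstat -ano` and the resolver list from `ipconfig /all`; any PID it names is the process to hand to your anti-virus vendor.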

Cheers,

Ray
