Author Topic: Possible New DNS Exploitation/Manipulation?  (Read 7921 times)


UserA789

  • Guest
Possible New DNS Exploitation/Manipulation?
« on: October 12, 2013, 06:04:07 AM »
Okay,

I apologize for only having an example from my gaming console, but that's the only place I catch this happening.  I'm on a #PS3 and it only occurs when playing the new temp-release of Battfild Four (game name slandered so illicit users can't search to fix, or at least make it harder.)

My DNS is changed, but not permanently.  This is a problem since I manually set my DNS... it should never change from my host DNS.  It usually happens across my hotspot but has occurred on my home network as well. My hotspot is not a Comcast service but that's where I end up routing through @ 50.178.xxx.xxx.  I don't post the last subsets as they could be simply someone unknowingly running a bot-cypher and I'd hate for them to get slack over another jerk's issues.

I no longer have the tools to query and produce all the code coming to my network so I'm here asking if someone can check this.  Again, I've only noticed it when playing the pre-release of the game (got through console store access, valid till the 15th).  It does not change the DNS I set my PS3 to, but that seems to be ignored anyhow, as my router shows traffic through 50.178.xxx.xxx.

I'm sorry for not knowing if this is occurring across the entire network or just secluded to the console.  But as soon as it happens I can see it in the load screen of the game (it's different, but you have to be paying attention).

I guess I'm asking if someone with the tools can start testing this out; if a new DNS change exploit is out there, we should be the first to exploit the exploit.

Details:
My AP's DNS is changed.  I didn't notice at first, but when the load screen kept being slightly different I decided to check over my settings and this is when I noticed my DNS manipulated/redirected.  I reset it; it can still be changed.  I reset the device entirely (to include resetting access keys and SSIDs) yet it still occurs.  It does not permanently change my DNS and if I power-cycle my router/AP/hotspot it is back to my pre-set DNS IP.  I have no other evidence or data; as I said, I don't have access to the tools I usually do.

I found this new example of old school techniques used to change/manipulate DNS:

http://codemink.com/gate-2014-iit-kharagpur-servers-hacked-ddos-vulnerability/ - it relies on the basic DNS/DDoS/BIND attacks but seems to add a change, such as a version query if the server is not set to open-recursive DNS.
« Last Edit: October 12, 2013, 06:12:32 AM by UserA789 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Possible New DNS Exploitation/Manipulation?
« Reply #1 on: October 12, 2013, 01:41:31 PM »
First check here: http://www.dcwg.org/ and for that IP check https://dazzlepod.com/ip/xx.xxx.xxx.xxx/
Then try and get a detailed report here: http://n1.netalyzr.icsi.berkeley.edu/

Try to implement this code to harden your router
Code:

// JavaScript (Backbone.js): re-trigger the current hash route by restarting history
var resetRouter = function () {
  var hash = window.location.hash;
  var someRouter = new router();   // assumes a Backbone.Router subclass named "router" exists
  Backbone.history.stop();
  window.location.hash = hash;
  Backbone.history.start();
};
handlesodetail: function (sonumber) {
  resetRouter();
}

// C# (Dynamics CRM workflow activity), a separate fragment, with its elided sections as posted
protected override void Execute(CodeActivityContext executionContext)
{
    // ...
    dynamic[] sendFields = {
        new { type = "TO", teamMembers = GetTeamMembers(service, LookupToTeam.Get<EntityReference>(executionContext)) },
        new { type = "CC", teamMembers = GetTeamMembers(service, LookupCcTeam.Get<EntityReference>(executionContext)) },
        new { type = "BCC", teamMembers = GetTeamMembers(service, LookupBccTeam.Get<EntityReference>(executionContext)) },
    };
    // ...
}

public static List<TeamMembership> GetTeamMembers(IOrganizationService service, EntityReference teamRef)
{
    // ...
}
code credits go to ronaldcs
see also this link: http://www.dforge.net/2013/04/01/re-trigger-a-backbone-js-route/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
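The resolver checks polonus points to (dcwg.org, Netalyzr) come down to one question: does the resolver your router hands out return the same answers a trusted resolver does? The Python script below is an added example for this thread, not code from the forum or from any of the linked sites. It builds a raw A query, parses the reply (compressed names included, with a transaction-id check so a stray spoofed packet is rejected) and flags canary names whose answers from the two resolvers have no address in common. The sample reply bytes, the address for example.com inside them, and the resolver placeholders in the usage comments are constructed for illustration.

```python
"""DNS answer-consistency check using only the Python standard library."""
import os
import socket
import struct


def encode_name(name):
    """Encode a dotted hostname into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None):
    """Build a recursive A/IN query; a random transaction id resists blind spoofing."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg, offset, max_hops=16):
    """Decode a possibly compressed name; returns (name, offset just past the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2  # the field ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_a_records(msg, expected_txid=None):
    """Return [(name, ipv4)] for the A answers; reject replies with a wrong txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: possible spoofed reply")
    if flags & 0x000F != 0:
        return []  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...): nothing usable
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def query_a(name, server, timeout=3.0):
    """Live lookup of the A records for `name` at resolver `server` over UDP/53."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return {ip for _, ip in parse_a_records(data, expected_txid=txid)}


def divergent_canaries(observed, trusted):
    """Canary names whose observed address set shares nothing with the trusted set."""
    return sorted(name for name, good in trusted.items()
                  if observed.get(name) and not (observed[name] & good))


# Constructed sample reply (not captured traffic): txid 0x1234, one A answer for
# example.com whose owner name is a compression pointer back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)


if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, expected_txid=0x1234))
    # Live use: resolver addresses below are placeholders, substitute your own.
    # canaries = ["example.com"]
    # observed = {n: query_a(n, "192.168.1.1") for n in canaries}          # router-assigned
    # trusted = {n: query_a(n, "TRUSTED.RESOLVER.IP") for n in canaries}   # placeholder
    # print(divergent_canaries(observed, trusted))
```

Pick canary names that resolve to stable addresses; CDN-fronted names legitimately answer differently from different resolvers and would produce false positives. The address of the resolver itself is the other thing to record each run, since the symptom in this thread is the configured resolver being silently replaced until the next power cycle.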

UserA789

  • Guest
Re: Possible New DNS Exploitation/Manipulation?
« Reply #2 on: October 12, 2013, 06:18:15 PM »
THIS IS GOOD STUFF FROM MY BASIC UNDERSTANDINGS!!!

Okay,

First... I have never used C++, or coded anything for that matter.  I've always relied on scripting original dBase1 (ver 1.x-3.2) as it's served most of my needs.  So would it be possible to explain the basics of what this does, per line or per instance (grouping of lines of code)?

I.e., is 'TeamMember' a generic string marker for a designated group already defined, or a web target, or what?  Same with the other references, such as 'Entity', etc.  Again, I apologise for not being fluent in anything other than dBase and Helix DNA.

Second, I currently won't touch the custom FWs so I don't think this would help me... unless you can instruct how to insert this into my router commands using OFW?

(I won't use any of the custom FW out right now because we really don't know who is behind it.  That would be like opening email from unknown senders... very risky.  I'm not being paranoid; I have already had to deal with MyCanadianPharmacy and their li'l ID theft ring.  Once you have to fight in the least to maintain your own identity, these things become VERY important and an active reality.  That's all.  It's why I would love for Avast, or a known Avast member, to code some CFW for routers backed with Avast technology.  I know Trend Micro has a router or two they do this with.)

But to the main point... I've even found a couple of places under DNS manipulation.  It seems to be an old method with a new twist.  One group even hijacked a DNS via faxing them.  I don't think this is really console-specific or even specific to the game mentioned; however, this seems to be their preferred testing ground.

http://threatpost.com/phony-order-faxed-to-registrar-leads-to-metasploit-defacement

Thank you for this... I'm sure anyone already using CFW on their router will be much more secure by using it.  If I'm being retarded (I'm certified so don't tell me I can't use the word) and can implement this in my router using its OFW... EVEN MORE REASON TO LOVE AVAST!!!
« Last Edit: October 12, 2013, 06:20:21 PM by UserA789 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Possible New DNS Exploitation/Manipulation?
« Reply #3 on: October 12, 2013, 06:38:22 PM »
Hi UserA789,

Fire that code as JavaScript up to https://malwr.com/ and you will get a report on what it does and you could start from there.

This is what it does
Code:

// JavaScript (Backbone.js) part
var resetRouter = function () {
  var hash = window.location.hash;
  var someRouter = new router();
  Backbone.history.stop();
  window.location.hash = hash;
  Backbone.history.start();
};
handlesodetail: function (sonumber) {
  resetRouter();
}

// C# part (Dynamics CRM workflow activity), elided sections as posted
protected override void Execute(CodeActivityContext executionContext)
{
    // ...
    dynamic[] sendFields = {
        new { type = "TO", teamMembers = GetTeamMembers(service, LookupToTeam.Get<EntityReference>(executionContext)) },
        new { type = "CC", teamMembers = GetTeamMembers(service, LookupCcTeam.Get<EntityReference>(executionContext)) },
        new { type = "BCC", teamMembers = GetTeamMembers(service, LookupBccTeam.Get<EntityReference>(executionContext)) },
    };
    // ...
}

public static List<TeamMembership> GetTeamMembers(IOrganizationService service, EntityReference teamRef)
{
    // ...
}

What happens actually and where your complaints originate:
   1. Client web browser makes a request to the web site.
   2. Request goes through client’s ISP.
   3. Request gets routed through the Internet.
   4. Request goes through server’s ISP.
   5. Server responds with HTML/CSS/JavaScript/images/etc.
   6. Response goes through server’s ISP.
   7. Response gets routed through the Internet.
   8. Response goes through client’s ISP.
          * ISP appends HTML/CSS/Javascript to response that generates ad.
   9. Client web browser receives response and displays the web page.

Also a very important step towards the security of your DNS is to use 20-position strong passwords...
You could turn an old PC into something DIY that is completely tweakable:
http://www.applianceshop.eu/index.php/firewalls/pfsense-small.html
Security leaks can cost you dearly if you miss a security update, as for ASUS routers: attackers on the network just had to open RouterIPAddress/qis/QIS_finish.htm to get access to all router info, admin password included  :o
The problem was solved through updating to firmware 2.0.0.25

Some tips - a good idea is to add "_nomap" to the SSID. One does not get mapped at www.wiggle.net. Credits for info go to yobi
Some tips below where credits go to Predjuh (both yobi and Predjuh are members of the Security.nl forum):

1. Hiding your SSID.
Only sensible for networks that are being used sporadically.
After a disconnect packet has been sent, 90% of clients will reconnect and resend the SSID in the first packets anyway.

2. Filtering MAC addresses
Lists of connected MAC addresses are being forwarded by clients and could next be spoofed.

3. Passphrase >= 20 characters
Good advice; Predjuh rather likes to speak of a "passphrase" than a password, because a lot of folks think that it should be a "word".

4. Whitelisting of MAC addresses
See 2.

5. Uninstall WPS, do not use.
Good advice; unsavvy users do not always have the motivation to do so, while this advice seems just meant for this group.

Some additional advice (from the same info source credited above):

- Passphrase >= 20 characters for access to modems/routers or other network peripherals.
- When there should not be any communication between clients, tick the option "client isolation" (when this option is available)
- Always uninstall remote management.
- Uninstall the option to control your router/modem through WiFi (rather use a cable to do so)
- Uninstall UPnP on your modem/router.

polonus
« Last Edit: October 17, 2013, 02:08:35 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Possible New DNS Exploitation/Manipulation?
« Reply #4 on: October 13, 2013, 03:03:40 PM »
Hi UserA789,

Well, one always has to be on top of security alerts for reverse engineering to find easy backdoors,
see: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
article author = craig on /dev/ttyS0 Embedded Device Hacking

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

UserA789

  • Guest
Re: Possible New DNS Exploitation/Manipulation?
« Reply #5 on: October 14, 2013, 07:10:11 PM »
Thanks for all the good stuff polonus.  Your descriptive instructions were a welcome relief.  I am in the process of re-building my 'security testing terminal' so I can get the stuff I'll want to forward to the correct individuals.  But with the American GOP Congress holding veteran pay as a hostage tool... all my funds are being saved for a possible holiday season of absolute struggle... sorry to talk about politics but this is my reality right now.

Now... back to the DNS exploitation across the console I specified.  I did some simple testing of my hypothesis and it seems to be becoming more evident as an actual occurrence.  My buddy, who uses the same console and plays the same program {BFFOUR}... who was unaware the "secure" setup XFinity left him with was not all that secure... from broadcasting his SSID to ZERO WiFi MAC filtering... had been getting weird errors from his console about DNS issues and it was taking him 40+ minutes to re-connect.

I went to his house and we used the dedicated DNS server my ISP lets me use when not on the network.  He stopped getting the DNS connection errors and instead would freeze up about every third game for no reason.  So it does seem, with the limited testing I've done, that DNS manipulation is occurring over that specific game; it ONLY happens when playing this one 'beta' game while every other game I have (over 100 downloads) acts just fine.

But the research on this is showing that DNS manipulation is on a HUGE rise right now so I figured it would be a great thing for my FAVORITE security vendor to be the one to uncover.

Again polonus, thanks for your details so I can add some additional coding when I get my 'VORTEX' machine set up to silently monitor Tx.  The main topic is DNS exploitation and I'm hoping we can prevent Avast users, as well as others, from becoming victims as during the DNS Malware Changer episodes two years ago.

Ohh... and I use very strong encryption methods myself. 32-digit private SSIDs to 63-ASCII WPA2 (AES) keys to random 20-24 length Windows passwords to wireless AC filtering and DHCP reservations with no open IP assignments.  Never use UPnP and ALWAYS turn off Remote Management; both on my routers and devices.  If you have followed me then you should have guessed that's been what I've had since WiFi was released.  I'm not trying to pass off any BS in my claims of what I did for the USMC and why the USMC servers have been the most secure in the world... it's what I actually did.

I have never used WPS; that's just silly and asking to be hijacked.  But this is good stuff for ANY Avast member to know if they are not doing it already.  Most novice users that come here with exploitation complaints usually will boil down to one of the things you talk about in securing a router and has NOTHING to do with the AV client installed.

AWESOME LOOKIN OUT!!! SEMPER FIDELIS AND OORAH!!!

OFF TOPIC:  I like to use the below website for a plethora of tools, including random key generators to hash encryption testing:

https://www.grc.com/passwords.htm

I'm sure you'll find a tool or two that will blow you away.  If this hasn't been added to the sticky of great websites for Avast forum users... I'd ask Avast to review the site then add it to the list.
« Last Edit: October 14, 2013, 07:20:00 PM by UserA789 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Possible New DNS Exploitation/Manipulation?
« Reply #6 on: October 15, 2013, 12:40:33 AM »
Hi UserA789,

Good we could inspire each other here; that really adds to a very positive feeling.
I sure will look into your recommendations.
Certainly hope you soon will get out of your predicament and the shut-down will soon "ebb away".
Know that in a lot of respects we have to face similar hard times,
while the situation is not exactly the same on the other side of the Atlantic,
but we have come to live in a small and interdependent world.

Stay safe and secure is the wish of.
For later, enjoy yer Halloween and bonfire..

polonus

P.S. Nice article link: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/  (article author = craig)

D
« Last Edit: October 15, 2013, 05:48:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

UserA789

  • Guest
Re: Possible New DNS Exploitation/Manipulation?
« Reply #7 on: October 17, 2013, 02:02:10 AM »
Quote
Hi UserA789,

Good we could inspire each other here; that really adds to a very positive feeling.
I sure will look into your recommendations.
Certainly hope you soon will get out of your predicament and the shut-down will soon "ebb away".
Know that in a lot of respects we have to face similar hard times,
while the situation is not exactly the same on the other side of the Atlantic,
but we have come to live in a small and interdependent world.

Stay safe and secure is the wish of.
For later, enjoy yer Halloween and bonfire..

polonus

P.S. Nice article link: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/  (article author = craig)

D
So there is a new piece to the puzzle.  When I went to log into the Battlelog site... all of a sudden my IE is choked down with a file trying to SAVE and RUN; but IE stopped it and, as I said, almost choked on the popup dialog to SAVE, OPEN, or CANCEL a 50k file being sent from "r(dot)openx(dot)net", a site/group already involved in DNS exploiting.

Personally I feel it's just an advanced take on the GhostClick DNS Malware Changer operation but doesn't involve the ISP at any point. This would leave it very hard to catch, as far as an ISP security admin, as it's not hitting anything but the end user.

Either way, when you use Chrome or FF style browsers... see ya.  You don't get to choose... it doesn't even show up in logs but your DNS (if not specifically set) is 'captured'.  I only see this capture occur in my hotspot as well; my router still shows it's fine when I'm on it.  But, if it's END USER only, then I'm probably lucky to catch the change on my hotspot.  It seems things are being designed for the more popular browsers these days, too.  Really, how many but me have gone back to IE after noticing the others starting to do some 'interesting' things?

...and really; if you were designing malware, wouldn't you be designing it for the browsers people have just decided are "safer" or, even worse, as most feel with Linux, "Bullet Proof"?  We all know better, but we all know others that believe the very thing.

Quote
Stay safe and secure is the wish of.
For later, enjoy yer Halloween and bonfire..

polonus

P.S. Nice article link: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/  (article author = craig)

D
You too... I'm checking the article now.

#33rd #piratemafia

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Possible New DNS Exploitation/Manipulation?
« Reply #8 on: October 17, 2013, 01:51:23 PM »
Elsewhere I have warned about DNS manipulation being the main new trend in malware proliferation and this is growing into a main attack line.
In your case consider this: http://intodns.com/openx.net  From there:
Quote
Missing nameservers reported by parent   FAIL: The following nameservers are listed at your nameservers as nameservers for your domain, but are not listed at the parent nameservers (see RFC2181 5.4.1). You need to make sure that these nameservers are working. If they are not working OK, you may have problems!
aus1.akam.net
asia3.akam.net
ns1-208.akam.net
Quote
WARNING: SOA MNAME (ns1-208.akam.net) is not listed as a primary nameserver at your parent nameserver!
Quote
Your SOA EXPIRE number is: 2678400. That is NOT OK
This is an ongoing story: http://support.clean-mx.de/clean-mx/viruses.php?domain=openx.net&sort=ns5%20desc
Google browser does not even let me search r dot openx dot net queries... blocked (search engine security extension in Google Chrome blocks)
Some goodies from there: https://www.virustotal.com/en/domain/r.openx.net/information/  and even file infectors like VIRUT -
say bye bye to your computer.... :o
See the delayed Scranton, USA results: http://check-host.net/check-dns?host=r.openx.net
See: https://ip.robtex.com/173.241.240.7.html
and http://support.clean-mx.de/clean-mx/viruses.php?ip=173.241.240.7&sort=first%20desc (https://urlquery.net/queued.php?id=46778594)
See: ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source) in https://urlquery.net/report.php?id=4960967
Read Will Metcalf's musings on the IDS here: http://seclists.org/snort/2010/q4/319
Browser cursor manipulation due to lack of input/output validation and server hardening is obvious here!
Probably that is what was taking place inside your IE browser at the time!

How they attacked: http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fr.openx.net%2Fset%3Fpid%3D21a19823-5de3-4917-bc81-a4edea5127ff%26amp%3Brtb%3D4255378259941066298%26amp%3Bcc%3D1

Compare this info with your experiences and we can continue our investigations from that point.

polonus
« Last Edit: October 17, 2013, 02:01:33 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
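The intodns findings quoted in the post above are three mechanical checks: the NS set the zone's own servers return must match the NS set delegated at the parent (RFC 2181 section 5.4.1), the SOA MNAME should be one of the parent-listed servers, and the SOA EXPIRE should fall within the 2 to 4 week range RFC 1912 recommends (2678400 seconds is 31 days, which is why it was flagged). The script below is an added example written for this thread, not intodns code: it implements those checks on two NS lists and a dig-style SOA text line. The parent server names ns1.example.net and ns2.example.net, the hostmaster address and the serial are constructed; the three akam.net names, the MNAME and the EXPIRE value are the ones quoted above.

```python
"""Delegation consistency and SOA timer sanity checks."""
import re

# RFC 1912 section 2.2 recommends an SOA EXPIRE between 2 and 4 weeks.
EXPIRE_RANGE = (1209600, 2419200)


def normalize(names):
    """Lower-case and strip the trailing dot so parent and child lists compare cleanly."""
    return {n.rstrip(".").lower() for n in names}


def parse_soa(rdata_text):
    """Parse SOA RDATA in the text form dig prints:
    'mname rname serial refresh retry expire minimum'."""
    fields = re.split(r"\s+", rdata_text.strip())
    if len(fields) != 7:
        raise ValueError("SOA RDATA must have seven fields")
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
    return {"mname": fields[0].rstrip(".").lower(), "rname": fields[1], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}


def delegation_findings(parent_ns, child_ns, soa):
    """Return [(severity, code, detail)] for the delegation and SOA checks.

    parent_ns: NS names the parent zone delegates to (what the TLD servers say).
    child_ns:  NS names the zone's own servers return for the apex.
    soa:       dict from parse_soa().
    """
    parent, child = normalize(parent_ns), normalize(child_ns)
    findings = []
    # RFC 2181 5.4.1: servers the zone lists for itself must also be delegated at the parent.
    missing_at_parent = sorted(child - parent)
    if missing_at_parent:
        findings.append(("FAIL", "NS_MISSING_AT_PARENT", missing_at_parent))
    # The reverse gap means the parent delegates to servers the zone does not acknowledge.
    missing_at_child = sorted(parent - child)
    if missing_at_child:
        findings.append(("FAIL", "NS_MISSING_AT_CHILD", missing_at_child))
    # The primary named in the SOA should itself be one of the delegated servers.
    if soa["mname"] not in parent:
        findings.append(("WARNING", "SOA_MNAME_NOT_AT_PARENT", soa["mname"]))
    low, high = EXPIRE_RANGE
    if not low <= soa["expire"] <= high:
        findings.append(("WARNING", "SOA_EXPIRE_OUT_OF_RANGE", soa["expire"]))
    return findings


# Constructed sample data: the parent names, hostmaster and serial are invented;
# the akam.net names, MNAME and EXPIRE are the values quoted in the thread.
SAMPLE_PARENT_NS = ["ns1.example.net.", "ns2.example.net."]
SAMPLE_CHILD_NS = SAMPLE_PARENT_NS + ["aus1.akam.net.", "asia3.akam.net.", "ns1-208.akam.net."]
SAMPLE_SOA = "ns1-208.akam.net. hostmaster.example.net. 2013101701 3600 600 2678400 300"


if __name__ == "__main__":
    for severity, code, detail in delegation_findings(SAMPLE_PARENT_NS, SAMPLE_CHILD_NS, parse_soa(SAMPLE_SOA)):
        print(f"{severity:8} {code:26} {detail}")
```

To run this against a real zone, feed it the NS list from the parent (`dig +norecurse @<tld server> <zone> NS`), the NS and SOA records from one of the zone's own servers, and compare the findings with the intodns output; a resolver-side redirection of the kind discussed in this thread does not show up here, since these checks describe the zone's delegation, not what your local resolver answers.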

UserA789

  • Guest
Re: Possible New DNS Exploitation/Manipulation?
« Reply #9 on: October 22, 2013, 08:46:54 PM »
Quote
Elsewhere I have warned about DNS manipulation being the main new trend in malware proliferation and this is growing into a main attack line.

...
...
...

Compare this info with your experiences and we can continue our investigations from that point.

polonus

Have you been checking out how many new instances of this have occurred in the past two weeks... this is more than coincidence.  I've had a re-direct attempt of DNS in headers (not sure how that is effective but someone is trying) on the Affordable Health Care website in America.  Maybe my advanced security settings (as we found out we are both on the mark with... no WPS, private SSIDs, STRONG WPA2 keys, etc.) are the only thing that let me get a brief glimpse before my PC froze (the freezing was more likely due to the failing hard drive but the header had old school dBase script like I work with).

You know, the GOOD operators like "^#~f00" style  8)

I'll check the information you gave later this week, as I'm still working with Sony on an unknown file that appeared on my PS3 during my investigations.  It's in a place that files should be like this one.

Off hand, once again all there is to say...

WE HEARD THRU AVAST FIRST!!!

UserA789

  • Guest
Re: Possible New DNS Exploitation/Manipulation?
« Reply #10 on: October 22, 2013, 09:35:55 PM »
This occurred right after coming and posting... not saying it's related but it's funny.  :P

Thanks for keeping me safe Avast! as I try to increase safety on the internet in general.

UserA789

  • Guest
Re: Possible New DNS Exploitation/Manipulation?
« Reply #11 on: October 22, 2013, 09:40:47 PM »
Moved to own topic. (http://forum.avast.com/index.php?topic=137691.0)

This thread is still for discussing current DNS manipulation attempts.
« Last Edit: October 22, 2013, 09:44:55 PM by UserA789 »

UserA789

  • Guest
Re: Possible New DNS Exploitation/Manipulation?
« Reply #12 on: October 23, 2013, 10:47:17 PM »
I'm just curious if my two active posts are related; after further basic testing and outcomes, things might be pointing at the original suggestion of Chrome-based DNS style exploiting?