All,
I've run into this a couple of times now. Once on my work PC (which is
alarming, but then viruses have been known to run wild at times) and on
my wife's notebook.
My PC is unaffected, so far.
What happens is this: You click on a website (in my wife's case, it was
a result from a Google search, in my case, a bookmark to Tor Olav's
website) but instead of the site you were expecting you're redirected to
some bogus virus scanner website, which then tells you you have hundreds
of infected files and to download their "virus scanner", which is
actually a trojan horse, that loads up your computer with all sorts of
malware, then demands you pay for the program to clean your infected
computer.
When this happened to me, I thought perhaps Tor's host closed down and a
rogue took it over. But, I tried a different page on his site, and it
was clean. I tried the original bookmark again ... normal. Weird.
It was the same with my wife's site. She was searching about neck pain,
and followed a link to a legitimate website and got the same thing. It
redirected her to a site of the URL "compuererthreats2.com" (note the
spelling) which began the bogus scan.
My work computer appears clean, according to the eTrust scanner. Her
computer appears clean according to Norton. I see no suspicious
processes running on either computer, and all settings and relevant
registry entries look fine. WTF is happening? Is there something out
there poisoning DNS servers briefly, but randomly, causing this, or is
there a new nasty out there that has hidden itself deeply within my
wife's and my work computers?
"Mike Raiford" <mraXXXiford.at.@g1023mail.com> wrote in message
news:4ab8ab30$1@news.povray.org...
> WTF is happening? Is there something out there poisoning DNS servers
> briefly, but randomly, causing this, or is there a new nasty out there
> that has hidden itself deeply within my wife's and my work computers?
Don't recall the article/website but I believe it's from some malware/virus
that has redirected your local DNS settings to some spoofed DNS authority.
maybe someone else remembers seeing this article, and can provide more
details.
Jim
Jim Holsenback wrote:
> don't recall the article/website but I believe it's from some malware/virus
> that has redirected your local DNS settings to some spoofed DNS authority.
> maybe someone else remembers seeing this article, and can provide more
> details.
Yep. Read that article. Promptly went to my wife's notebook, and did an
ipconfig /all and the domain servers are what they should be.
According to the article I was reading, an infected computer hooks up to
the network, an uninfected computer then hooks up, and sends a DHCP
request, the infected computer then offers itself as a DNS
server...which allows the DNS poisoning.
I'm wondering if it's at all possible to slip a poisoned entry into an
ISP's cache.
--
~Mike
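A check in the spirit of the `ipconfig /all` look-over described above, added here as an example and not something anyone in the thread posted: it parses the adapter sections of `ipconfig /all` output and flags any DNS server that is not on an allow-list of the resolvers DHCP is supposed to hand out on that network. The sample output and the allow-list are constructed; `10.0.0.99` stands in for an address pushed by a rogue DHCP responder of the kind the article describes. The parser relies only on the real layout of `ipconfig /all` (field labels indented three spaces, additional DNS servers on deeper-indented continuation lines).

```python
"""Parse `ipconfig /all` output and flag DNS servers that are not on an
allow-list. Added example, not from the thread; the sample output and the
allow-list are constructed (10.0.0.99 plays the rogue DHCP-supplied resolver)."""
from typing import Dict, List, Set

# Constructed, abridged `ipconfig /all` output in the real Windows layout.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Constructed Wireless Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 10.0.0.99
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Constructed Ethernet Adapter
"""

# Resolvers this network is supposed to use (constructed allow-list).
EXPECTED_DNS: Set[str] = {"192.168.1.1"}


def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Map each adapter section to the DNS servers listed in it.

    ipconfig indents field labels by exactly three spaces and lists extra
    DNS servers on deeper-indented continuation lines; the indentation
    tests below rely on that."""
    servers: Dict[str, List[str]] = {}
    adapter = None
    in_dns = False
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.rstrip().endswith(":"):
            adapter = line.rstrip()[:-1]           # new adapter section
            servers[adapter] = []
            in_dns = False
        elif adapter is None or not line.strip():
            in_dns = False                         # preamble or blank line
        elif line.startswith("   ") and not line.startswith("    "):
            label, _, value = line.partition(":")  # labels never contain ':'
            in_dns = label.replace(".", "").strip().lower() == "dns servers"
            if in_dns and value.strip():
                servers[adapter].append(value.strip())
        elif in_dns:
            servers[adapter].append(line.strip())  # continuation line
    return servers


def unexpected_dns_servers(text: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Adapters whose DNS list contains something outside the allow-list."""
    flagged: Dict[str, List[str]] = {}
    for adapter, found in parse_dns_servers(text).items():
        bad = [ip for ip in found if ip not in expected]
        if bad:
            flagged[adapter] = bad
    return flagged


if __name__ == "__main__":
    for adapter, bad in unexpected_dns_servers(SAMPLE_IPCONFIG, EXPECTED_DNS).items():
        print(f"{adapter}: unexpected DNS server(s) {', '.join(bad)}")
```

On a live machine you would pipe the real output in (`ipconfig /all > ipconfig.txt` and read the file) instead of the constructed sample. A server that appears here but is not your router or your ISP's resolver is exactly the symptom the rogue-DHCP article predicts, and is worth checking before you go hunting for a hidden process.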
Mike Raiford wrote:
> What happens is this: You click on a website (in my wife's case, it was
> a result from a Google search, in my case, a bookmark to Tor Olav's
> website) but instead of the site you were expecting you're redirected to
> some bogus website.
> My work computer appears clean, according to the eTrust scanner. Her
> computer appears clean according to Norton. I see no suspicious
> processes running on either computer, and all settings and relevant
> registry entries look fine. WTF is happening?
http://en.wikipedia.org/wiki/Dns_poisoning
http://en.wikipedia.org/wiki/Pharming
Certainly sounds like you're receiving bad DNS information from
somewhere or other. The question is where it's coming from.
It could be that your PC is compromised, your ISP's DNS servers are
compromised, your local router... hard to say for sure.
It's certainly not something I've ever seen myself...
http://www.ngssoftware.com/papers/ThePharmingGuide.pdf
Check it out. A 37-page document, and not *once* do they manage to
correctly use an apostrophy. Nice.
> http://www.ngssoftware.com/papers/ThePharmingGuide.pdf
>
> Check it out. A 37-page document, and not *once* do they manage to
> correctly use an apostrophy. Nice.
An online identity of a customer --> A customer's online identity
Online identities of customers --> Customers' online identities
scott wrote:
>> http://www.ngssoftware.com/papers/ThePharmingGuide.pdf
>>
>> Check it out. A 37-page document, and not *once* do they manage to
>> correctly use an apostrophy. Nice.
>
> An online identity of a customer --> A customer's online identity
> Online identities of customers --> Customers' online identities
These guys seem to take the route of simply not using apostrphies *at
all*, which is arguably more annoying than using them wrong...
On 09/22/09 08:49, Invisible wrote:
> http://www.ngssoftware.com/papers/ThePharmingGuide.pdf
>
> Check it out. A 37-page document, and not *once* do they manage to
> correctly use an apostrophy. Nice.
Apostrophe.
--
I'm not afraid of heights... I'm afraid of depths.
Mike Raiford wrote:
> I'm wondering if its at all possible to slip a poisoned entry into an
> ISP's cache.
It used to be trivially easy. DNS works over UDP, so a DNS server would
send out a request for an address, and when the next server replied, it
would go into the cache - no need to track requests vs replies. "Poisoning"
just consisted of sending replies with bogus answers to servers that hadn't
asked for them.
I don't know how they eliminated that problem.
--
Darren New, San Diego CA, USA (PST)
I ordered stamps from Zazzle that read "Place Stamp Here".
Darren New wrote:
> It used to be trivially easy. DNS works over UDP, so a DNS server would
> send out a request for an address, and when the next server replied, it
> would go into the cache - no need to track requests vs replies.
> "Poisoning" just consisted of sending replies with bogus answers to
> servers that hadn't asked for them.
>
> I don't know how they eliminated that problem.
Each DNS request apparently has a unique ID. The server is supposed to
disregard any replies containing IDs that do not match any pending requests.
The server is also supposed to disregard any entries in the reply packet
which are not relevant to the query it actually issued. (E.g., look up
hackersoftheworld.com and have your DNS server send back
hackersoftheworld.com = XXX, amazon.com = YYY. The server is supposed to
disregard the second item, since it's unrelated to the actual query.)
Now, whether this is what happens in the field, IDK...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
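To make the old behaviour Darren describes and the fix Invisible describes concrete, here is an added example (not code from the thread) that models both cache-insertion policies side by side: the naive one caches whatever answer arrives, the validating one requires the reply's ID to match a pending request, requires the question to be the one that was asked, and discards records that fall outside the zone the request was sent to (the standard name for that last check is the bailiwick rule). It is a model over dataclasses, not a wire-format parser; the resolver is assumed to remember which zone each outstanding query went to, and every name, ID and address is constructed.

```python
"""Two cache-insertion policies for a caching DNS resolver, modelled over
plain dataclasses (no wire-format parsing). Added example, not from the
thread; every name, ID and address below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


@dataclass(frozen=True)
class PendingQuery:
    txid: int        # ID the resolver put in the request header
    qname: str       # name it asked for
    qtype: str       # record type it asked for
    bailiwick: str   # zone the queried server is responsible for


@dataclass
class Reply:
    txid: int
    qname: str
    qtype: str
    records: List[Record]


def naive_insert(cache: Dict[Tuple[str, str], str], reply: Reply) -> None:
    """The behaviour Darren describes: every answer that arrives is cached,
    with no check that anyone asked for it."""
    for owner, rtype, rdata in reply.records:
        cache[(owner.lower(), rtype)] = rdata


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is the zone apex or a name below it."""
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


def validated_insert(cache: Dict[Tuple[str, str], str],
                     pending: Dict[int, PendingQuery],
                     reply: Reply) -> List[str]:
    """The checks Invisible describes: the reply ID must match an outstanding
    request, the question must be the one asked, and each record must be
    relevant to that request. Returns one reason line per dropped item."""
    dropped: List[str] = []
    query = pending.get(reply.txid)
    if query is None:
        dropped.append(f"txid {reply.txid:#06x}: no pending request, reply dropped")
        return dropped
    if (query.qname.lower(), query.qtype) != (reply.qname.lower(), reply.qtype):
        dropped.append(f"txid {reply.txid:#06x}: question does not match, reply dropped")
        return dropped
    for owner, rtype, rdata in reply.records:
        if in_bailiwick(owner, query.bailiwick):
            cache[(owner.lower(), rtype)] = rdata
        else:
            dropped.append(f"{owner} {rtype}: outside {query.bailiwick}, record dropped")
    del pending[reply.txid]  # a second reply reusing this ID is now unsolicited
    return dropped


def demo():
    """Feed the same two constructed replies through both policies."""
    pending = {0x1A2B: PendingQuery(0x1A2B, "www.hackersoftheworld.com.", "A",
                                    "hackersoftheworld.com.")}
    replies = [
        # Answer to the real question that carries an extra, unrelated record
        # (Invisible's amazon.com example).
        Reply(0x1A2B, "www.hackersoftheworld.com.", "A",
              [("www.hackersoftheworld.com.", "A", "192.0.2.10"),
               ("amazon.com.", "A", "198.51.100.66")]),
        # Reply nobody asked for (Darren's pre-fix scenario).
        Reply(0x0042, "www.example.com.", "A",
              [("www.example.com.", "A", "203.0.113.5")]),
    ]
    naive: Dict[Tuple[str, str], str] = {}
    checked: Dict[Tuple[str, str], str] = {}
    dropped: List[str] = []
    for reply in replies:
        naive_insert(naive, reply)
        dropped += validated_insert(checked, pending, reply)
    return naive, checked, dropped


if __name__ == "__main__":
    naive, checked, dropped = demo()
    print("naive cache:  ", naive)
    print("checked cache:", checked)
    for line in dropped:
        print("dropped:", line)
```

Running the block prints both caches: the naive one holds the unsolicited `www.example.com` answer and the `amazon.com` record that rode along in an unrelated reply, while the checked one holds only the record that was actually asked for. The ID field in a real DNS header is 16 bits wide, so matching it is a thin defence on its own; the validation shown here is the part the thread discusses.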