Posted on Thursday, November 20th, 2008

Rogue DNS Servers on the Move

by Jose Nazario

Based on our internal malcode analysis, we have been able to identify netblocks of “rogue” DNS servers. These servers seem to hand out the correct answer for legitimate queries, but for typos (names that do not exist) they hand out an answer pointing at a server that *may* be malicious; that is not clear to me yet. Clearly this is a concern when you have active alteration of something as fundamental as DNS, even when the actor is otherwise perfectly trustworthy.

I’ve gone through a number of our identified rogue DNS servers following the demise of Atrivo and McColo to see where they all point. They all now point to a different network, but only to a handful of servers. Shown below are some spot tests with truly random garbage thrown at them; normal DNS servers reply with an NXDOMAIN error. The DNS server is on the left-hand side and the result for a junk query is on the right.

The second IP in each of those results is actually a fully functional web server. Folks whose machines use these DNS servers as the result of malcode will get Internet connectivity problems, just like this person. Those destination IPs all exist in an ISP named “SingleHop”; this network is otherwise not on my radar at this point, but I’ll have to keep an eye on it due to this suspicious behavior.
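The spot test described above, as an added example (not Arbor's tooling): a stdlib-only Python check that queries a resolver for a random name that cannot exist and flags it if it returns A records instead of NXDOMAIN. The wire-format helpers and the `probe` name are mine, and `build_response` only fabricates sample replies so the classifier can be exercised offline.

```python
import random, socket, string, struct

def build_query(name, qid=0x1234):
    """Standard A/IN query for `name` in DNS wire format, recursion desired."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def build_response(query, rcode, ips=()):
    """Constructed reply to `query` (QR|RD|RA + rcode, one A record per ip); offline samples only."""
    hdr = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip) for ip in ips)
    return hdr + query[12:] + rrs

def random_junk_name(tld="com", length=12):
    """A random label that cannot exist; a sane resolver must answer NXDOMAIN (rcode 3)."""
    return "".join(random.choices(string.ascii_lowercase, k=length)) + "." + tld

def skip_name(msg, off):
    """Advance past a name: length-prefixed labels, ended by 0x00 or a 2-byte 0xC0 pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def classify_response(msg):
    """'nxdomain' is normal; 'answered' plus the A records is the rogue behaviour."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    if flags & 0x0F == 3:
        return "nxdomain", ips
    return ("answered" if ips else "other"), ips

def probe(resolver, timeout=2.0):
    """Live check: one junk query over UDP to `resolver`, reply classified as above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(random_junk_name()), (resolver, 53))
        return classify_response(s.recv(512))
```

A resolver that comes back "answered" for several different junk names is rewriting negative answers, which is exactly what the table above records.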

7 Responses

Comment Post by: Liquidmatrix Security Digest » Security Briefing: November 21st — November 21st, 2008 @ 10:06 am EST

[...] Rogue DNS Servers on the Move | Security to the Core [...]

Comment Post by: Lyrix — November 25th, 2008 @ 6:31 pm EST

It took me forever to work this out. I’m not particularly an expert on computers, but I had a problem that all searches I made on Google redirected me to a phishing website when I clicked a link. Basically, it brought up the right searches, but every link was a phishing link. Eventually I had a problem with my internet and checked my IP config, and I saw my DNS server was pre-set to “85.255.112.123”. After changing it back to automatic, this no longer happened. It also prevented any Microsoft applications from downloading, and also AVG from updating. Nothing malicious, but I wanted to share my personal experience with you about it, because it was annoying.

Comment Post by: Devidas Khurd — December 7th, 2008 @ 5:00 pm EST

Currently I am facing the same problem with my internet connectivity. I checked my IP config; the DNS server is pre-set to 85.255.112.205. I have changed it, but no use. Still it’s pre-setting to 85.255.112.205.

Can anyone suggest how to resolve the same problem?

Comment Post by: Sascha — December 9th, 2008 @ 2:48 pm EST

Hey, I have the same shit problem!!!
The DNS is always on manual… no change to auto possible!
Need help.

Comment Post by: bayden — December 10th, 2008 @ 4:40 pm EST

This is malware, but removing it as of today is a problem. I have now seen this on 4 PCs in one office of about 40. My question is, can the internal DNS server be somehow populating clients (even if static, as I have tested) with DNS servers such as 85.255.113.112.91 and 85.255.113.91? The static setting does have the local DNS server, which is 192.168.0.10, and it does not use this address dynamically or statically.

Is this a global threat or vulnerability with Microsoft DNS servers?? Is there a way to block any inbound queries?

I’m experiencing same issues as listed above.

Regards,

Comment Post by: ckhown — December 10th, 2008 @ 11:10 pm EST

Me also, I have the same problem, DNS 85.255.112.61. I have tried to set back my original local DNS, but after restarting the PC it will automatically be set back to 85.255.112.61… anyone know how to kill this thing?

Comment Post by: Prabu — December 12th, 2008 @ 9:23 am EST

Hi guys.. I got this trojan too.. please let us know if there is any cure for this.. My system is running very slow because of this… can’t reinstall the computer as it is running very important programs.
