December 2008


Please read on for an important message to all ResNet users – even if you’ve left Bristol for the Christmas vacation.

Shortly before the end of term we had an outbreak of a nasty virus on ResNet, called DNSChanger. DNSChanger hijacks your Internet settings and redirects your traffic to malicious websites under the control of the attacker. For example, you might think you are going to Google, but actually you are going to a malicious website which will take control of your computer, try to steal your credit card numbers and bombard you with adverts. The virus spreads by passing on malicious configuration information to other computers on the same local network, like ResNet.

Even if you’ve left Bristol, please check now to see if your computer has a problem with this virus:

  1. Click Start (then Run in Windows XP), then type cmd in the box. A black command window should open.
  2. In the black command window type nslookup google.com
  3. Something like the following should be displayed:

Server: newsapphire.resnet.bris.ac.uk
Address: 137.222.223.236

Non-authoritative answer:
Name: google.com
Addresses: 209.85.171.100
           72.14.205.100
           74.125.45.100

We’re interested in the numbers on the second line (137.222.223.236 in our example). If you are on ResNet then these should start with 137.222 (the range for University of Bristol). If you are at home then they could start with anything.

If the address starts 85.255 then you may have a problem. This is a block of addresses in the Ukraine which the attackers are using. Do this further check:

  • Click Start (then Run in Windows XP), then type ncpa.cpl in the box.
  • Under the LAN or High-Speed Internet section, right-click the Local Area Connection and select Properties.
  • Highlight Internet Protocol Version 4 (for Vista) or Internet Protocol (for XP) and select Properties.
  • Click Advanced…
  • Click the DNS tab

If you saw 85.255 in nslookup but the DNS server addresses box is blank or has other numbers then the good news is that you are not infected (by this particular virus version). You did see 85.255 in nslookup though. This means that another computer on the same local network has passed on the wrong settings and websites you visit may not be what they appear. Shut down your computer and restart it later. Go back to the command prompt and type nslookup google.com – if the 85.255 address has gone you are now OK.

If you have any entries in the DNS server addresses box and they begin with 85.255 then unfortunately the DNSChanger virus is on your computer. Your computer is under remote control and you can’t trust any websites you visit – definitely don’t type in any credit card numbers as these will be monitored and stolen.

The only way to recover from this DNSChanger virus is to wipe and re-install your operating system from the original manufacturer’s CDs. We’ve not found any antivirus tools that can clean the system once infected (some tools do claim to clean DNSChanger, but only work against older versions, not this one). First backup any documents and other important work you need to keep, then follow the manufacturer’s instructions to wipe and reinstall. If you don’t have the original CDs phone the manufacturer – they should send you copies for a small postage charge.

General advice for all ResNet users

Before you come back to Bristol next term, please make sure your anti-virus software and Windows Updates are up-to-date. Go to Control Panel, Security Centre, and make sure everything is marked green.

Find your manufacturer’s recovery CDs while you are home for Christmas and bring them back to Bristol, just in case you need them.

Generally be suspicious and careful when using the Internet – is this website, email or instant message what it appears to be? If in doubt please ask. You can contact the IT Help Desk 24 hours a day, even over the vacation, on 0117 928 7870.

Update by Mark 18/12/2008

FAQs

Q1)    I have Mac OS X, does this affect my computer?

A1)    In general, OS X is unlikely to be compromised by DNSChanger, as it’s a Windows virus, but it’s possible to be using the rogue DNS servers if they were assigned to you by a compromised computer on your local network. On ResNet, requests to external DNS servers are now blocked, so you’ll just have a computer that won’t connect to any web sites, including this one!

It’s a good idea to check your current DNS server settings though:

  • In Finder, click Applications
  • Under Utilities, click Terminal
  • In the Terminal window, type one or both of the commands below until you get some information returned:
    ipconfig getpacket en0
    or
    ipconfig getpacket en1
  • Look for the domain_name_server IP address. Anything starting 85.255 is bad.

We have just lost all connectivity in Unite House. This is because of a complete power outage affecting all of Unite House. Western Power are aware of the problem and are working on a fix.

Power was restored at around 10:43am

2008-12-08: 16:23
We’re currently experiencing a malware outbreak on ResNet. There are a handful of computers which seem to be infected (possibly with a variant of DNSChanger) which are acting as fake DHCP servers. These are handing out the wrong IP addresses to other computers on ResNet. We believe the issue to be similar to the one recently reported on isc.sans.org.

We’re actively investigating the issue, and trying to find a way to identify the computers involved so that we can take them off the network.

The malware appears to be most active at Hiatt Baker at the moment, although we have seen related activity from other residences as well.

We will update this post as and when we have more information.

Update 17:40:

We’re not yet certain but we think this is a variation of a Trojan known as DNSChanger, Trojan.Flush.M, from a family of malware called Puper/Zlob. It tries to redirect traffic to fake sites in order to steal your information. We’ve now seen this problem in several different residences. More technical information about this particular trojan is available at TheRegister, McAfee Avert Labs blog and Symantec.

There are three ways in which this may cause a problem for you:

  • Your computer may be infected by the trojan, and actively trying to infect others. Your computer is effectively under remote control of someone else. You may notice problems, or may notice nothing at all.
  • Your computer may be clean, but an infected computer on the same network segment acting as a rogue DHCP server may have sent your computer incorrect configuration information. This causes your Internet traffic to be misdirected to fake web sites in an attempt to steal your passwords and credit card numbers. Your connection may stop working completely.
  • Your computer may be clean and with the correct configuration, but a misconfigured computer on the same network segment has been given the same IP address as yours. This may cause a message from Windows warning about an IP Address Conflict, and your connection may not work or may only work intermittently.

If your computer is infected then the file %Windir%\inf\ndisprot.inf will exist, and a Windows Service called “ArcNet NDIS Protocol Driver” will be running (NB: this is also running legitimately on some computers, but this is rare, so if you see it, it is likely that you are infected).

What you need to do: check if you are infected

Press Control+Alt+Delete, Choose Start Task Manager, click the Services tab, click Name to sort the services alphabetically, then look for ArcNet NDIS Protocol Driver in the list.

If you find it then disconnect your computer from the network immediately (unplug the cable or disable the wireless connection). Please contact the Help Desk for further advice, and tell them your computer probably has the DNSChanger Trojan.

What you need to do: if having problems with Internet access

Click Start, (then Run in Windows XP), then type cmd in the box. Type
ipconfig /all
at the command prompt. Look for all occurrences of DNS Servers (you may need to scroll back up to see them all). The DNS Servers should start with 137.222. If any DNS servers start 85. then your computer has been configured to use a rogue DNS server in an attempt to redirect your traffic.

Your computer may or may not be infected by the trojan itself, but another computer on the same network segment is. Be suspicious as sites may not be what they appear to be, and don’t enter any passwords or credit card numbers into websites.

Shut down and restart your computer – this may help you obtain the correct configuration from the network. Check ipconfig for the DNS Servers again. If the DNS Servers no longer start with 85. and start 137.222 then you are OK for now. If they don’t, then disconnect your computer from the network and try again a few hours later.
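As an added example (not code from the original post), this Python script automates the two checks the advisory describes: it pulls the answering resolver out of nslookup output and every DNS server out of ipconfig /all output, then classifies each against the 137.222 and 85.255 ranges named above. The ipconfig sample is constructed; its 85.255 addresses are made up but sit inside the block the advisory names.

```python
import ipaddress
import re

# Ranges taken from the advisory: ResNet resolvers are in 137.222.0.0/16; the
# rogue resolvers handed out during the DNSChanger outbreak were in 85.255.0.0/16.
RESNET_NET = ipaddress.ip_network("137.222.0.0/16")
ROGUE_NET = ipaddress.ip_network("85.255.0.0/16")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(addr):
    """'rogue' for the 85.255 block, 'resnet' for 137.222, 'other' otherwise."""
    ip = ipaddress.ip_address(addr)
    return "rogue" if ip in ROGUE_NET else "resnet" if ip in RESNET_NET else "other"


def resolver_from_nslookup(output):
    """The resolver that answered an nslookup query: the 'Address:' line right
    after 'Server:'. The 'Addresses:' in the answer section are not resolvers."""
    seen_server = False
    for line in output.splitlines():
        s = line.strip()
        if s.startswith("Server:"):
            seen_server = True
        elif seen_server and s.startswith("Address:"):
            m = IPV4_RE.search(s)
            return m.group(0) if m else None
    return None


def dns_servers_from_ipconfig(output):
    """Every address under 'DNS Servers' in 'ipconfig /all' output. Extra servers
    sit on unlabelled continuation lines; the next 'label : value' line ends them."""
    servers, in_dns = [], False
    for line in output.splitlines():
        if "DNS Servers" in line:
            in_dns = True
        elif in_dns and ":" in line:
            in_dns = False
        if in_dns:
            servers.extend(IPV4_RE.findall(line))
    return servers


# Constructed sample of the output the advisory tells users to inspect; the
# 85.255 addresses are made up but fall inside the block the advisory names.
IPCONFIG_SAMPLE = """Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 137.222.10.20
   DNS Servers . . . . . . . . . . . : 85.255.1.2
                                       85.255.1.3
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

Running `{s: classify(s) for s in dns_servers_from_ipconfig(IPCONFIG_SAMPLE)}` on the sample labels both resolvers as rogue, which is the case the advisory says means a reboot and, if it persists, a reinstall.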

What you need to do: If you receive a message about an IP address conflict

Go to MyResNet www.resnet.bristol.ac.uk/myresnet and choose the option to troubleshoot your account. Under connection information, check to see what your currently assigned IP address is. It should start 137.222. Use ipconfig /all at the command prompt (see above) to find out what your IP address or IPv4 address is. If the address is the same then your computer has the correct IP address, but another computer on the same network segment is incorrectly using yours. Disconnect from the network and try again a few hours later.

If the address is completely different and starts 172, don’t worry – these 172 addresses are legitimately assigned at times (for example when first registering for ResNet or if you exceed the fair usage policy).

Update (by Mark): 12/12/2008 @ 16:00

On Monday afternoon blocks were introduced to all external DNS servers on all ResNet networks. This seems to have controlled the outbreak but affected users are unable to access any web sites. We have seen several machines that were affected, discovering DNSChanger rootkits, although we don’t believe that these machines were the root cause of the problem – they are just innocent victims. The only option for affected/infected machines is to rebuild them back to manufacturer defaults.

This malware is particularly difficult to detect unless we have physical access to the affected network segment. We have placed a monitoring system on the most recently infected network segment (Hiatt Baker Hall) in the hope that the problem machine(s) reappear. As we are now on the last day of term it is probable that we won’t see this problem any time soon. It is quite likely that re-registration will be required at the beginning of next term because we can modify the ResNet Security Checker to detect statically configured DNS servers, this being indicative of an infected machine.
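The monitoring system mentioned above is not described in detail; as an added illustration (my own code, not the ResNet team’s), the Python below shows what such a segment monitor would check in each DHCP OFFER it captures: the server-identifier and DNS-server options are parsed out and any value outside ResNet is reported, which is exactly what a rogue offer carrying 85.255 resolvers would trigger. It assumes that all legitimate ResNet DHCP servers and resolvers live in 137.222.0.0/16; the offers it is fed are constructed fixtures and nothing is sent on the network.

```python
import ipaddress

# Assumption for this example: legitimate ResNet DHCP servers and resolvers are
# in 137.222.0.0/16 (the advisory only says addresses "should start 137.222").
# The rogue offers in the outbreak carried 85.255.x.x resolvers instead.
LEGIT_NET = ipaddress.ip_network("137.222.0.0/16")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255


def parse_dhcp_options(packet):
    """{code: value} for the TLV options after the 236-byte BOOTP header and the
    4-byte magic cookie. Pad (0) carries no length; End (255) stops parsing."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        opts[packet[i]] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def addrs(raw):
    """Split an option value holding whole IPv4 addresses into address objects."""
    return [ipaddress.IPv4Address(raw[k:k + 4]) for k in range(0, len(raw) // 4 * 4, 4)]


def rogue_offer_reasons(packet):
    """Why a DHCPOFFER looks rogue: server identifier or DNS servers outside
    ResNet. Empty list means it looks legitimate; non-OFFER packets are ignored."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MSG_TYPE) != b"\x02":  # message type 2 = DHCPOFFER
        return []
    reasons = []
    for label, code in (("server identifier", OPT_SERVER_ID), ("DNS server", OPT_DNS)):
        for a in addrs(opts.get(code, b"")):
            if a not in LEGIT_NET:
                reasons.append("%s %s outside ResNet" % (label, a))
    return reasons


def sample_offer(server_ip, dns_ips):
    """Constructed DHCPOFFER fixture (op=2, rest of header zeroed); never sent."""
    raw_dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_ips)
    options = (bytes([OPT_MSG_TYPE, 1, 2])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
               + bytes([OPT_DNS, len(raw_dns)]) + raw_dns + bytes([OPT_END]))
    return b"\x02" + bytes(235) + MAGIC_COOKIE + options
```

Feeding `sample_offer("137.222.1.1", ["85.255.1.2"])` to `rogue_offer_reasons` reports the 85.255 resolver while an offer whose options all sit in 137.222 returns an empty list.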

Any machines that are currently not working on ResNet are likely to appear fine once connected to your ISP at home (because you won’t have the restrictions that we’ve put in place on ResNet). If you have been infected then you will have a DNS server in the 85 range (see above for details of how to check). If you do have this DNS server range then you cannot trust any site you visit, especially any site that requires personal information such as usernames and passwords. The only current option is to reinstall your operating system.