Malware outbreak on ResNet
2008-12-08: 16:23
We're currently experiencing a malware outbreak on ResNet. There are a handful of computers which seem to be infected (possibly with a variant of DNSChanger) and which are acting as fake DHCP servers. These are handing out the wrong IP addresses to other computers on ResNet. We believe the issue to be similar to the one recently reported on isc.sans.org.
We're actively investigating the issue, and trying to find a way to identify the computers involved so that we can take them off the network.
The malware appears to be most active at Hiatt Baker at the moment, although we have seen related activity from other residences as well.
We will update this post as and when we have more information.
Update 17:40:
We're not yet certain but we think this is a variation of a Trojan known as DNSChanger, Trojan.Flush.M, from a family of malware called Puper/Zlob. It tries to redirect traffic to fake sites in order to steal your information. We've now seen this problem in several different residences. More technical information about this particular trojan is available at TheRegister, the McAfee Avert Labs blog and Symantec.
There are three ways in which this may cause a problem for you:
- Your computer may be infected by the trojan, and actively trying to infect others. Your computer is effectively under remote control of someone else. You may notice problems, or may notice nothing at all.
- Your computer may be clean, but an infected computer on the same network segment acting as a rogue DHCP server may have sent your computer incorrect configuration information. This causes your Internet traffic to be misdirected to fake web sites in an attempt to steal your passwords and credit card numbers. Your connection may also stop working completely.
- Your computer may be clean and with the correct configuration, but a misconfigured computer on the same network segment has been given the same IP address as yours. This may cause a message from Windows warning about an IP Address Conflict, and your connection may not work or may only work intermittently.
If your computer is infected then the file %Windir%\inf\ndisprot.inf will exist, and a Windows Service called "ArcNet NDIS Protocol Driver" will be running (NB: this service is also present legitimately on a few computers, but that is rare, so if you see it you are most likely infected).
What you need to do: check if you are infected
Press Control+Alt+Delete, Choose Start Task Manager, click the Services tab, click Name to sort the services alphabetically, then look for ArcNet NDIS Protocol Driver in the list.
If you find it then disconnect your computer from the network immediately (unplug the cable or disable the wireless connection). Please contact the Help Desk for further advice, and tell them your computer probably has the DNSChanger Trojan.
What you need to do: if having problems with Internet access
Click Start, (then Run in Windows XP), then type cmd in the box. Type
ipconfig /all
at the command prompt. Look for all occurrences of DNS Servers (you may need to scroll back up to see them all). The DNS Servers should start with 137.222. If any DNS server starts with 85. then your computer has been configured to use a rogue DNS server in an attempt to redirect your traffic.
Your computer may or may not be infected by the trojan itself, but another computer on the same network segment is. Be suspicious as sites may not be what they appear to be, and don't enter any passwords or credit card numbers into websites.
Shut down and restart your computer - this may help you obtain the correct configuration from the network. Check the DNS Servers in ipconfig again. If they no longer start with 85. and now start with 137.222 then you are OK for now. If they don't, disconnect your computer from the network and try again a few hours later.
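As an added example (not part of the original ResNet post), the following Python script automates the ipconfig /all check above. It parses the command's output, lists each adapter's DNS servers, and flags any that fall outside 137.222.0.0/16 (the rogue servers in this outbreak started with 85.). It also reports adapters whose DNS servers were typed in by hand rather than learned from DHCP, which is the statically-configured-DNS indicator the 12/12 update proposes for the ResNet Security Checker. The script name, the sample output, the adapter names and every address in it are constructed for illustration, not taken from ResNet.

```python
"""Check `ipconfig /all` output for rogue or hand-configured DNS servers.

Added example, not code from the ResNet post.  On the affected PC save the
output (ipconfig /all > ipconfig.txt) and run: python check_dns.py ipconfig.txt
With no argument it runs against the constructed SAMPLE below.
"""
import ipaddress
import re
import sys

# From the post: ResNet DNS servers start 137.222.; the rogue ones started 85.
CAMPUS_NET = ipaddress.ip_network("137.222.0.0/16")
ROGUE_NET = ipaddress.ip_network("85.0.0.0/8")

# "   Key . . . . : value" lines; XP and Vista both pad keys with dot leaders.
_KV = re.compile(r"^\s+([A-Za-z][^:]*?)\s*(?:\.\s*)+:\s*(.*)$")
_ADAPTER = re.compile(r"^(\S.*adapter .*):\s*$", re.IGNORECASE)


def parse_ipconfig(text):
    """Return {adapter name: {lower-cased field: [values]}}.  Multi-valued
    fields (DNS Servers) continue on indented lines carrying only a value."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = _ADAPTER.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:                 # global header before the first adapter
            continue
        m = _KV.match(line)
        if m:
            last_key = m.group(1).strip().lower()
            values = current.setdefault(last_key, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
        elif line.startswith(" ") and line.strip() and last_key:
            current[last_key].append(line.strip())
    return adapters


def _ip(value):
    """Leading IP address of a value; Vista appends '(Preferred)' to addresses."""
    try:
        return ipaddress.ip_address(value.split("(")[0].strip())
    except ValueError:
        return None


def check_adapter(fields):
    """Classify one adapter as ('ok' | 'rogue-dns' | 'static-dns' | 'no-dns', [dns])."""
    dhcp_on = (fields.get("dhcp enabled") or ["Yes"])[0].lower().startswith("y")
    dns = [ip for ip in map(_ip, fields.get("dns servers", [])) if ip is not None]
    if not dns:
        return "no-dns", dns
    if not dhcp_on:
        # DNS typed in by hand rather than learned from DHCP: the indicator the
        # 12/12 update proposes for the ResNet Security Checker.
        return "static-dns", dns
    if all(ip in CAMPUS_NET for ip in dns):
        return "ok", dns
    return "rogue-dns", dns


def check_ipconfig(text):
    """Map each adapter in ipconfig output to its (verdict, dns) pair."""
    return {name: check_adapter(f) for name, f in parse_ipconfig(text).items()}


# Constructed sample (all addresses made up): one adapter poisoned by a rogue
# DHCP server, one with DNS set statically, one healthy.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : student-pc

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 137.222.10.23
        DHCP Server . . . . . . . . . . . : 137.222.10.200
        DNS Servers . . . . . . . . . . . : 85.0.0.1
                                            85.0.0.2
        Lease Obtained. . . . . . . . . . : 08 December 2008 16:01:12

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 137.222.11.40
        DNS Servers . . . . . . . . . . . : 85.0.0.1

Ethernet adapter Local Area Connection 2:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 137.222.12.7
        DHCP Server . . . . . . . . . . . : 137.222.1.1
        DNS Servers . . . . . . . . . . . : 137.222.8.20
                                            137.222.8.21
"""

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for name, (verdict, dns) in check_ipconfig(text).items():
        note = " <- 85.x rogue range seen on ResNet" if any(ip in ROGUE_NET for ip in dns) else ""
        print("%-45s %-10s %s%s" % (name, verdict, ", ".join(map(str, dns)), note))
```

Note that "rogue-dns" with DHCP enabled points at a rogue DHCP server on the segment (the second case in the list above), while "static-dns" means the machine itself has been reconfigured, which on a student PC is far more likely to be the trojan than a deliberate setting.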
What you need to do: If you receive a message about an IP address conflict
Go to MyResNet www.resnet.bristol.ac.uk/myresnet and choose the option to troubleshoot your account. Under connection information, check to see what your currently assigned IP address is. It should start 137.222. Use ipconfig /all at the command prompt (see above) to find out what your IP address or IPv4 address is. If the address is the same then your computer has the correct IP address, but another computer on the same network segment is incorrectly using yours. Disconnect from the network and try again a few hours later.
If the address is completely different and starts 172, don't worry - these 172 addresses are legitimately assigned at times (for example when first registering for ResNet or if you exceed the fair usage policy).
Update (by Mark): 12/12/2008 @ 16:00
On Monday afternoon blocks were introduced to all external DNS servers on all ResNet networks. This seems to have controlled the outbreak, but affected users are unable to access any web sites. We have seen several machines that were affected, on which we discovered DNSChanger rootkits, although we don't believe that these machines were the root cause of the problem - they are just innocent victims. The only option for affected/infected machines is to rebuild them back to manufacturer defaults.
This malware is particularly difficult to detect unless we have physical access to the affected network segment. We have placed a monitoring system on the most recently infected network segment (Hiatt Baker Hall) in the hope that the problem machine(s) reappear. As we are now on the last day of term it is probable that we won't see this problem any time soon. It is quite likely that re-registration will be required at the beginning of next term because we can modify the ResNet Security Checker to detect statically configured DNS servers, this being indicative of an infected machine.
Any machines that are currently not working on ResNet are likely to appear fine once connected to your ISP at home (because you won't have the restrictions that we've put in place on ResNet). If you have been infected then you will have a DNS server in the 85 range (see above for details of how to check). If you do have this DNS server range then you cannot trust any site you visit, especially any site that requires personal information such as usernames and passwords. The only current option is to reinstall your operating system.
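Identifying the offending machine means catching the rogue DHCPOFFERs on the segment itself. As an added example (not the ResNet team's monitoring system, whose details the post does not give), the following Python script parses raw DHCP payloads as a segment listener would hand them over and flags an OFFER whose server identifier is not a known ResNet DHCP server, whose DNS option points outside 137.222.0.0/16, or which hands out an address outside that range. The trusted-server address, the client MAC and the two offers are constructed test data built by the script itself, not captured traffic. Tying a flagged offer to a switch port still needs the source MAC of the Ethernet frame, which lives outside the DHCP payload parsed here; and a rogue server handing out an address that is merely duplicated (the IP conflict case above) cannot be spotted from one offer in isolation.

```python
"""Flag rogue DHCPOFFERs by server identifier and offered DNS/IP. Added example."""
import ipaddress
import struct

CAMPUS_NET = ipaddress.ip_network("137.222.0.0/16")
# Assumption: the real ResNet DHCP server for the monitored segment (made-up address).
TRUSTED_DHCP_SERVERS = {ipaddress.ip_address("137.222.10.5")}

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options (RFC 2132)
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
BOOTREPLY, DHCPOFFER = 2, 2


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message into fixed fields plus {option: raw bytes}.
    Raises ValueError on anything malformed so a listener can drop junk safely."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = ipaddress.ip_address(payload[16:20])      # address being offered
    chaddr = payload[28:28 + min(hlen, 16)]            # client hardware address
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = data
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def _addr_list(data):
    """Decode an option carrying one or more packed IPv4 addresses."""
    return [ipaddress.ip_address(data[i:i + 4]) for i in range(0, len(data) - len(data) % 4, 4)]


def classify_offer(msg, trusted=TRUSTED_DHCP_SERVERS):
    """Return ('trusted' | 'rogue' | 'ignored', [reasons]) for a parsed message."""
    opts = msg["options"]
    if msg["op"] != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return "ignored", []                 # DISCOVER/REQUEST/ACK are not judged here
    reasons = []
    sid = opts.get(OPT_SERVER_ID)
    server = ipaddress.ip_address(sid) if sid and len(sid) == 4 else None
    if server not in trusted:
        reasons.append("server identifier %s is not a known ResNet DHCP server" % server)
    bad_dns = [ip for ip in _addr_list(opts.get(OPT_DNS, b"")) if ip not in CAMPUS_NET]
    if bad_dns:
        reasons.append("DNS servers outside 137.222/16: " + ", ".join(map(str, bad_dns)))
    if msg["yiaddr"] not in CAMPUS_NET:
        reasons.append("offered address %s is not a ResNet address" % msg["yiaddr"])
    return ("rogue" if reasons else "trusted"), reasons


def build_offer(xid, client_mac, yiaddr, server_id, dns, router):
    """Build a minimal DHCPOFFER payload. Test-data generator only, not captured traffic."""
    a = ipaddress.ip_address
    fixed = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    fixed += bytes(4) + a(yiaddr).packed + a(server_id).packed + bytes(4)  # ciaddr yiaddr siaddr giaddr
    fixed += client_mac + bytes(10) + bytes(64) + bytes(128)              # chaddr(16) sname file
    dns_packed = b"".join(a(d).packed for d in dns)
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + a(server_id).packed
            + bytes([OPT_ROUTER, 4]) + a(router).packed
            + bytes([OPT_DNS, len(dns_packed)]) + dns_packed
            + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + opts


# Constructed samples: the real server's offer and a rogue one from an infected PC.
CLIENT_MAC = bytes.fromhex("001122334455")
LEGIT_OFFER = build_offer(0x1234, CLIENT_MAC, "137.222.10.23", "137.222.10.5",
                          ["137.222.8.20", "137.222.8.21"], "137.222.10.1")
ROGUE_OFFER = build_offer(0x1234, CLIENT_MAC, "137.222.10.23", "137.222.10.200",
                          ["85.0.0.1", "85.0.0.2"], "137.222.10.1")

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        msg = parse_dhcp(pkt)
        verdict, reasons = classify_offer(msg)
        print("%s xid=%#x server_id=%s -> %s %s" % (label, msg["xid"],
              ipaddress.ip_address(msg["options"][OPT_SERVER_ID]), verdict, reasons))
```

The rogue offer here carries a 137.222 address from a PC that itself got its lease from the real server, which is why the check keys on the server identifier option and the DNS option rather than on the source address alone; Monday's blocks on external DNS servers stop the redirect, but only a listener on the segment sees who is sending the offers.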