4

This malware directs your computer to use DNS servers under the control of the bad guys. These DNS servers were taken over by the FBI. They were replaced with clean ones, to prevent service disruption, but this taxpayer-funded service will be discontinued July 9.

Sites like Google and dns-ok.us have some way of knowing whether you are infected with the DNS Changer malware, so they can warn you and help you fix the problem so you don't lose internet when July 9 arrives.

Am I correct in assuming that they use the following model to detect this?

  1. The DNS servers the FBI replaced look up the IP address for an example domain. (such as dns-ok.us)
  2. The dns-ok DNS servers know whether or not this is one of those DNS Changer / FBI-replaced servers. If it is, it provides the IP address for infected visitors, otherwise it provides the one for clean visitors.
  3. Using the destination IP address of the incoming request, the web page is able to know whether to show the "you are infected" message.

This would require separating clean from not clean with one of the following:

  • Separate servers
  • Separate network interfaces (physical or virtual, point is to hold separate IPs)
  • A router with different port forwarding for each of the two (types of) IPs.

Or is there a more elegant solution they are using? Or is FBI cooperation involved?

700 Software
  • 13,807
  • 3
  • 52
  • 82

2 Answers

3

All of this depends on the DNS resolution. If the request goes through the 'good server', then you will get the green-page. If your settings are bad, you will get the red-page.

You can check your DNS settings by typing ipconfig /all in your command line. Here you can see the list of the bad settings.

To check how it works you could use nslookup.

nslookup dns-ok.us 8.8.8.8 - this one returns Address: 38.68.193.96 and traffic goes through the 'good server'.

nslookup dns-ok.us 64.28.176.0 - this one returns Address: 38.68.193.97 and traffic goes through the 'bad server' (from the linked list).

Now type those addresses into your URL bar: http://38.68.193.97 http://38.68.193.96 and compare the results.

Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
p____h
  • 1,527
  • 7
  • 11
0

Google's and "dns-ok.us" DNS servers can detect queries coming from the bad DNS server IP address (using a "match-client" view in the BIND software). In matching queries, the answers are modified to give an IP address for a webserver showing the warning message, rather than the normal webserver.

For example: dig www.google.com @64.28.176.0 shows:

www.google.com.         334428  IN      CNAME   www.l.google.com.
www.l.google.com.       229     IN      CNAME   www-infected.l.google.com.
www-infected.l.google.com. 226  IN      A       216.239.32.6
Jez
  • 1
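The detection model in the question (resolver-dependent answer, then a web page chosen by the address the request arrived on) and the BIND view mechanism described in the second answer can both be shown in a few dozen lines. The block below is an added example, not code from the question's author, either answerer, Google, or the dns-ok.us operators. It assumes: the single rogue resolver address on the page, 64.28.176.0, widened to a constructed /20 range standing in for the published rogue-resolver list; the two web addresses quoted in the first answer (.96 clean, .97 infected); and hypothetical function names such as `select_view` and `classify_visitor`. The catch-all view with an empty ACL plays the role of BIND's default "any" match.

```python
import ipaddress

# Constructed ACL. The page names one rogue resolver, 64.28.176.0; it is
# widened to a /20 here purely for illustration. A real deployment would
# carry the published list of rogue-resolver networks.
ROGUE_RESOLVER_NETS = [ipaddress.ip_network("64.28.176.0/20")]

# Web-server addresses quoted in the first answer.
CLEAN_ADDR = "38.68.193.96"
INFECTED_ADDR = "38.68.193.97"

# BIND-style views: (name, match-clients ACL, address to hand out).
# An empty ACL stands for "any", the catch-all view. Order matters: the
# first view whose ACL matches the querying resolver wins, so the rogue
# view must come before the default one.
VIEWS = [
    ("infected", ROGUE_RESOLVER_NETS, INFECTED_ADDR),
    ("clean", [], CLEAN_ADDR),
]

CHECK_DOMAIN = "dns-ok.us"


def select_view(resolver_ip):
    """Return the view name a match-clients setup would pick for a query
    arriving from resolver_ip (the recursive resolver, not the end user)."""
    src = ipaddress.ip_address(resolver_ip)
    for name, acl, _ in VIEWS:
        if not acl or any(src in net for net in acl):
            return name
    raise RuntimeError("no view matched")  # unreachable with a catch-all view


def answer_a_record(qname, resolver_ip):
    """Authoritative A answer for the check domain, chosen by view.
    Returns None for any other name, mirroring an NXDOMAIN."""
    if qname.rstrip(".").lower() != CHECK_DOMAIN:
        return None
    view = select_view(resolver_ip)
    return next(addr for name, _, addr in VIEWS if name == view)


def page_for_destination(dest_ip):
    """Web side of the trick: the server picks the page from the local
    address the HTTP connection landed on. One host with two addresses is
    enough; no separate machines or router rules are required."""
    return {CLEAN_ADDR: "clean", INFECTED_ADDR: "infected"}.get(dest_ip, "unknown")


def classify_visitor(resolver_ip):
    """End to end: the visitor's resolver asks for dns-ok.us, the browser
    connects to whatever address came back, and the page served is the verdict."""
    addr = answer_a_record(CHECK_DOMAIN, resolver_ip)
    return page_for_destination(addr)


def flag_rogue_resolvers(configured_resolvers):
    """Local check equivalent to reading the DNS servers from `ipconfig /all`:
    which of a machine's configured resolvers fall inside a rogue range."""
    return [r for r in configured_resolvers
            if any(ipaddress.ip_address(r) in net for net in ROGUE_RESOLVER_NETS)]


if __name__ == "__main__":
    for resolver in ("8.8.8.8", "64.28.176.0"):
        print(resolver, "->", answer_a_record(CHECK_DOMAIN, resolver),
              "->", classify_visitor(resolver))
    print(flag_rogue_resolvers(["192.168.1.1", "64.28.180.5"]))
```

Note that the authoritative server only ever sees the address of the recursive resolver, which is exactly why the method works: an infected machine queries through a rogue resolver, so the query source lands in the rogue ACL regardless of the user's own IP. The ordering of `VIEWS` is the one real pitfall; with the catch-all view first, every query would be answered from the clean view.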