
I've found that some .gov sites are being redirected to a Chinese IP. I have searched across the Internet to see if this is a known form of malware, but I'm unable to find any info. I would like someone to guide me to isolate the infected files and report them to AV if applicable.

This is an nslookup resolution from the infected computer:

```
C:\Users\Alex>nslookup www.whitehouse.gov
Servidor:  google-public-dns-a.google.com
Address:  8.8.8.8

Respuesta no autoritativa:
Nombre:  www.whitehouse.gov
Address:  139.129.57.70
```

This is a valid response from a Linux computer in the same network:

```
alex@nas:~$ nslookup www.whitehouse.gov
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
www.whitehouse.gov      canonical name = wildcard.whitehouse.gov.edgekey.net.
wildcard.whitehouse.gov.edgekey.net     canonical name = e4036.dscb.akamaiedge.net.
Name:   e4036.dscb.akamaiedge.net
Address: 104.83.16.193
```

As you can see, something is interfering with the DNS requests and redirecting to 139.129.57.70, which is a Chinese IP. I think this computer is infected by some kind of malware made to impersonate gov sites and leak info.

Any clue about which files may be infected?

  • Have you looked at the hosts file for the infected computer? It is quite common for these to be tampered with as a result of malware installation. – DKNUCKLES Nov 21 '17 at 13:38
  • Well, that is something I will do in some days if I'm unable to find what is doing this. – Alex Nov 21 '17 at 13:44
  • Could you share the tracert 8.8.8.8 result of both the Linux and Windows machines? Also, if you nslookup with another DNS server other than Google, is it the same? – JackSparrow Nov 21 '17 at 13:55
  • [Content Delivery Networks](https://en.wikipedia.org/wiki/Content_delivery_network). Look them up. :) – Mark Buffalo Nov 21 '17 at 14:46
  • I'm voting to close this question as off-topic because it is a networking and/or configuration problem and not security-related. – Tobi Nary Nov 21 '17 at 17:20
  • @SmokeDispenser Technically, it is security-related, given the political implications of why this might exist in the first place. :P – Mark Buffalo Nov 21 '17 at 17:43
  • Does Mueller know about this? – Nov 21 '17 at 22:34
  • Try `ipconfig /flushdns` and run nslookup again. As Simon mentioned, also monitor the hosts file and see if any entries are there. – eMarcel Nov 21 '17 at 14:50
  • @SmokeDispenser The question is whether the OP is experiencing DNS spoofing or not, which seems decidedly security-related to me. That the answer happens to be "No, instead your router was configured incorrectly" doesn't make the question itself not security-related. Also, even if this question were deemed off-topic here, voting to migrate to SuperUser would seem to make more sense than voting to close. – reirab Nov 22 '17 at 08:21
  • @reirab, in the Stack Exchange software a vote to migrate is a specific type of vote to close as off-topic. You cannot vote to migrate without voting to close. – Peter Taylor Nov 22 '17 at 11:21
  • @PeterTaylor Technically true, but it's a different option ("this question belongs on another site within the StackExchange network," not the "does not fit within the scope defined in the help center" option). – reirab Nov 22 '17 at 12:57
  • Use `nslookup www.whitehouse.gov.` with a trailing dot to avoid search domains. – eckes Nov 23 '17 at 22:23

3 Answers


Content Delivery Network

This is probably part of a Content Delivery Network with a lot of political issues to consider.

If you try `dig www.whitehouse.gov a`, underneath the answer section you'll see the following:

```
www.whitehouse.gov. 131 IN  CNAME   wildcard.whitehouse.gov.edgekey.net.
wildcard.whitehouse.gov.edgekey.net. 731 IN CNAME e4036.dscb.akamaiedge.net.
e4036.dscb.akamaiedge.net. 20   IN  A   23.73.28.110
```

See the CNAME addresses? Try `host -t A www.whitehouse.gov` for a better explanation:

```
www.whitehouse.gov is an alias for wildcard.whitehouse.gov.edgekey.net.
wildcard.whitehouse.gov.edgekey.net is an alias for e4036.dscb.akamaiedge.net.
e4036.dscb.akamaiedge.net has address 23.73.28.110
```

Do you notice that I'm getting a different IP address than you? Note the wildcard*edge* portion? What is that? It's an edge server which is supposed to be closest to you.

Are you using a VPN on your Linux machine, or Windows Machine? Maybe one that's in Hong Kong, Hangzhou, or somewhere else in East Asia? Maybe your router is configured to use a VPN, or go through TOR?

The IP address you received belongs to Aliyun Computing Co. Ltd, which is part of the Alibaba Cloud/CDN suite.

But wait, how did we get an Aliyun Cloud/CDN (Alibaba) IP address from Akamai? Aren't they competitors?

Again, are you using a VPN on your Linux machine, or Windows Machine? Maybe one that's in Hong Kong, Hangzhou, or somewhere else in East Asia? Maybe your router is configured to use a VPN, or go through TOR?

Akamai does operate in China, but...

Want to make money in China? You have to follow Beijing's rules. I think we just found something embarrassing for Akamai: in order to operate in China, they were likely forced into a partnership with them.

To do business in China, almost all foreign companies were previously required to hand over control of their intellectual property to a joint Chinese partner to be allowed to operate in the country.

Let's look at the IP you gave us: `whois 139.129.57.70 | grep -i 'Ali\|Hangzhou'`:

```
netname:        ALISOFT
descr:          Aliyun Computing Co., LTD
descr:          No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
address:        NO.969 West Wen Yi Road, Yu Hang District, Hangzhou
e-mail:         jiali.jl@alibaba-inc.com
address:        No.391 Wen'er Road, Hangzhou City
e-mail:         anti-spam@list.alibaba-inc.com
e-mail:         cloud-cc-sqcloud@list.alibaba-inc.com
address:        Hangzhou, Zhejiang, China
address:        No.391 Wen'er Road, Hangzhou City
e-mail:         guowei.pangw@alibaba-inc.com
```

In this case, the Akamai partner is likely Alibaba/Aliyun. This allows the Chinese government, if they so desire, to serve malicious content to visitors by way of the CDN.

Every single CDN is, in my opinion, MITM as a service.

Wireshark? You might be doing it wrong.

What if you did have a DNS hijacking/MITM issue of some sort? If you want to use Wireshark, you probably cannot do a packet capture between your router and computer unless the problem exists primarily on your Windows 10 machine. You'd simply be receiving whatever your router provides you with.

If there is no problem with your Windows 10 machine, then using Wireshark on your computer will likely not provide you any meaningful information. What if your router has been compromised?

What you could do is put a switch with port mirroring capabilities between your gateway and your router, and use the port mirror to see what's going on. Or a LAN throwing star. This way, you can see what your router is sending and receiving, and compare that to what Wireshark sees.

  • Well, I'm in Spain, and getting the Chinese IP as the resolution was what put me on alert that something was going on. You are right about Wireshark: in case of a serious infection that wouldn't have been the right place to see the raw packets. But at least this time it has helped me to see that my computer was asking for www.whitehouse.gov.casa instead of www.whitehouse.gov; then I realised my DNS suffix in my router's DHCPd is .casa (I know now that it is not good practice to put arbitrary names in a LAN DNS suffix). – Alex Nov 21 '17 at 17:03
  • It's also possible that the rest of the CDNs were overloaded/down/having a problem, and you got routed to the nearest possible CDN, although that is somewhat unlikely. – Mark Buffalo Nov 21 '17 at 17:06
  • Slightly less plausible, but also IP blocks are bought and sold regularly and whois may not be up to date. – Steve Nov 21 '17 at 18:03
  • @Alex: Nicely done! In the future you can also try putting an extra period after the domain name to do the lookup without the suffix (e.g. `nslookup www.whitehouse.gov.`). – user541686 Nov 21 '17 at 18:05
  • @Alex This is interesting to me. Did you purchase the router with the `.casa` settings? `gov.casa`, interestingly enough, belongs to a State-Owned Enterprise in China, Alibaba. I would love to investigate this issue if you could provide us with a make/model of the router. – Mark Buffalo Nov 21 '17 at 20:28
  • @Mark: No, "casa" means "home/house" in Spanish. I manually configured that DNS suffix long ago for my home LAN and never had problems with it until some days ago. Btw my router is a Linksys E4200 with a custom firmware that I installed (Tomato RAF) that I've been using for at least 2 years without changing its config. – Alex Nov 21 '17 at 20:51
  • "MITM as a service" LOL! This sounds almost as useful as [/dev/null as a service](https://devnull-as-a-service.com/). – reirab Nov 22 '17 at 08:28
  • When you want to offload TLS termination, or DDoS protection, or log processing, or edge caching, to someone else, "MitM as a service" is a very useful thing. ;) As always, you have to make these decisions within a specific threat model, and with large amounts of trust in your partner. It's very similar in many respects to renting server space from a datacenter. – Xiong Chiamiov Nov 22 '17 at 21:47
  • @XiongChiamiov I agree, I'm just trying to inject humor into this. :-P – Mark Buffalo Nov 22 '17 at 21:53
  • "hand over control of their intellectual property to a joint Chinese partner" is a bit misleading. Companies aren't _forced_ to hand over any tech nor anything like that, but they need to partner up with a local company to be able to operate there. That doesn't mean that you are forced to give your source code or your hardware blueprints to them. It is an administrative rule, not a tech one. I've worked in a lab once that dealt with business with China and we never once had to give them control of any of our research material or patented tech. – T. Sar Nov 23 '17 at 10:35
  • Also, China is already a default market to produce top tech devices, like iPhones, some gaming consoles, a _lot_ of the hardware used in general computing, several types of mass-produced lab equipment, etc. China has an industrial power that several first-world countries don't. They aren't as bad a partner as some people love to make them appear to be. – T. Sar Nov 23 '17 at 10:44
  • @T.Sar I'm not sure that's a bit misleading: when you partner up with a local company in China, they will have access to pretty much all your intellectual property. You've essentially handed it over. Numerous companies have experienced the same issue. As for being a bad partner, there are definitely some good partnerships, but not all of them are sunshine and roses. – Mark Buffalo Nov 23 '17 at 16:36
  • @MarkBuffalo When you partner up with anyone, anywhere, they will have access to your IP anyway. This argument boils down to "partnerships are bad", which is silly in itself. Anyone that decides to partner up with a company in the US will have the same issue, but this time with a different flag. Keep in mind that joining forces is different from "handing over control". Access isn't control. – T. Sar Nov 23 '17 at 17:23
  • @T.Sar I believe there's a big difference between being forced to partner, and choosing to partner. – Mark Buffalo Nov 23 '17 at 17:29
  • @MarkBuffalo Nobody is forced to pick China. If you want to play with them, you need to play by their rules. What is worrisome isn't that China forces you to share. What is worrisome is that giving access to your IP to China is a better option to develop your business than doing so locally. – T. Sar Nov 23 '17 at 17:33
  • @T.Sar I'm in agreement with you. :) – Mark Buffalo Nov 23 '17 at 19:38

Well, I've installed Wireshark and applied a DNS filter to see what was happening. When I do the nslookup from Windows to whitehouse.gov I can see in Wireshark that it is appending (without showing it to me) my home DNS suffix (.casa).

Then I tried from the Linux machine to resolve anything.gov.casa and it resolved to the said Chinese IP.

So I'm pretty sure the problem here is that Windows is silently appending my home DNS suffix (.casa) to gov domains. Why it has started doing this I don't know; this suffix has been configured in my Tomato RAF router for many years, and this behaviour has started happening in the last few days. Some days ago I visited jpl.nasa.gov without problems to see some pictures, so this change is very recent.

Maybe the problem is in the .casa TLD, which may have gone public in the last few days, or some change in a recent Windows 10 update, but it is definitely not a security-related problem.

Thanks all for the advice.

  • How did you stumble upon the change? Why do you conclude that it has been recent from your being able to visit a valid .gov website? It could come from a reverse proxy and be delivered to you nonetheless; there seems to be a DNS mismatch. – Tobi Nary Nov 21 '17 at 16:40
  • Well, I went to my router admin webpage and edited the DNS suffix (it was .casa; I changed it to .intranet). Then I turned the network connection off/on on Windows and it is resolving the gov domains right. I know I'm not doing well by putting a suffix that is not a domain I own; I've read about that. This is just a temporary solution and a test to see if this definitely solved the DNS resolution behaviour. – Alex Nov 21 '17 at 16:51
  • Casa is a valid TLD, by the way, since 2014. So this is solely a networking problem. – Tobi Nary Nov 21 '17 at 17:17
  • Yes, and in fact gov.casa isn't new. It was registered in Nov 2016. What I don't know is if the owner recently added a DNS wildcard or it's just a Windows change that made this behaviour happen now. – Alex Nov 21 '17 at 17:34
  • Don't invent new fake TLDs. `.lan` is reserved for this purpose; use it. – R.. GitHub STOP HELPING ICE Nov 22 '17 at 05:36
  • Wildcarding - I bet this wasn't ever a problem in the past, and your router/PC was simply wasting a DNS lookup every time searching for whatever.casa, which didn't exist. But now it does. This has caught out my Fortune 50 employer too. One solution is to buy your own domain name and use it internally, avoiding anyone else gaining control of it. – Criggie Nov 22 '17 at 20:44
  • @R.. could you clarify which RFC specifies the `.lan` TLD as reserved? – AlexD Nov 28 '17 at 14:17
  • @AlexD: First Google result for "lan tld" was https://miketelahun.wordpress.com/2012/09/16/stop-using-local-as-the-top-level-domain-for-your-lan/ and it has a comment citing [RFC 2606](https://tools.ietf.org/html/rfc2606), but I don't see any text reserving `.lan` there... So maybe it's widely spread misinformation? I'll continue to look. – R.. GitHub STOP HELPING ICE Nov 28 '17 at 16:26
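As an added example (not code from this thread or its participants), the following Python script models the two mechanisms the answers describe: the CNAME chain shown in Mark Buffalo's dig output, and the search-suffix appending that Alex found with Wireshark, where a wildcard under gov.casa answers before the real name is ever queried. The zone data is constructed from the addresses quoted in the thread, the wildcard record and the suffix-first query order are assumptions, and wildcard_probe is the check Alex ran by hand (resolving anything.gov.casa) made repeatable with a random label.

```python
"""Added example, not from the original thread: an offline model of a stub
resolver appending a DNS search suffix, and of a wildcard under that suffix
(*.gov.casa here) capturing every unqualified .gov lookup."""
import secrets

# Constructed records standing in for the real network: the CNAME chain and
# Akamai address from the question's Linux output, plus an assumed wildcard
# under gov.casa pointing at the address the Windows box received.
FAKE_ZONE = {
    "www.whitehouse.gov.": ("CNAME", "wildcard.whitehouse.gov.edgekey.net."),
    "wildcard.whitehouse.gov.edgekey.net.": ("CNAME", "e4036.dscb.akamaiedge.net."),
    "e4036.dscb.akamaiedge.net.": ("A", "104.83.16.193"),
    "*.gov.casa.": ("A", "139.129.57.70"),
}

def fake_lookup(fqdn, depth=0):
    """Address for an absolute name, following CNAMEs and DNS wildcards,
    or None for NXDOMAIN."""
    rec = FAKE_ZONE.get(fqdn)
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        if rec is None:  # try *.parent, *.grandparent, ... like a wildcard RR
            rec = FAKE_ZONE.get("*." + ".".join(labels[i:]) + ".")
    if rec is None:
        return None
    rtype, value = rec
    if rtype == "CNAME":
        return fake_lookup(value, depth + 1) if depth < 8 else None  # loop guard
    return value

def candidates(name, search_list):
    """Query names in order. A trailing dot marks the name as fully qualified,
    so no suffix is appended (the trick eckes and user541686 mention).
    Otherwise every suffix is tried before the bare name, the order this
    thread observed on Windows (assumption: other resolvers may differ)."""
    if name.endswith("."):
        return [name]
    return [f"{name}.{s.strip('.')}." for s in search_list] + [name + "."]

def resolve(name, search_list, lookup=fake_lookup):
    """First positive answer along the candidate list: (queried_name, ip)."""
    for fqdn in candidates(name, search_list):
        ip = lookup(fqdn)
        if ip is not None:
            return fqdn, ip
    return None, None

def wildcard_probe(suffix, zone="gov", lookup=fake_lookup):
    """A random, never-registered label under <zone>.<suffix> must not resolve;
    if it does, a wildcard will answer every unqualified <anything>.<zone>."""
    return lookup(f"{secrets.token_hex(6)}.{zone}.{suffix.strip('.')}.")
```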

First I would have a look at the C:\Windows\System32\drivers\etc\hosts file. If you find listings for some .gov domains (or others; by default it's empty) that should not be listed there, then that's why the DNS did not work properly.

From the file itself:

This file contains the mappings of IP addresses to host names

But I also advise you, as Luc said, to reinstall the computer: if there is a virus editing the hosts file (which is only possible with admin rights), it could do much worse stuff.

  • Yes, I checked the hosts file before posting. The file has not been modified. In fact, something I've realised is that if I try nslookup with a non-existent gov domain (e.g. www.dasdasdsadsa.gov) it also resolves to 139.129.57.70. – Alex Nov 21 '17 at 13:45
  • Oh, and also something I've seen is that the resolution takes like 1-2 seconds; it is not immediate, which makes me suspect that it is not coming from local. – Alex Nov 21 '17 at 13:49
  • There is something *very* wrong with your computer if (the somewhat misnamed) nslookup is returning entries from your hosts file. – symcbean Nov 21 '17 at 17:04
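To make the hosts-file check from this answer repeatable, here is an added Python example (not from the answer or its author) that parses a file in the Windows hosts format and lists every mapping that is not a loopback entry. The sample content, including its injected .gov line, is constructed for the demo.

```python
"""Added example, not from the answer above: parse a Windows hosts file
(the format of C:\\Windows\\System32\\drivers\\etc\\hosts) and report every
mapping that is not a plain loopback entry, which is what the answer says
to look for. The file content below is constructed for the demo."""
import ipaddress

# Constructed sample: the stock comment line, the usual loopback names, a
# malformed line, and one injected line pinning .gov names to a foreign
# address (the address quoted in the question, used only as sample data).
SAMPLE_HOSTS = """\
# This file contains the mappings of IP addresses to host names
127.0.0.1       localhost
::1             localhost
not-an-ip       broken.example
139.129.57.70   www.whitehouse.gov whitehouse.gov   # injected
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs. '#' starts a comment, whitespace separates
    fields, and one address may be followed by several host names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in fields[1:]:
            yield str(ip), host.lower().rstrip(".")

def suspicious_entries(text):
    """Mappings other than 'localhost' on a loopback address. A stock
    Windows hosts file carries only comments, so anything returned here
    was added by someone (or something) and deserves a look."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if not (host == "localhost" and ipaddress.ip_address(ip).is_loopback)]
```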