Unidentified Malware detected by DNS resolver behaviour.

Discussion in 'Malware Help (A Specialist Will Reply)' started by burgoslu, Jul 8, 2008.

  1. burgoslu

    burgoslu Private E-2

    I have three PCs and when executing the flushdns + displaydns commands on a clean PC I got the following output:
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    H:\>ipconfig /flushdns

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    H:\>ipconfig /displaydns

    Windows IP Configuration

    1.0.0.127.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.127.in-addr.arpa.
    Record Type . . . . . : 12
    Time To Live . . . . : 506625
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record . . . . . : localhost


    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live . . . . : 506625
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1

    H:\>
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    When executing the same commands on an infected PC I got an output as the following:

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    C:\Documents and Settings\Tracy>ipconfig/flushdns

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    C:\Documents and Settings\Tracy>ipconfig/displaydns

    Windows IP Configuration

    virgiio.it
    ----------------------------------------
    Record Name . . . . . : virgiio.it
    Record Type . . . . . : 1
    Time To Live . . . . : 603198
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1


    www.virdgilio.it
    ----------------------------------------
    Record Name . . . . . : www.virdgilio.it
    Record Type . . . . . : 1
    Time To Live . . . . : 603198
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1


    www.tuttograatis.it
    ----------------------------------------
    Record Name . . . . . : www.tuttograatis.it
    Record Type . . . . . : 1
    Time To Live . . . . : 603198
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1


    liberok.it
    ----------------------------------------
    Record Name . . . . . : liberok.it
    Record Type . . . . . : 1
    Time To Live . . . . : 603198
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1


    internet-optimizer.com
    ----------------------------------------
    Record Name . . . . . : internet-optimizer.com
    Record Type . . . . . : 1
    Time To Live . . . . : 603198
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1


    spermatrix.com
    ----------------------------------------
    Record Name . . . . . : spermatrix.com
    Record Type . . . . . : 1
    Time To Live . . . . : 603198
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1


    Etc…

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I know I see that output because the hosts file contains those entries pointing to the local address (127.0.0.1), and I know that means the PCs are infected by some malware that cannot be identified, as none of the antivirus products I run (NAV, PANDA, KASPERSKY, etc.) or rootkit detectors (GMER, SOPHOS), etc., seem to detect anything wrong with the PCs, and even reinstalling Windows XP without reformatting the hard disk did not fix the problem.

So I know it is a very stealthy malware and that the next step is to reformat the disk and reinstall XP. However, there is one notebook whose CD drive is kaput and I don't see how to perform the reformat/reinstallation on that system, so I need help to try to identify this nasty bug and fix it if possible.

All the PCs are now powered off and isolated from the internet, and I prefer to keep them that way as much as possible, until I have fixed them and verified that they are clean.

I have seen those DNS entries reported on other forums but I don't seem to find any indication of the malware that is causing them. Any idea?

    Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Welcome to Major Geeks!

It's not malware. It is just due to these entries being in the hosts file. This is normal behavior. For example, go add the below to your hosts file:

    127.0.0.1 chaslang.com

    Now run the same command and notice that you will see this new entry in your displaydns output. ;) Now delete the new entry and flushdns and then displaydns and see that it is gone.
     
  3. burgoslu

    burgoslu Private E-2

    That is not normal behaviour.

Of the 8000+ entries that I had in the hosts file pointing to 127.0.0.1 only a few of them appear in the displaydns output. Usually very similar ones which are known malware sites.

    This is caused by some kind of malware trying to connect to those sites.

    Although I have not identified the exact Trojan, this is most likely what is happening:

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Troj/Torpig-BF monitors network activity for submissions to one of several banking sites, in order to steal account details. The Trojan also searches local disks for passwords for email accounts and similar. Any details obtained in this manner are submitted to a remote attacker using HTTP POST.

    The Trojan runs a proxy server on a randomly-chosen TCP port between 1000 and 10000, allowing a remote attacker to route TCP or HTTP traffic through the infected computer.
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
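The Sophos description quoted above gives one concrete, checkable behaviour: a proxy listening on a random TCP port between 1000 and 10000, reachable by a remote attacker. That is something `netstat -ano` on XP can show directly, and it is a check that does not depend on any antivirus signature. The following Python script is an added example for this thread, not code from the original posts or from Sophos; it parses saved `netstat -ano` output and separates in-range listeners bound to all interfaces or a LAN address (the ones a remote attacker could reach) from ones bound only to loopback. The netstat rows, PIDs and port numbers embedded in it are constructed, and a hit only gives you a PID to look up with `tasklist`, since legitimate Windows components (RPC/DCOM endpoints, for one) also listen above port 1024.

```python
"""Triage `netstat -ano` output for TCP listeners in the 1000-10000 range.

Added example for this forum thread, not code from the original posts or
from any vendor. The netstat rows below are constructed; the PIDs and the
port 5431 are illustrative, not real Torpig indicators.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto local_ip port pid")

# One `netstat -ano` row in LISTENING state: proto, local ip:port, foreign, state, pid
_LISTEN_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Sockets bound here are not reachable from another machine.
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample in the column layout `netstat -ano` prints on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5431           0.0.0.0:0              LISTENING       1720
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1136
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:3821        198.51.100.23:80       ESTABLISHED     1720
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_listeners(text):
    """Return every TCP socket in LISTENING state as a Listener tuple."""
    found = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            proto, ip, port, pid = m.groups()
            found.append(Listener(proto, ip, int(port), int(pid)))
    return found


def flag_listeners(listeners, low=1000, high=10000):
    """Split in-range listeners into remotely reachable vs. loopback-only.

    A proxy that lets a remote attacker relay traffic through the box has
    to bind a non-loopback address, so `exposed` is the list to chase first.
    """
    exposed, local_only = [], []
    for lst in listeners:
        if not (low <= lst.port <= high):
            continue
        (local_only if lst.local_ip in LOOPBACK else exposed).append(lst)
    return exposed, local_only


if __name__ == "__main__":
    exposed, local_only = flag_listeners(parse_listeners(SAMPLE_NETSTAT))
    for lst in exposed:
        print(f"CHECK  pid {lst.pid}: listening on {lst.local_ip}:{lst.port} (reachable from the network)")
    for lst in local_only:
        print(f"local  pid {lst.pid}: listening on {lst.local_ip}:{lst.port} (loopback only)")
```

On a real machine, save the output with `netstat -ano > netstat.txt` while it is still offline, feed that file to `parse_listeners`, and resolve each flagged PID with `tasklist /fi "PID eq <pid>"`; the same PID showing an outbound connection in the ESTABLISHED rows (as PID 1720 does in the sample) is worth noting, but the PID-to-image mapping is the evidence, not the port number.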
     
  4. burgoslu

    burgoslu Private E-2

By the way, I first noticed this because I have configured my PC to block any user access for a long time after 3 login failures. And then when I proceeded to shut it down it advised me to confirm the shutdown since there was a remote connection running.

So I know something/somebody was trying to connect to it. Whether they succeeded or not I cannot tell. But that it has been attacked I can guarantee you.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Did you try adding 127.0.0.1 chaslang.com to your hosts file, and didn't you notice that it shows up when you run displaydns? It is not being added by malware. Not all of the lines in your hosts file will show up when you do a display. Only some of them, including the ones you listed. I can easily demonstrate this on any of my PCs right now just by adding in a huge hosts file from Spybot and then doing a displaydns. All of the items you mentioned will show, and more. See the quote box below which shows my output after adding a Spybot hosts file. But not all 8000. I believe it may be related to which exist and which do not.

    Here is my output from displaydns after adding the hosts file entries from Spybot
    Code:
    C:\Documents and Settings\charlie>ipconfig /displaydns
    Windows IP Configuration
             virgiio.it
             ----------------------------------------
             Record Name . . . . . : virgiio.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.virdgilio.it
             ----------------------------------------
             Record Name . . . . . : www.virdgilio.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.tuttograatis.it
             ----------------------------------------
             Record Name . . . . . : www.tuttograatis.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.rosaoalice.it
             ----------------------------------------
             Record Name . . . . . : www.rosaoalice.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             paginegialler.it
             ----------------------------------------
             Record Name . . . . . : paginegialler.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             liberok.it
             ----------------------------------------
             Record Name . . . . . : liberok.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.l8bero.it
             ----------------------------------------
             Record Name . . . . . : www.l8bero.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.errari.it
             ----------------------------------------
             Record Name . . . . . : www.errari.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.corroiere.it
             ----------------------------------------
             Record Name . . . . . : www.corroiere.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.corrieere.it
             ----------------------------------------
             Record Name . . . . . : www.corrieere.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.mylimewirenetwork.com
             ----------------------------------------
             Record Name . . . . . : www.mylimewirenetwork.com
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.download-all-area.com
             ----------------------------------------
             Record Name . . . . . : www.download-all-area.com
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             de98.remsys.org
             ----------------------------------------
             Record Name . . . . . : de98.remsys.org
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.justcount.net
             ----------------------------------------
             Record Name . . . . . : www.justcount.net
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.searchfromyourbrowser.net
             ----------------------------------------
             Record Name . . . . . : www.searchfromyourbrowser.net
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.adtrak.net
             ----------------------------------------
             Record Name . . . . . : www.adtrak.net
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             spywarebot-t.com
             ----------------------------------------
             Record Name . . . . . : spywarebot-t.com
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.axemediasoftware.com
             ----------------------------------------
             Record Name . . . . . : www.axemediasoftware.com
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             internet-optimizer.com
             ----------------------------------------
             Record Name . . . . . : internet-optimizer.com
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.energy-factor.com
             ----------------------------------------
             Record Name . . . . . : www.energy-factor.com
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             httpwwwads.com
             ----------------------------------------
             Record Name . . . . . : httpwwwads.com
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             spermatrix.com
             ----------------------------------------
             Record Name . . . . . : spermatrix.com
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             spy-bot.com
             ----------------------------------------
             Record Name . . . . . : spy-bot.com
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.virgklio.it
             ----------------------------------------
             Record Name . . . . . : www.virgklio.it
             Record Type . . . . . : 1
             Time To Live  . . . . : 584240
             Data Length . . . . . : 4
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
     
             www.roogle.it
             ----------------------------------------
             Section . . . . . . . : Answer
             A (Host) Record . . . : 127.0.0.1
    

The below will help us find out if you have malware issues. It will easily detect Torpig if it exists.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

    READ & RUN ME FIRST. Malware Removal Guide
     
    Last edited: Jul 10, 2008
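The point chaslang makes in his two replies (the Windows DNS Client service loads hosts-file entries into the resolver cache, so seeing them in `ipconfig /displaydns` is not evidence that anything looked those names up) is worth turning into a check, because the same dump does carry a useful signal in the other direction: cached names that are *not* in the hosts file were resolved by some process on the box, and hosts lines that send a name to an address other than loopback are the classic banking-trojan hosts hijack. The following Python script is an added example for this thread, not code from the original posts or from MajorGeeks; it parses a saved `ipconfig /displaydns` dump and a hosts file and classifies each cached A record as a hosts preload, a hosts mismatch, or a genuine resolution. The cache dump and hosts file embedded in it are constructed to match the format shown in the thread; the bank and update names and the 198.51.100.x / 203.0.113.x addresses are placeholders, not real hosts.

```python
"""Cross-check `ipconfig /displaydns` output against the hosts file.

Added example for this forum thread, not code from the original posts.
The cache dump and hosts file below are constructed to match the format
the thread shows; the bank/update names and addresses are placeholders.
"""
import re
from collections import defaultdict, namedtuple

CacheRecord = namedtuple("CacheRecord", "name rtype data")

# Addresses a blocklist-style hosts file legitimately points names at.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

_NAME_RE = re.compile(r"^\s*Record Name[\s.]*:\s*(\S+)")
_TYPE_RE = re.compile(r"^\s*Record Type[\s.]*:\s*(\d+)")
_DATA_RE = re.compile(r"^\s*(?:A \(Host\) Record|AAAA Record|CNAME Record|PTR Record)[\s.]*:\s*(\S+)")

# Constructed sample: four cached records in `ipconfig /displaydns` layout.
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    virgiio.it
    ----------------------------------------
    Record Name . . . . . : virgiio.it
    Record Type . . . . . : 1
    Time To Live . . . . : 603198
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1

    liberok.it
    ----------------------------------------
    Record Name . . . . . : liberok.it
    Record Type . . . . . : 1
    Time To Live . . . . : 3600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.9

    www.example-bank.test
    ----------------------------------------
    Record Name . . . . . : www.example-bank.test
    Record Type . . . . . : 1
    Time To Live . . . . : 603198
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.7

    update.example.test
    ----------------------------------------
    Record Name . . . . . : update.example.test
    Record Type . . . . . : 1
    Time To Live . . . . : 1800
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.5
"""

# Constructed hosts file: a few blocklist lines plus one hijacked name.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       virgiio.it
127.0.0.1       www.virdgilio.it
127.0.0.1       liberok.it
203.0.113.7     www.example-bank.test   # bank name pinned to a foreign IP
"""


def parse_hosts(text):
    """Map lowercase hostname -> set of IPs, ignoring comments and blanks."""
    hosts = defaultdict(set)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            hosts[name.lower().rstrip(".")].add(fields[0])
    return dict(hosts)


def parse_displaydns(text):
    """Parse `ipconfig /displaydns` output into CacheRecord tuples."""
    records, name, rtype = [], None, None
    for line in text.splitlines():
        if m := _NAME_RE.match(line):
            name, rtype = m.group(1).lower().rstrip("."), None
        elif m := _TYPE_RE.match(line):
            rtype = int(m.group(1))
        elif (m := _DATA_RE.match(line)) and name is not None:
            records.append(CacheRecord(name, rtype, m.group(1)))
            name = None  # the data line closes the block
    return records


def triage(records, hosts):
    """Classify cached A records: hosts-preload (name and address match a
    hosts line, no lookup happened), hosts-mismatch (hosts has the name
    but a different address), or resolved (not in hosts, so a process
    on this machine actually asked for it)."""
    verdict = {}
    for r in records:
        if r.rtype != 1:  # only A records; PTR/CNAME/AAAA are skipped here
            continue
        if r.name not in hosts:
            verdict[r.name] = "resolved"
        elif r.data in hosts[r.name]:
            verdict[r.name] = "hosts-preload"
        else:
            verdict[r.name] = "hosts-mismatch"
    return verdict


def suspicious_hosts_entries(hosts):
    """Hosts lines that send a name somewhere other than loopback or null."""
    return {n: ips for n, ips in hosts.items() if not ips <= LOOPBACK}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name, verdict in triage(parse_displaydns(SAMPLE_DISPLAYDNS), hosts).items():
        print(f"{verdict:15} {name}")
    for name, ips in suspicious_hosts_entries(hosts).items():
        print(f"HOSTS HIJACK?   {name} -> {', '.join(sorted(ips))}")
```

On a real XP box, capture `ipconfig /displaydns > cache.txt` while the machine is still offline and point `parse_hosts` at C:\WINDOWS\system32\drivers\etc\hosts; the "resolved" bucket is the one that tells you something on the machine made a lookup, and the hijack list is the one to compare against the original Spybot hosts file.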
  6. burgoslu

    burgoslu Private E-2

OK, I'll do as you said. But I am starting to feel sick with flu today, so it might be a few days before I post the results. It might truly be as you said regarding the DNS resolver, but I'll also do some testing on a reformatted system and I'll let you know the results.

    Thanks for the help.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is for sure. I already know this which is why I stated in my first message to you that it was not malware. I'm just showing you a way to prove it to yourself. You can add your hosts file to 20 different PCs and you will see the same end result that you had with your PC.
     
