Rogue DNS Servers on the Move

By: Jose -

Based on our internal malcode analysis, we have been able to identify netblocks of “rogue” DNS servers. These servers seem to hand out the correct answer for proper queries, but for typos (names that do not exist) they hand out a server address that *may* be malicious; it’s not clear to me yet. Clearly this is a concern when you have active alterations of something as fundamental as DNS, even when the actor is otherwise perfectly trustworthy.

I’ve gone through a number of our identified rogue DNS servers following the demise of Atrivo and McColo to see where they all point. They all now point to a different network, and to only a handful of servers. Shown below are some spot tests with truly random garbage thrown at them; a normal DNS server replies to such a query with an NXDOMAIN error, whereas these hand back an address. The DNS server is on the left hand side and the result for the junk query is on the right.


The IP returned for the junk query is actually a fully functional web server. Folks whose machines have been pointed at these DNS servers by malcode will get Internet connectivity problems, just like this person. Those destination IPs all sit in a network belonging to an ISP named “SingleHop”; this network is otherwise not on my radar at this point, but I’ll have to keep an eye on it due to this suspicious behavior.
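The junk-query spot test described above, written out as an added example (this is not code from the original post or from Arbor): it builds a DNS A query for a random nonexistent name, parses the raw response, and flags a resolver that answers with an A record instead of NXDOMAIN. The `fake_response` helper and the 192.0.2.20 address are constructed stand-ins so the script runs offline.

```python
import random, string, struct

def build_query(name, txid=0x1234):
    """Minimal DNS A query in wire format with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def random_junk_name(tld="com", length=16):  # a label no registry should have delegated
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length)) + "." + tld

def skip_name(buf, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += n + 1

def classify_response(resp):
    """Return (rcode name, list of A-record addresses) parsed from a raw DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return {0: "NOERROR", 3: "NXDOMAIN"}.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F)), addrs

def is_rogue_answer(resp):
    """Junk name resolving to an A record instead of NXDOMAIN: the rogue-resolver signature."""
    rcode, addrs = classify_response(resp)
    return rcode == "NOERROR" and bool(addrs)

def fake_response(query, rcode, addr=None):
    """Constructed response (not a capture): echo the question, set RCODE, add an optional A answer."""
    hdr = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    body = query[12:]  # question section copied verbatim
    if addr:  # answer name is a pointer to offset 12 (the question name), TTL 60, 4-byte rdata
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes(int(o) for o in addr.split("."))
    return hdr + body
```

To check a live resolver, send the bytes from `build_query(random_junk_name())` to it over UDP port 53 and pass the reply to `is_rogue_answer`; a consistent `True` for several random names is the behavior the post describes.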

Comments

  1. It took me forever to work this out. I’m not particularly an expert on computers, but I had a problem that all searches I made on Google redirected me to a phishing website when I clicked a link. Basically, it brought up the right searches, but every link was a phishing link. Eventually I had a problem with my internet and checked my IP config, and I saw my DNS server was pre-set to “85 . 255 . 112 . 123”. After changing it back to automatic, this no longer happened. It also prevented any Microsoft applications from downloading, and also AVG from updating. Nothing malicious, but I wanted to share my personal experience with you about it, because it was annoying.

  2. Devidas Khurd 12/07/2008, 5:00 pm

    Currently I am facing the same problem with my internet connectivity. I checked my IP config; the DNS server is preset to 85 . 255 . 112 . 205. I have changed it, but it is no use. It still presets itself to 85 . 255 . 112 . 205.

    Can anyone suggest how to resolve this problem?

  3. Hey, I have the same shit problem!!!
    The DNS is always on manual… no change to auto possible!
    Need help.

  4. This is malware, but removing it as of today is a problem. I have now seen this on 4 PCs in one office of about 40. My question is, can the internal DNS server somehow be populating clients (even if static, as I have tested) with DNS servers such as 85.255.113.112.91 and 85.255.113.91? The static setting does have the local DNS server, which is 192.168.0.10, and it does not use this address dynamically or statically.

    Is this a global threat or vulnerability with Microsoft DNS servers?? Is there a way to block any inbound queries?

    I’m experiencing same issues as listed above.

    Regards,

  5. I also have the same problem, DNS 85.255.112.61. I have tried to set back my original local DNS, but after restarting the PC it automatically sets back to 85.255.112.61… anyone know how to kill this thing?

  6. Hi guys.. I got this trojan too.. please let us know if there is any cure to this.. My system is running very slow because of this… can’t reinstall the computer as this is running very important programs.

  7. Dirtbags got me too. 1. On another machine, download Microsoft Windows Defender and the ‘Malicious Software Removal Tool’ to a USB / pen drive. 2. On the infected machine, change your DNS and install the two apps. Run them and you should be right.
    There are other articles on the net for Malwarebytes, but I could not get these running with the infection. Windows Defender picks up this one but misses plenty more. Tool of choice for this mission.