64.94.110.11: The VeriSign Hijack

Prologue: I am well aware that this topic will lend itself to angry ranting. As this is GQ, please try to restrain yourself until we’ve answered the question at hand. Once that’s been accomplished, I will request that the thread be moved to the Pit so that spleen may be fully and justifiably vented at the unlubricated corpsefuckers who screwed up my PC (and many other things as well). Thanks in advance for your understanding.

So here’s the scoop.

I come in to work this morning and log onto my machine per the normal routine. Right away I notice that it’s extremely slow; it takes several minutes to get from the logon to a functional desktop. I’m assuming there’s some sort of network latency, as sometimes happens, and that when I finally get into email I’ll find an announcement from the gurus explaining what’s going on.

But no, there’s no announcement. And what’s worse, I can’t touch any of my company’s internal web servers. Not the intranet, not the web apps for batch job management or trouble ticket administration, or anything. Instead, I get a generic-looking message about an “internet server” and “cannot validate name.” My co-worker is not having the same problem. Something about it tickles the back of my mind, but I can’t put a finger on it.

I fire up a command window and try pinging and tracerting the web servers. Instead of the expected path, I get the bottom-most value from my TCP/IP “append suffix” config panel, plus an oddball IP address: 64.94.110.11. Again, I get a tickle, but I can’t place it.

So I go into my network properties and check out the local area TCP/IP settings, and I find that the default, “obtain DNS server address automatically,” has been switched to “use the following” with another oddball address in the “preferred” box. I doublecheck it in the command window with an ipconfig/all, and sure enough, my DNS server value is pointed outside the network instead of where it’s supposed to be, at my company’s internal DNS library. I have no idea how this happened; I certainly didn’t change it.

So I correct the TCP/IP settings, and I do an ipconfig/release and /renew, and like magic, I’m back in business. But I’m still getting that nagging tickle, so I’m off to Google to see if there’s any information on this mysterious 64.94.110.11 value.

And: Oh, right, it’s that. The short version: VeriSign has tweaked name resolution protocols on the web in order to route unknown names to its own site as a means of self-promotion.

The mystery, though, is how my TCP/IP settings got changed. I run my full suite of hack-detection tools; the only thing that comes up is in SpyBot, which identifies a “data source object exploit” located in “internet settings\zones.” There isn’t any additional information available, but it sounds like it might be connected, so I kill it to be on the safe side. Now I just have to eyeball my computer every time I turn it on for the next few days to make sure there isn’t some sort of registry hack hiding somewhere that’s designed to change the settings back to the incorrect values.

I know I didn’t do anything dangerous to expose myself to an obvious hack. I don’t open unusual attachments; I don’t visit websites outside the trusted mainstream; I’m quite scrupulous about immediately enabling and installing all the security patches and virus packs that get pushed to my workstation by our network admins. And yet, somehow, my TCP/IP settings were monkeyed with, and my company web servers were temporarily lost to me as a result.

That’s my question: How?

P.S. Just to repeat, please save your vitriol for the shitsniffers at VeriSign until the question has been fully answered and this thread moved to the Pit. Then you can plow them a new anal fissure to your heart’s content. But not until then, please. Thanks.
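The check the original poster did by hand (eyeballing `ipconfig /all` for a resolver that is not the company's internal DNS) can be scripted. The following is an added example, not code from the thread: it parses the "DNS Servers" block of a Windows `ipconfig /all` dump and flags any resolver that falls outside an allow-list of internal address ranges. The sample `ipconfig` text and the trusted ranges are constructed for the demo; 69.57.146.14 is the rogue resolver address reported later in this thread.

```python
"""Detect a tampered client DNS configuration from `ipconfig /all` output.

Added example (not from the thread). Parses the "DNS Servers" lines that
Windows prints and reports any resolver outside the corporate ranges,
which is the symptom described by the original poster.
"""
import ipaddress
import re

# Constructed: address ranges where this hypothetical company's internal
# DNS servers live. A real deployment would load these from configuration.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of `ipconfig /all` as Windows 2000/XP prints it.
# The first resolver is the rogue address reported in the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 10.1.2.33
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.2.1
        DHCP Server . . . . . . . . . . . : 10.1.0.5
        DNS Servers . . . . . . . . . . . : 69.57.146.14
                                            10.1.0.53
"""

# "DNS Servers . . . : <addr>" carries the first resolver; further resolvers
# follow on indented lines that contain nothing but an IPv4 address.
_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
_CONT_LINE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(ipconfig_text):
    """Return the configured DNS server addresses, in the order listed."""
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            m = _CONT_LINE.match(line)
            if m:
                servers.append(m.group(1))
                continue
            in_dns_block = False  # any other line ends the block
    return servers


def rogue_resolvers(servers, trusted_nets=TRUSTED_RESOLVER_NETS):
    """Return the resolvers that sit outside every trusted network."""
    rogue = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            rogue.append(s)  # an unparsable entry is itself suspicious
            continue
        if not any(addr in net for net in trusted_nets):
            rogue.append(s)
    return rogue


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print("configured resolvers:", found)
    print("outside trusted ranges:", rogue_resolvers(found))
```

On a real machine you would feed the script the captured output of `ipconfig /all`; running it at logon is one way to catch a setting that has been flipped back after cleanup, which is the follow-up worry the poster describes.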

We’re fighting this problem right now, and because of my computer knowledge I’ve been called off doing a research project to help get some people reconnected.

Let me explain our problem - our problem, as far as I can tell, is that typically we have numerous telecommuters (like myself) who connect to work via VPN at home. So when they boot up they get their DNS info from their ISP, and then they VPN. Well, what seems to be happening, and we’re not sure exactly why, is that before if someone typed in an intranet URL (such as “mail.company.com”) which was an intranet-only URL, their PC would go to their local ISP DNS, fail, then try the DNS over the VPN connection.

Well, thanks to the Verisign hijack, instead of getting a “not valid” and retry of the second DNS from the ISP, they get redirected to Verisign’s name pimping thingy.

Now me, I fixed it because I know all the IPs and made a hosts file that got around the issue. However, many people not only can’t do this, they are not “Admins” of XP, and thus are left essentially helpless (we limit average users so much they can’t even update their anti-virus software with Liveupdate even if we are under open attack - is that the dumbest thing you’ve heard today???)

Thus, as a result, I’ve been able to do almost no work all day and have been running around helping these VPs and senior managers, as well as other scientists, to get back in. There has been a lot of lost productivity because of this.
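The failure mode this post describes (the client only falls through to the VPN-side resolver on a "no such name" answer, and a wildcard turns that answer into a real address) can be shown with a small simulation. This is an added example, not code from the post or from any vendor: a toy client tries resolvers in order, moves on only on NXDOMAIN, and then the same client with the known wildcard address treated as "no such name" gets its fallback back. The resolver tables and the 198.51.100.10 and 10.20.30.40 addresses are constructed; 64.94.110.11 is the SiteFinder address reported in the thread.

```python
"""Simulate the telecommuter lookup path and the wildcard's effect on it.

Added example (not from the thread). A Windows client queries its resolvers
in order and consults the next one only when the previous returns NXDOMAIN.
With the .com wildcard in place the ISP resolver never returns NXDOMAIN
for an intranet-only .com name, so the VPN-side resolver is never asked.
"""

SITEFINDER_ADDR = "64.94.110.11"   # wildcard address reported in the thread
NXDOMAIN = None                    # "no such name" answer


class Resolver:
    """Toy resolver: a name table plus, optionally, the address that the
    public tree behind it hands out for any name it does not know."""

    def __init__(self, name, table, wildcard=NXDOMAIN):
        self.name = name
        self.table = table
        self.wildcard = wildcard

    def lookup(self, hostname):
        if hostname in self.table:
            return self.table[hostname]
        return self.wildcard


def resolve_with_fallback(hostname, resolvers, treat_as_nxdomain=()):
    """Ask each resolver in turn; fall through only on NXDOMAIN.

    treat_as_nxdomain: addresses the client refuses to accept as a genuine
    answer (the mitigation), so it moves to the next resolver instead.
    Returns (address, name of the resolver that answered).
    """
    for r in resolvers:
        answer = r.lookup(hostname)
        if answer is NXDOMAIN or answer in treat_as_nxdomain:
            continue
        return answer, r.name
    return NXDOMAIN, None


# Constructed resolver tables. The ISP resolver knows public names only;
# the corporate resolver reached over the VPN knows the intranet name.
PUBLIC_NAMES = {"www.example.com": "198.51.100.10"}
ISP_BEFORE = Resolver("isp-before-wildcard", PUBLIC_NAMES)
ISP_AFTER = Resolver("isp-after-wildcard", PUBLIC_NAMES, wildcard=SITEFINDER_ADDR)
CORP = Resolver("corp-vpn", {"mail.company.com": "10.20.30.40"})


def lookup_before_wildcard(hostname):
    """How the post says it used to work: ISP first, corp on NXDOMAIN."""
    return resolve_with_fallback(hostname, [ISP_BEFORE, CORP])


def lookup_broken(hostname):
    """Same client order with the wildcard live: corp is never consulted."""
    return resolve_with_fallback(hostname, [ISP_AFTER, CORP])


def lookup_mitigated(hostname):
    """Client treats the wildcard address as NXDOMAIN, restoring fallback."""
    return resolve_with_fallback(hostname, [ISP_AFTER, CORP],
                                 treat_as_nxdomain={SITEFINDER_ADDR})


if __name__ == "__main__":
    for fn in (lookup_before_wildcard, lookup_broken, lookup_mitigated):
        print(f"{fn.__name__:24s} mail.company.com -> {fn('mail.company.com')}")
```

The mitigation modelled here is the same idea as a hosts-file override or a filtering resolver: stop the wildcard address from counting as a real answer so the ordinary "not found, try the next server" logic applies again.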

Here is the Verisign Statement

This is actually pretty cool. It finds my domain if I mis-type it several ways.

I agree though, too bad they can’t do this for web traffic only and allow pings, tracert, nslookup, etc to fail as usual.

Does this thing handle mis-addressed e-mail too?

I just tested it - I get a normal bounce message for a bad e-mail address.

BTW, the Verisign page is not (yet?) advertising anything…

E-mails sent to non-existent domains are now given a “temporary error” code, requiring your mail server to keep trying to send the e-mail until it times out. Thus, it can take up to a day before you get a bounce message back, where it used to be instant. This also breaks spam filters that check to see if e-mails are coming from legit domains, as a domain check simply CAN’T fail anymore.

I’d like to bounce this inquiry, as I had the problem this morning. I understand the root wildcard business – I want to know how my DNS settings on my machine were changed.

Bricker: What was your DNS setting changed to?

Mine was switched to 69.57.146.14, which is owned by the “Everyones Internet” outfit (based in Texas), but the specific DNS server is being managed by somebody, apparently an EI customer, in Yugoslavia.

Perhaps VeriSign isn’t the problem after all. Somebody else might be using their wildcard change (which is stupid and obnoxious in its own right, but not as bad as changing local DNS values) as a way of leveraging some sort of other exploit. For example, there was a thing a few months ago wherein somebody using EI services was placing hidden spamware on people’s machines, which involved a hard-to-detect DNS hack. This certainly sounds similar.

My company’s global security team is looking into this now.

Optima Sues VeriSign Over URL Transfer

I’d just like to say that this just happened to me, again with a 69...* address. (I didn’t think to record the whole thing, I just remember the first part). I was actually using my computer when it happened, but I didn’t think to check my DNS settings until about 4 hours later. (I should explain that I’m on a college network that regularly goes down, so DNS outages are no stranger to me.)

I have all patches installed, don’t open strange attachments, yada yada yada. I’m no dummy, but how this happened has me stumped.

Update: It’s a trojan which can be launched from a webpage via an IE exploit. There’s not yet a patch, which explains why I got screwed over. Aside from changing your DNS settings, it also sets up IE to use a different HOSTS file, which really messed up my ad blocking. :wink:

More info and removal instructions can be found via the Proxomitron forums.

Wow, thanks, Hauky.

So now the question becomes, how the hell did I get it? I do very little on the web during the day besides the SDMB. Hmmm…

Well, if it’s an IE exploit maybe running IE is your major risk factor. Switch browsers and the problem should improve.

Here are instructions for blocking verisign. There is nothing to remove from your system unlike other browser hijackers but you can block the redirect.

http://www.pcmag.com/article2/0,4149,1274644,00.asp

Verisign’s controversial new SiteFinder service replaces “Cannot find server or DNS error” for missing domain names with results that may point to Verisign partners and now it has spawned a lawsuit by a competitor who alleges that the results could give Verisign and its partners an unfair advantage.

So while the litigation gets going, is there no way for you to return your system to its former self? Will every “domain not found” now result in a SiteFinder page? Maybe not. PC Magazine editors sat down this morning and hashed out an interim “fix”. All that’s required is a few simple adjustments to your system.

Start by locating the file named HOSTS (no extension). In Windows 98 and ME, it should be found in the Windows folder. In Windows 2000 and XP, you’ll find it in C:\WINNT\SYSTEM32\DRIVERS\ETC or C:\WINDOWS\SYSTEM32\DRIVERS\ETC. Open the file using Notepad – if it doesn’t exist, create it. Add this line to the file:

127.0.0.1 sitefinder.verisign.com

That blocks the loading of the sitefinder page, but it’s still possible for the site to place a cookie on your system. Launch the Internet Options dialog from Control Panel or from Internet Explorer’s Tools menu and click the Security tab. Click the Restricted Sites icon and click the Sites button. Add http://sitefinder.verisign.com and http://sitefinder-idn.verisign.com to the list and click OK. Make sure that the security level is set to High. If you’re using IE6, click the Privacy tab, click the Edit button, and add those same two URLs to the Block list; you can also block them using a third-party cookie manager.

With these changes, your browser should behave as it did before the Verisign redirection. Depending on your configuration, a non-existent URL will either get an error message or an offer to perform a search. Note that this search offer is local to your system; it is not equivalent to the Verisign redirection.
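Since the same HOSTS file is both the recommended block for SiteFinder and the file the trojan described earlier in this thread tampers with, it is worth auditing it rather than just editing it. The following is an added example, not part of the PC Magazine article or the thread: it parses HOSTS-file syntax (address, one or more names, optional `#` comment), verifies that both SiteFinder names from the article are pinned to loopback, and lists every entry that maps a name to a non-loopback address, which is the footprint a hijacking entry leaves. The sample file content is constructed; the `mail.company.com` line is a made-up hijack entry using the rogue address reported in the thread.

```python
"""Audit a Windows HOSTS file for the SiteFinder block and for hijack entries.

Added example (not from the article or the thread). Works on any file in
HOSTS syntax; the sample below is constructed for the demo.
"""
import ipaddress

# The two names the article says to blackhole.
SITEFINDER_HOSTS = {"sitefinder.verisign.com", "sitefinder-idn.verisign.com"}

# Constructed sample HOSTS file: the two block lines plus one hijack-style
# entry pointing an intranet name at an outside address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       sitefinder.verisign.com
127.0.0.1       sitefinder-idn.verisign.com   # added per PC Magazine
69.57.146.14    mail.company.com              # constructed hijack entry
"""


def parse_hosts(text):
    """Return (address, hostname) pairs, comments stripped, names lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def _is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; a malformed address counts as not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def sitefinder_blocked(entries):
    """True when every SiteFinder name is pinned to a loopback address."""
    pinned = {name for addr, name in entries
              if name in SITEFINDER_HOSTS and _is_loopback(addr)}
    return pinned == SITEFINDER_HOSTS


def suspicious_entries(entries):
    """Entries that send a name somewhere other than loopback.

    Loopback entries are the normal blocking use of HOSTS; anything else
    silently overrides DNS for that name and deserves a look.
    """
    return [(addr, name) for addr, name in entries if not _is_loopback(addr)]


def audit_hosts(text):
    """Summarise a HOSTS file: block status plus the entries to review."""
    entries = parse_hosts(text)
    return {
        "sitefinder_blocked": sitefinder_blocked(entries),
        "suspicious": suspicious_entries(entries),
    }


if __name__ == "__main__":
    # To audit the live file, read the path the article names instead:
    #   open(r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts").read()
    print(audit_hosts(SAMPLE_HOSTS))
```

The audit deliberately treats every non-loopback mapping as something to review rather than as proof of compromise, since administrators do legitimately pin a few internal names in HOSTS; the point is that a redirect of a name you did not add yourself is exactly how the trojan in this thread would show up.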

I just wanted to add that I was also hit by this, and to say thanks to Hauky for the link. Even after scanning my computer with TrendMicro’s online tool (in addition to having my regular virus scanner up and running), there were no virii detected. At least with the information Hauky provided, I could clean things up manually.

More information from Computer Business Review Online. According to the article, this was a known security hole. Microsoft made an announcement a couple of months ago: fixed by such-and-such a patch. But a couple of weeks ago, they came out again and said, uh, actually, it wasn’t really fixed. Enter new exploit.

The VeriSign connection is merely a coincidence, apparently, based on the fact that the hosts file is modified and the computer is now looking to an external DNS library. There’s an outside chance this was done on purpose, taking advantage of the new VeriSign reroute protocols in order to delay investigators for a little while by making them think it was related to that. Unlikely, though.

Anyway, thanks for the info, plus details on VeriSign blocking, also. —off to clean up PC — grumble grumble—

P.S. My first infection since the Concept virus hit my Mac back in the early 1990s! I feel so special.