Again, looking at that specific URL, it definitely is malicious in nature, with the download of the .exe and the fake codes. Trying to see which JavaScript file is doing the damage accordingly. If I can figure it out, I am posting it to SANS.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-----Original Message-----
From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2008 11:10 AM
To: NT System Admin Issues
Subject: RE: Major DNS protocol issue affecting most implementations of DNS

Looked at the main site for the Internetsecuritydeluxe and didn't find anything malicious about it in Fiddler.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-----Original Message-----
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2008 11:01 AM
To: NT System Admin Issues
Subject: Re: Major DNS protocol issue affecting most implementations of DNS

From what I can tell, boston.com disabled pop-ups yesterday afternoon/evening for a time, but they are back on full power this morning. No pop-ups in FF of course, but IE can't seem to handle suppressing them. I leave certain sites open in IE to check for behavior - and this is what I noticed yesterday.

On Fri, Jul 11, 2008 at 10:58 AM, Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
> I was never able to determine the originating pop-up. It redirected
> the page it popped-up from (boston.com), and then closed itself. The
> page it redirected to is this:
>
> http://internetsecuritydeluxe.com/scanner/scan.php?landid=54&depid=maxc%5Fisd08&cid=2271&parid=mc%5F1810746031
>
> On Thu, Jul 10, 2008 at 4:29 PM, Ziots, Edward <[EMAIL PROTECTED]> wrote:
>> You got a copy of the source of that page that is doing a popup to do
>> the redirect? It might be another SQL injection attack from a few weeks
>> ago.
>> Z
>>
>> Edward E. Ziots
>> Network Engineer
>> Lifespan Organization
>> MCSE,MCSA,MCP,Security+,Network+,CCA
>> Phone: 401-639-3505
>>
>> -----Original Message-----
>> From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, July 10, 2008 2:08 PM
>> To: NT System Admin Issues
>> Subject: Re: Major DNS protocol issue affecting most implementations of DNS
>>
>> One of Boston.com's pop-up advertisers is currently redirecting to a
>> download. Is it the DNS exploit in action? I dunno, but the timing is
>> impeccable - and is exactly what I have been expecting to see.
>>
>> On Thu, Jul 10, 2008 at 12:44 PM, Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
>>> Don't just hope. Bring it up as an issue with them.
>>>
>>> On Thu, Jul 10, 2008 at 10:25 AM, Joe Heaton <[EMAIL PROTECTED]> wrote:
>>>> Well, I used the tool that was referenced on the site below, and it
>>>> seems my upstream name server is susceptible to this problem, so
>>>> hopefully they will be patching too. I have already patched my DNS
>>>> server, and I'm working on the client side patch now...
>>>>
>>>> Joe Heaton
>>>>
>>>> -----Original Message-----
>>>> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
>>>> Sent: Wednesday, July 09, 2008 6:58 PM
>>>> To: NT System Admin Issues
>>>> Subject: RE: Major DNS protocol issue affecting most implementations of DNS
>>>>
>>>> And what if the cache of your upstream is a victim of this attack? :-)
>>>>
>>>> So, yes, internally you probably don't have much to fear (unless you
>>>> have a malicious employee, or someone else has already come in via some
>>>> other means and this is a second part of an attack). But you either need
>>>> to refer back to root servers or upstream DNS servers for other zones,
>>>> and it's possible that they might be compromised (well, probably not the
>>>> root servers)
>>>>
>>>> Cheers
>>>> Ken
>>>>
>>>>> -----Original Message-----
>>>>> From: Joe Heaton [mailto:[EMAIL PROTECTED]
>>>>> Sent: Thursday, 10 July 2008 2:04 AM
>>>>> To: NT System Admin Issues
>>>>> Subject: RE: Major DNS protocol issue affecting most implementations of DNS
>>>>>
>>>>> So this is pointed more at public name servers, right? Not internal
>>>>> DNS? I do our internal stuff, but forward everything else to our
>>>>> "ISP", which is another state agency.
>>>>>
>>>>> Joe Heaton
>>>>>
>>>>> -----Original Message-----
>>>>> From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
>>>>> Sent: Wednesday, July 09, 2008 8:33 AM
>>>>> To: NT System Admin Issues
>>>>> Subject: Re: Major DNS protocol issue affecting most implementations of DNS
>>>>>
>>>>> This blog has a good overview and some relevant info in the comments
>>>>> (a lot of bs in there too though):
>>>>>
>>>>> <http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/>
>>>>>
>>>>> On Wed, Jul 9, 2008 at 11:23 AM, Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
>>>>> > Affected systems include both client and server systems [that
>>>>> > implement DNS caching and stub resolution], and any other networked
>>>>> > systems that include this functionality.
>>>>> >
>>>>> > * US-CERT (TA08-190B) Multiple DNS implementations vulnerable to cache
>>>>> > poisoning - <http://www.us-cert.gov/cas/techalerts/TA08-190B.html>
>>>>> > * Microsoft Security Bulletin MS08-037 -
>>>>> > <http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx>
>>>>> >
>>>>> > --
>>>>> > ME2
>>>>> >
>>>>> > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
>>>>> > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
>>>>>
>>>>> --
>>>>> ME2
>>>>>
>>>>> No virus found in this incoming message.
>>>>> Checked by AVG.
>>>>> Version: 8.0.101 / Virus Database: 270.4.6/1540 - Release Date: 7/8/2008 6:33 AM
>>>
>>> --
>>> ME2
>>
>> --
>> ME2
>
> --
> ME2

--
ME2
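Joe Heaton's check of whether his upstream name server is susceptible comes down to one property of the resolver: whether its outbound queries randomize the UDP source port in addition to the 16-bit transaction ID, which is what the multi-vendor patch (US-CERT TA08-190B, MS08-037) adds. The following is an added example, not code from anyone in the thread: it scores a list of (source port, transaction ID) pairs assumed to have been captured from a resolver's own outbound queries, and the four sample captures are constructed.

```python
import math
from collections import Counter

def entropy_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def sequential_fraction(ports):
    """Fraction of adjacent distinct ports (sorted) that differ by exactly 1."""
    uniq = sorted(set(ports))
    if len(uniq) < 2:
        return 0.0
    steps = [b - a for a, b in zip(uniq, uniq[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)

def assess_resolver(samples):
    """Score (source_port, txid) pairs from outbound queries -> (verdict, metrics).
    A patched resolver spreads queries over thousands of ports; a fixed or
    incrementing port leaves only the 16-bit TXID for a spoofer to guess."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    metrics = {
        "distinct_ports": len(set(ports)),
        "port_span": max(ports) - min(ports),
        "sequential_fraction": round(sequential_fraction(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
    }
    if metrics["distinct_ports"] == 1:
        verdict = "POOR"  # fixed source port: the unpatched behaviour
    elif metrics["sequential_fraction"] > 0.8 or metrics["port_span"] < 1024:
        verdict = "POOR"  # incrementing or narrow-range ports are predictable
    elif metrics["txid_entropy_bits"] < 0.9 * math.log2(len(samples)):
        verdict = "FAIR"  # ports vary, but TXIDs repeat more than chance allows
    else:
        verdict = "GOOD"
    return verdict, metrics

# Constructed sample captures (not real traffic): 12 outbound queries each.
TXIDS = [0x1a2b, 0x7f10, 0x0c93, 0xe4d1, 0x5508, 0x9b6e,
         0x3d27, 0xc0a4, 0x6f5c, 0x2e81, 0xb7f3, 0x41d9]
WIDE_PORTS = [51203, 8871, 62010, 17544, 40917, 2290,
              58333, 29176, 45762, 12005, 34481, 60098]
FIXED_PORT = [(53, t) for t in TXIDS]                            # -> POOR
SEQUENTIAL_PORT = [(1024 + i, t) for i, t in enumerate(TXIDS)]   # -> POOR
WEAK_TXID = list(zip(WIDE_PORTS, TXIDS[:4] * 3))                 # -> FAIR
RANDOMIZED = list(zip(WIDE_PORTS, TXIDS))                        # -> GOOD
```

Calling assess_resolver on the four sample lists returns POOR, POOR, FAIR and GOOD in that order; a dozen samples is enough to expose a fixed or incrementing port, but judging TXID quality on a real resolver needs a much larger capture.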
