date: Mon, 21 Jul 2008 08:15:22 +0100
group: uk.finance
Major Bank On-line Security Problem?
(OT for uk.legal - but may be of interest)
You may have seen the following article:
A flaw in the way the Internet works has prompted the "largest
security update" in the history of the web, and fears of millions of
people remaining exposed to criminals and malicious hackers.
http://www.guardian.co.uk/technology/2008/jul/10/hacking.internet
NB : "Although there is no evidence of the bug being exploited by
hackers,"
I am not convinced that the "no evidence" is correct - but I can
understand why no-one would want to admit to being affected by it.
Ten days before this article came out - the following happened:
A relative uses a major bank.
He noticed that after the first page of on-line banking (after he had
input his account number and sort code) - he went to a page which was
asking him for his security details in a different way from normal.
He phoned me.
I asked if he had clicked on a link to go to the site - he hadn't.
I asked him if he had the link as a favourite - he hasn't.
He actually types the URL of the online bank into his browser.
I asked him to take a screen capture and send to me.
I told him to run his (up to date) virus checker - and other mal-ware
applications.
He did - nothing found.
I told him to speak to his bank and tell them.
The online help desk just told him that he must have a virus - he told
them he had run his up to date virus checker - they said not their
problem.
I phoned up help desk and said that this problem had happened to me -
they gave me the same story.
I insisted that they escalated the call - this they did - the
supervisor said that they knew of no problem. I insisted on
escalating call to someone in "security" - they said they couldn't.
I told them I was not going to go away - and I would close my account
if they did not do so.
Eventually I was escalated to "security" which I think was a technical
rather than security department.
I explained "my" problem. (I am quite IT literate so was able to
discuss sensibly). Eventually the guy admitted that a "small" number
of their customers in certain areas were affected in this way !!!!! (I
assume "small" being the number that they knew about.)
I discussed possibility of the problem being on the ISP's DNS machine
rather than the bank's. He said they were looking at this. He told
me to get my relative to ring back.
They have been looking at the problem for a few days.
One day last week the bank spent all day on the phone with my relative
- telling him what to do, sending him links to programmes to run - him
sending reports and screen shots back to them. (The problem is
repeatable via his machine).
Nothing found.
He has a job to do - he has installed Firefox - no problems - he gets
on with his job - let's hope the bank and ISP get on with theirs.
date: Mon, 21 Jul 2008 08:15:22 +0100
author: judith
|
Re: Major Bank On-line Security Problem?
judith wrote:
> (OT for uk.legal - but may be of interest)
>
> You may have seen the following article:
>
> A flaw in the way the Internet works has prompted the "largest
> security update" in the history of the web, and fears of millions of
> people remaining exposed to criminals and malicious hackers.
>
> http://www.guardian.co.uk/technology/2008/jul/10/hacking.internet
>
> NB : "Although there is no evidence of the bug being exploited by
> hackers,"
>
> I am not convinced that the "no evidence" is correct - but I can
> understand why no-one would want to admit to being affected by it.
>
> Ten days before this article came out - the following happened:
>
> A relative uses a major bank.
> He noticed that after the first page of on-line banking (after he had
> input his account number and sort code) - he went to a page which was
> asking him for his security details in a different way from normal.
>
> He phoned me
> I asked if he had clicked on a link to go to the site - he hadn't.
> I asked him if he had the link as a favourite - he hasn't.
> He actually types in the url of the online bank in to his browser.
> I asked him to take a screen capture and send to me.
> I told him to run his (up to date) virus checker - and other mal-ware
> applications.
> He did - nothing found
>
> I told him to speak to his bank and tell them.
> The online help desk just told him that he must have a virus - he told
> them he had run his up to date virus checker - they said not their
> problem.
>
> I phoned up help desk and said that this problem had happened to me -
> they gave me the same story.
> I insisted that they escalated the call - this they did - the
> supervisor said that they knew of no problem. I insisted on
> escalating call to someone in "security" - they said they couldn't.
> I told them I was not going to go away - and I would close my account
> if they did not do so.
> Eventually I was escalated to "security" which I think was a technical
> rather than security department.
>
> I explained "my" problem. (I am quite IT literate so was able to
> discuss sensibly). Eventually the guy admitted that a "small" number
> of their customers in certain areas were affected in this way !!!!! (I
> assume "small" being the number that they knew about.)
> I discussed possibility of the problem being on the ISP's DNS machine
> rather than the bank's. He said they were looking at this. He told
> me to get my relative to ring back.
>
> They have been looking at the problem for a few days.
> One day last week the bank spent all day on the phone with my relative
> - telling him what to do, sending him links to programmes to run - him
> sending reports and screen shots back to them. (The problem is
> repeatable via his machine).
>
> Nothing found.
>
> He has a job to do - he has installed Firefox - no problems - he gets
> on with his job - lets hope the bank and ISP get on with their's.
You've probably already tried this, but it's worth checking anyway.
Have you, or has he checked his hosts and lmhosts files?
As the problem is reproducible on his system, but not on every computer that
accesses the bank's site, it suggests that the problem is definitely on his
computer somewhere.
The Hosts files are usually to be found in C:\windows\system32\drivers\etc
These files define where selected domains and IP addresses are redirected
to.
Changing these files won't flag anything up on an antivirus sweep. They need
to be checked manually.
Realistically speaking, these files only need one line in them:
127.0.0.1 localhost
Anything other than that could potentially be causing the problem.
Just reset the file to read "127.0.0.1 localhost" and check to see if the
problem persists.
date: Mon, 21 Jul 2008 11:06:45 +0100
author: \(used to be\) Fat Sam
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 11:06:45 +0100, "\(used to be\) Fat Sam"
wrote:
<snip>
>You've probably already tried this, but it's worth checking anyway.
>Have you, or has he checked his hosts and lmhosts files?
I have not checked it - I was not aware that it could be that in this
context - I will ask him if the Bank asked him to check
>As the problem is reproducible on his system, but not on every computer that
>accesses the bank's site, it suggests that the problem is definitely on his
>computer somewhere.
I would suggest that "the problem" could be on the ISP's DNS server at
the point where he joins their network - and that it does need
particular circumstances to trigger it - which may be peculiar to his
(and some other) machine(s).
I do not think that the bank would have spent time on trying to
resolve an issue on a customer's machine - certainly not all day - and
saying do this, send us that, what does that say now, look for this
and that if they did not think that it was a more serious problem -
and not just his machine. They would have washed their hands of it
and told him to get his PC seen to by an expert!!
>The Hosts files are usually to be found in C:\windows\system32\drivers\etc
>These files define where selected domains and IP addresses are redirected
>to.
Are you saying that if you type in a url to the browser - then you can
be redirected to a different url - but that which you type in will
appear in the browser address bar.
Would a problem like this affect Firefox as well? - you seem to imply
it is more of a configuration problem than anything nasty.
I have never heard of that before - are you sure? (I must admit I do
doubt it).
I will have a look for info on this myself - but any pointer to
relevant information would be appreciated
(If that is what it is then I would have hoped that the Bank's
technical department would be aware of it)
date: Mon, 21 Jul 2008 15:30:29 +0100
author: judith
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 15:30:29 +0100, judith
wrote:
>>The Hosts files are usually to be found in C:\windows\system32\drivers\etc
>>These files define where selected domains and IP addresses are redirected
>>to.
>
>Are you saying that if you type in a url to the browser - then you can
>be redirected to a different url - but that which you type in will
>appear in the browser address bar.
>
>Would a problem like this affect Firefox as well? - you seem to imply
>it is more of a configuration problem than anything nasty.
>
>I have never heard of that before - are you sure? (I must admit I do
>doubt it).
Normally a computer will access a DNS server to find the IP address of
a URL. You can however override that by entering the URL and desired
IP address in the "hosts" file on your PC. This will cause *all*
programs to skip looking up the IP address by accessing a DNS server,
and instead use the IP address manually entered in the "hosts" file.
That file will normally contain only one entry - the URL "local" is
tied to IP address 127.0.0.1
There are legitimate reasons for having URLs in your "hosts" file.
Maybe you run a server on your computer, for example, which people can
access via your external IP address which you have registered with a
DNS server. You would configure your router to direct packets of the
appropriate protocol coming into that address to the *local* IP
address of your PC. But any PC that is on your local network will not
be able to access your server via the external address, but needs to
use the local address instead, which the DNS server does not know. So
you put the URL and local address of your server into all "hosts"
files of computers on your local network, and it will all work fine.
Or you might want to be able to access other PCs on your network by
name instead of their IP address, so you associate names with their IP
addresses in your "hosts" file. My router, for example, is associated
in my hosts file with the URL "router". So I can access it by putting
the word "router" into the browser bar or telnet session and do not
need to remember its IP address.
Malicious programs exploit the "hosts" file by putting in entries for
the URL they want to hijack (banks, anti-virus sites etc) and
associating it with the IP address of their spoofing server, or (in
the case of antivirus sites) an IP address that will not work, so any
access to the antivirus site will be met with a connection error.
The easiest way to prevent such an attack is to make the "hosts" file
read-only.
--
Cynic
date: Mon, 21 Jul 2008 16:18:57 +0100
author: Cynic
|
Re: Major Bank On-line Security Problem?
judith wrote:
> On Mon, 21 Jul 2008 11:06:45 +0100, "\(used to be\) Fat Sam"
> wrote:
>
> <snip>
>
>
>> You've probably already tried this, but it's worth checking anyway.
>> Have you, or has he checked his hosts and lmhosts files?
>
> I have not checked it - I was not aware that it could be that in this
> context - I will ask him if the Bank asked him to check
>
>> As the problem is reproducible on his system, but not on every
>> computer that accesses the bank's site, it suggests that the problem
>> is definitely on his computer somewhere.
>
>
> I would suggest that "the problem" could be on the ISP's DNS server at
> the point where he joins their network - and that it does need
> particular circumstances to trigger it - which may be peculiar to his
> (and some other) machine(s).
This could be the case, I agree.
But I would have thought a lot more people would be reporting the issue if it
was anything to do with the ISP's DNS routing.
I'm still fairly confident that this sounds like the hosts file - although
I'm not being closed minded about it.
> I do not think that the bank would have spent time on trying to
> resolve an issue on a customer's machine - certainly not all day - and
> saying do this, send us that, what does that say now, look for this
> and that if they did not think that it was a more serious problem -
> and not juts his machine. They would have washed their hands of it
> and told him to get his PC seen to by an expert!!
They may not even be aware of this as an option.
The chaps in the call centre might be working to a formulaic checklist or
flowchart.
>> The Hosts files are usually to be found in
>> C:\windows\system32\drivers\etc These files define where selected
>> domains and IP addresses are redirected to.
>
> Are you saying that if you type in a url to the browser - then you can
> be redirected to a different url - but that which you type in will
> appear in the browser address bar.
That would depend on what has been set up on the server that the hosts file
has redirected you to. But if the malicious coder is a switched-on cookie,
then it's entirely possible.
> Would a problem like this effect Firefox as well?
Yes.
> - you seem to imply
> it is more of a configuration problem than anything nasty.
In my experiences, the symptoms of a viral infection often turn out to be
configuration problems.
However, in this case, I'm not suggesting it's a configuration problem.
For the Hosts file to have become altered so that it redirects the bank's
domain to a malicious site, someone must have made a conscious effort to do
that.
So it would appear that someone has either accessed his system, or managed
to remotely execute some code on his computer.
Either way, it's a security breach. Not necessarily his fault, but worth
being aware of so precautions can be taken in future.
> I have never heard of that before - are you sure? (I must admit I do
> doubt it).
I'm still putting my money on this being the answer.
> I will have a look for info on this myself - but any pointer to
> relevant information would be appreciated
http://en.wikipedia.org/wiki/Hosts_file#Malicious_use_of_redirection
> (If that is what it is then I would have hoped that the Bank's
> technical department would be aware of it)
In my experience, telephone help desks and tech departments for big
companies just work off a checklist or flowchart.
If condition A is met then proceed to B
If condition B is met then proceed to C
Present them with something that's not on their checklist and they flounder.
date: Mon, 21 Jul 2008 17:37:28 +0100
author: \(used to be\) Fat Sam
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 15:30:29 +0100, judith wrote:
<snip>
> Are you saying that if you type in a url to the browser - then you can
> be redirected to a different url - but that which you type in will
> appear in the browser address bar.
Try googling for 'hosts' file. There are lots of entries for it.
--
the dot wanderer at tesco dot net
date: Mon, 21 Jul 2008 18:14:53 +0100
author: The Wanderer
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 16:18:57 +0100, Cynic
wrote:
>On Mon, 21 Jul 2008 15:30:29 +0100, judith
>wrote:
>
>>>The Hosts files are usually to be found in C:\windows\system32\drivers\etc
>>>These files define where selected domains and IP addresses are redirected
>>>to.
>>
>>Are you saying that if you type in a url to the browser - then you can
>>be redirected to a different url - but that which you type in will
>>appear in the browser address bar.
>>
>>Would a problem like this affect Firefox as well? - you seem to imply
>>it is more of a configuration problem than anything nasty.
>>
>>I have never heard of that before - are you sure? (I must admit I do
>>doubt it).
>
>Normally a computer will access a DNS server to find the IP address of
>a URL. You can however override that by entering the URL and desired
>IP address in the "hosts" file on your PC. This will cause *all*
>programs to skip looking up the IP address by accessing a DNS server,
>and instead using the IP address manually entered in the "hosts" file.
>That file will normally contain only one entry - the URL "local" is
>tied to IP address 127.0.0.1
>
>There are legitimate reasons for having URLs in your "hosts" file.
>Maybe you run a server on your computer, for example, which people can
>access via your external IP address which you have registered with a
>DNS server. You would configure your router to direct packets of the
>appropriate protocol coming into that address to the *local* IP
>address of your PC. But any PC that is on your local network will not
>be able to access your server via the external address, but needs to
>use the local address instead, which the DNS server does not know. So
>you put the URL and local address of your server into all "hosts"
>files of computers on your local network, and it will all work fine.
>
>Or you might want to be able to access other PCs on your network by
>name instead of their IP address, so you associate names with their IP
>addresses in your "hosts" file. My router, for example, is associated
>in my hosts file with the URL "router". So I can access it by putting
>the word "router" into the browser bar or telnet session and do not
>need to remember its IP address.
>
>Malicious programs exploit the "hosts" file by putting in entries for
>the URL they want to hijack (banks, anti-virus sites etc) and
>associating it with the IP address of their spoofing server, or (in
>the case of antivirus sites) an IP address that will not work, so any
>access to the antivirus site will be met with a connection error.
>
>The easiest way to prevent such an attack is to make the "hosts" file
>read-only.
excellent - good explanation - thanks
date: Mon, 21 Jul 2008 18:19:24 +0100
author: judith
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 17:37:28 +0100, "\(used to be\) Fat Sam"
wrote:
<snip>
Thanks for comments:
as you will have seen Cynic has also given me a good explanation of
hosts.
It was not actually the call centre who I spoke with - it was some
levels removed - and I did have a sensible conversation with the guy.
I could imagine something in the DNS which every 1000 requests for a
particular bank pushes it to a phishing site - and then sits quiet again
- it could be very difficult to find.
The most worrying aspect I thought was that the actual URL as typed in
appeared in the browser - and then the phishing site had the "correct"
url in the browser.
He has installed Firefox - and the problem has disappeared!!
All of the stuff which the bank asked him to run found nothing.
All cookies seemed to be OK.
date: Mon, 21 Jul 2008 18:30:47 +0100
author: judith
|
Re: Major Bank On-line Security Problem?
judith wrote:
> On Mon, 21 Jul 2008 17:37:28 +0100, "\(used to be\) Fat Sam"
> wrote:
>
> <snip>
>
> Thanks for comments:
>
> as you will have seen Cynic has also given me a good explanation of
> hosts.
>
> It was not actually the call centre who I spoke with - it was some
> levels removed - and I did have a sensible conversation with the guy.
>
> I could imagine something in the DNS which every 1000 requests for a
> particular bank pushes it to phishing site - and then sits quiet again
> - it could be very difficult to find.
>
> The most worrying aspect I thought was that the actual URL as typed in
> appeared in the browser - and then the phishing site had the "correct"
> url in the browser.
>
> He has installed Firefox - and the problem has disappeared!!
>
> All of the stuff which the bank asked him to run found nothing.
>
> All cookies seemed to be OK.
Will be interesting to see what turns up when he checks the hosts file.
Good to know that the problem has been resolved. It's a very graphic
illustration of the importance of constant vigilance when visiting secure
sites.
date: Mon, 21 Jul 2008 18:43:21 +0100
author: \(used to be\) Fat Sam
|
Re: Major Bank On-line Security Problem?
"judith" wrote in message
news:a7h984tsln2906ft2143ld67hpsi292390@4ax.com...
> >Malicious programs exploit the "hosts" file by putting in entries for
> >the URL they want to hijack (banks, anti-virus sites etc) and
> >associating it with the IP address of their spoofing server, or (in
> >the case of antivirus sites) an IP address that will not work, so any
> >access to the antivirus site will be met with a connection error.
> >
> >The easiest way to prevent such an attack is to make the "hosts" file
> >read-only.
>
>
> excellent - good explanation - thanks
It's worth downloading HijackThis; it's a well known and trusted free utility
which scans the hosts file, IE plugins, autoloading programs and loads of other
potential hijacks of your system.
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Trouble is it doesn't tell you what's good or bad, it just tells you what's
there. Anything you're not sure of you can check here:
http://www.castlecops.com/HijackThis.html
DON'T tick the boxes next to any item unless you are sure it's bad/not required
otherwise you can totally screw the system. Use the above guide, or post the log
on the HJT forum on the site.
--
Andy
date: Mon, 21 Jul 2008 20:41:15 +0100
author: Andy Pandy lid
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 16:18:57 +0100, Cynic
wrote:
>Normally a computer will access a DNS server to find the IP address of
>a URL. You can however override that by entering the URL and desired
>IP address in the "hosts" file on your PC. This will cause *all*
>programs to skip looking up the IP address by accessing a DNS server,
>and instead using the IP address manually entered in the "hosts" file.
>That file will normally contain only one entry - the URL "local" is
>tied to IP address 127.0.0.1
>
>There are legitimate reasons for having URLs in your "hosts" file.
In the interests of technical accuracy and to avoid confusion, perhaps
I may just clarify some terminology.
A URL (Uniform Resource Locator) is a combination of a "scheme" or
protocol identifier and a host name, such as http://www.bbc.co.uk.
"http:" is the scheme and "www.bbc.co.uk" is the host name.
It's host names that are put in the "hosts" file, not URLs. It's
worth making the distinction in case someone tries to put a URL in the
hosts file - which won't work.
Mike.
date: Mon, 21 Jul 2008 21:19:05 +0100
author: Mike
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 20:41:15 +0100, "Andy Pandy"
<spam8times@wonderful.spam.invalid> wrote:
>
>"judith" wrote in message
>news:a7h984tsln2906ft2143ld67hpsi292390@4ax.com...
>> >Malicious programs exploit the "hosts" file by putting in entries for
>> >the URL they want to hijack (banks, anti-virus sites etc) and
>> >associating it with the IP address of their spoofing server, or (in
>> >the case of antivirus sites) an IP address that will not work, so any
>> >access to the antivirus site will be met with a connection error.
>> >
>> >The easiest way to prevent such an attack is to make the "hosts" file
>> >read-only.
>>
>>
>> excellent - good explanation - thanks
>
>It's worth downloading HijackThis, it's a well known and trusted free utility
>which scans the hosts files, IE plugins, autoloading programs and loads of other
>potential hijacks of your system.
>
>http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
>
>Trouble is it doesn't tell you what's good or bad, it just tells you what's
>there. Anything you're not sure of you can check here:
>
>http://www.castlecops.com/HijackThis.html
>
>DON'T tick the boxes next to any item unless you are sure it's bad/not required
>otherwise you can totally screw the system. Use the above guide, or post the log
>on the HJT forum on the site.
Thanks for suggestion - it has already been run - nothing found :-(
date: Mon, 21 Jul 2008 21:02:32 +0100
author: judith
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 15:30:29 +0100, judith
wrote:
>Are you saying that if you type in a url to the browser - then you can
>be redirected to a different url - but that which you type in will
>appear in the browser address bar.
Just to explain this in a slightly different way from the other
contributions:
Computers communicate across the Internet by means of IP addresses, a
series of numbers such as 212.58.253.67. That, by the way, is the IP
address of the BBC's Web server. Names, such as www.bbc.co.uk, are
used for the benefit of humans, who find names easier to remember than
numbers.
A name such as www.bbc.co.uk, which may appear in a URL, always has to
be translated into an IP address before a Web browser can start
talking to the distant computer. That translation is usually
performed in the background by a DNS server, which knows how to
convert a name into the corresponding IP address. But the translation
can also be performed by (for example) a "hosts" file on the PC.
If, to give an example, you were to put a line in your hosts file
reading:
66.102.9.104 www.bbc.co.uk
and then point a Web browser, such as Internet Explorer or Firefox, to
http://www.bbc.co.uk, your Web browser will display Google's home
page, not the BBC's, because 66.102.9.104 is an IP address for
www.google.co.uk !
Mike.
date: Mon, 21 Jul 2008 21:31:23 +0100
author: Mike
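The hosts-file advice in this post and the earlier ones (Fat Sam's "only one line", Cynic's hijacked bank and null-routed anti-virus names, Mike's point that host names, not URLs, go in the file) as an audit script. This is an added example, not code from the thread; the hosts content, host names and addresses in it are constructed placeholders, and the `WATCH_NAMES` list is an assumed input you would fill with your own bank's host names.

```python
"""Audit a hosts file for entries that bypass DNS for the names you care about.

Added example, not code from the thread. The hosts file content below is
constructed; the host names and addresses in it are placeholders, not real
indicators. On Windows the live file is C:\\Windows\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Addresses a name can point at without sending traffic anywhere: loopback and
# the unspecified address (null-routing, as in the anti-virus-site case).
_DEAD_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("::/128"),
]

WATCH_NAMES = ["examplebank.test", "exampleav.test"]  # constructed placeholders


def parse_hosts(text):
    """Yield (line_no, address, names) for each active line.

    The first field must be an IP address; everything after it is a host
    name (Mike's point: a URL such as http://... is not a host name and the
    resolver would ignore it). Such lines are yielded with address None so
    the audit can flag them rather than silently skip them.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        fields = line.split()
        try:
            yield n, ipaddress.ip_address(fields[0]), fields[1:]
        except ValueError:
            yield n, None, fields


def audit_hosts(text, watch_names=WATCH_NAMES):
    """Return (line_no, kind, detail) findings, in file order.

    hijack      - a watched name (your bank) points at a real address: every
                  program on the PC will go there instead of asking DNS.
    blackhole   - a watched name points at a dead address (the AV-site case).
    override    - some other name points at a real address; harmless for a
                  LAN alias like Cynic's "router", but review it.
    unparseable - the line cannot be an address + names, e.g. a URL.
    """
    findings = []
    for n, addr, names in parse_hosts(text):
        if addr is None:
            findings.append((n, "unparseable", " ".join(names)))
            continue
        dead = any(addr in net for net in _DEAD_NETS)
        for name in names:
            lname = name.lower()
            if lname == "localhost" and dead:
                continue   # the one entry the file normally needs
            watched = any(lname == w or lname.endswith("." + w) for w in watch_names)
            if watched:
                findings.append((n, "blackhole" if dead else "hijack", f"{name} -> {addr}"))
            elif not dead:
                findings.append((n, "override", f"{name} -> {addr}"))
    return findings


def audit_hosts_file(path, watch_names=WATCH_NAMES):
    """Run the audit on a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), watch_names)


# Constructed sample, not a real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.1     router                    # a LAN alias like Cynic's
203.0.113.45    online.examplebank.test   # bank name pointed at a spoof server
0.0.0.0         update.exampleav.test     # AV update site null-routed
http://www.examplebank.test 10.0.0.1      # a URL, not a host name: never works
"""


if __name__ == "__main__":
    for line_no, kind, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:<11} {detail}")
```

Run it against the real file with `audit_hosts_file(r"C:\Windows\System32\drivers\etc\hosts")`; an untouched file yields no findings at all.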
|
Re: Major Bank On-line Security Problem?
judith wrote:
> They have been looking at the problem for a few days.
> One day last week the bank spent all day on the phone with my relative
> - telling him what to do, sending him links to programmes to run - him
> sending reports and screen shots back to them. (The problem is
> repeatable via his machine).
>
> Nothing found.
>
> He has a job to do - he has installed Firefox - no problems - he gets
> on with his job - lets hope the bank and ISP get on with their's.
The bug is related to DNS, which means that someone could change the DNS
entry for your bank's website, and redirect the browser to their website,
rather than the bank.
This would happen regardless of which browser or operating system you were
using as the attack isn't taking place on your computer.
However, if this was to happen, the website security certificate wouldn't
match, and the browser would display a warning. To hide the warning, the
attacker would either need to get into the bank's computer to steal the
private key, in which case all bets are off anyway and they wouldn't need
to attack the DNS server, or break into your computer to change your public
key store or your browser settings to disable the warning, in which case
all bets are off and they wouldn't need to attack the DNS server.
date: Mon, 21 Jul 2008 21:17:38 +0100
author: Jonathan Bryce ldomain
|
Re: Major Bank On-line Security Problem?
judith wrote:
> He has installed Firefox - and the problem has disappeared!!
If it was a DNS issue, it would affect Firefox in the same way that it affects
IE.
date: Mon, 21 Jul 2008 21:19:58 +0100
author: Jonathan Bryce ldomain
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 18:30:47 +0100, judith
wrote:
>He has installed Firefox - and the problem has disappeared!!
In which case, I suggest that it's unlikely that this problem is
caused by a rogue entry in the hosts file, because that would affect
all Web browsers equally.
More likely is some malware that has modified the action of Internet
Explorer and is intercepting network calls made by that Web browser.
It's been suggested that the ISP's DNS server could be to blame.
That's possible but unlikely. There's an easy way of checking whether
the local DNS server is returning correct information:
In Windows, click Start -> Run, type "cmd" without the quotes and
press ENTER. A black window will appear. In that window, type
"nslookup www.parliament.uk" (for example), again without the quotes.
That command asks the DNS server for the IP address of
www.parliament.uk and the answer will be displayed in the black
command box (as 194.60.38.75)
Then go to one of the Web sites that offers a DNS service, such as
http://www.lookupserver.com, and ask it for the IP address of
www.parliament.uk (for example). If they match, the ISP's DNS server
is returning the correct result.
(There's one complication though: high-traffic sites often have many
Web servers, sometimes with a range of IP addresses, behind one name,
so different results from nslookup and a Web DNS server need to be
interpreted with caution.)
Mike.
date: Mon, 21 Jul 2008 21:55:03 +0100
author: Mike
|
Re: Major Bank On-line Security Problem?
> Will be interesting to see what turns up when he checks the hosts file.
I'm not an expert on the subject, but I strongly expect the hosts file
to be "normal".
There's a good chance his ISP has a poisoned DNS cache though, and it
might be possible to check with the DoxPara link:
http://www.doxpara.com/
Click the link on the right hand side, and wait for a while - it may
require several attempts (it did the first time I tried it)
There may be a way to automate a scan / result comparison for a
"known" domain, but I'd have to play around with it (I'm not much of a
programmer)
Has the OP tried scanning with some other utils like Vundofix and
SmitFraudFix ?
date: Mon, 21 Jul 2008 21:37:41 +0100
author: Colin Wilson
|
Re: Major Bank On-line Security Problem?
"judith" wrote in message
news:7pq9849okcfhkp5fbt2a2vd5edveq76hv6@4ax.com...
> >It's worth downloading HijackThis, it's a well known and trusted free utility
> >which scans the hosts files, IE plugins, autoloading programs and loads of other
> >potential hijacks of your system.
> >
> >http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
> >
> >Trouble is it doesn't tell you what's good or bad, it just tells you what's
> >there. Anything you're not sure of you can check here:
> >
> >http://www.castlecops.com/HijackThis.html
> >
> >DON'T tick the boxes next to any item unless you are sure it's bad/not required
> >otherwise you can totally screw the system. Use the above guide, or post the log
> >on the HJT forum on the site.
>
>
> Thanks for suggestion - it has already been run - nothing found :-(
Also you can check that the ISP's DNS server hasn't been compromised (as per the
Gruniad article) by getting a command prompt up and doing a PING to the bank's
URL, e.g. ping www.barclays.co.uk. This will give you the IP address as translated
by the ISP's DNS server (or the hosts file as above).
Then compare with someone using a different ISP and check they are the same.
I guess once you're sure of the correct IP address you could just use this
instead of the URL, might be safer?
--
Andy
date: Mon, 21 Jul 2008 21:57:30 +0100
author: Andy Pandy lid
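The resolver cross-check described in this post and in Mike's nslookup post (compare what your ISP's resolver returns with an answer obtained elsewhere, remembering that busy sites sit behind a pool of addresses) as a small script. This is an added example, not code from the thread; the nslookup and ping outputs are constructed samples in Windows format and every address is from a documentation range, so the host name, the resolver name and the "web lookup" answers are all assumptions.

```python
"""Cross-check the local (ISP) resolver's answer for a host name against
answers obtained independently: a web-based lookup service, or ping run by
someone on a different ISP.

Added example, not code from the thread. The nslookup and ping outputs below
are constructed samples in Windows format; all addresses are documentation
ranges (RFC 5737), not real servers.
"""
import re

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def addresses_from_nslookup(output):
    """Return the answer addresses from Windows nslookup output as a set.

    The 'Server:'/'Address:' lines at the top name the resolver itself, so
    collection only starts after the 'Name:' line of the answer section and
    stops at a blank line or an 'Aliases:' line. Multi-address answers list
    extra addresses on indented continuation lines, which are picked up too.
    """
    found = set()
    in_answer = False
    for line in output.splitlines():
        s = line.strip()
        if s.startswith("Name:"):
            in_answer = True
            continue
        if in_answer:
            if not s or s.startswith("Aliases:"):
                break
            found.update(_IPV4.findall(s))
    return found


def address_from_ping(output):
    """Return the address ping resolved the name to, taken from the
    'Pinging host [a.b.c.d] with 32 bytes of data:' line, or None."""
    m = re.search(r"Pinging\s+\S+\s+\[(" + _IPV4.pattern + r")\]", output)
    return m.group(1) if m else None


def compare_answers(local, reference):
    """Classify the ISP resolver's answers against an independent source.

    'match'     - identical sets: the resolver returns what others see.
    'overlap'   - some addresses in common: typical of a busy site served by a
                  pool of addresses (Mike's caveat), so interpret with care.
    'mismatch'  - nothing in common: the two sources disagree about where the
                  name points, which is what a poisoned cache looks like.
    'no-answer' - one side returned nothing, so no conclusion can be drawn.
    """
    local, reference = set(local), set(reference)
    if not local or not reference:
        return "no-answer"
    if local == reference:
        return "match"
    if local & reference:
        return "overlap"
    return "mismatch"


# Constructed sample outputs, not captured from any real system.
NSLOOKUP_ISP = """\
Server:  cache1.isp.example
Address:  192.0.2.53

Non-authoritative answer:
Name:    online.examplebank.test
Addresses:  198.51.100.10
          198.51.100.11
"""

PING_OTHER_ISP = """\
Pinging online.examplebank.test [198.51.100.11] with 32 bytes of data:

Reply from 198.51.100.11: bytes=32 time=24ms TTL=55
"""

WEB_LOOKUP = {"198.51.100.10", "198.51.100.12"}   # constructed web-service answer
POISONED = {"203.0.113.66"}                        # constructed rogue answer


def verdicts():
    """Run the three comparisons on the sample data."""
    isp = addresses_from_nslookup(NSLOOKUP_ISP)
    ping = address_from_ping(PING_OTHER_ISP)
    return {
        "isp_vs_web": compare_answers(isp, WEB_LOOKUP),
        "isp_vs_ping": compare_answers(isp, [ping] if ping else []),
        "isp_vs_poisoned": compare_answers(isp, POISONED),
    }


if __name__ == "__main__":
    for check, verdict in verdicts().items():
        print(f"{check}: {verdict}")
```

To use it for real, paste the output of `nslookup <bank host name>` and the friend's `ping` output into the two strings and put the web service's answer in `WEB_LOOKUP`; only a 'mismatch' is a clear signal, while 'overlap' usually just means a pool of servers.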
|
Re: Major Bank On-line Security Problem?
Andy Pandy wrote:
> Then compare with someone using a different ISP and check they are the
> same.
>
> I guess once you're sure of the correct IP address you could just use this
> instead of the URL, might be safer?
That won't always work, especially if the server is using HTTP 1.1
addressing to host more than one website on the server. That's less likely
for a bank than some smaller sites, but they might use it for example to
separate the business and personal sites or where they have different
brands using the same platform.
Also, a lot of banks have different host names for different parts of the
site, particularly for moving between the secure area and the customer
information area of the site, so you would have to keep retyping the urls
when moving between these areas.
date: Mon, 21 Jul 2008 22:38:25 +0100
author: Jonathan Bryce ldomain
|
Re: Major Bank On-line Security Problem?
Colin Wilson
wrote:
>> Will be interesting to see what turns up when he checks the hosts
>> file.
>
> I'm not an expert on the subject, but I strongly expect the hosts file
> to be "normal".
>
> There's a good chance his ISP has a poisoned DNS cache though, and it
> might be possible to check with the DoxPara link:
>
> http://www.doxpara.com/
>
> Click the link on the right hand side, and wait for a while - it may
> require several attempts (it did the first time I tried it)
In my experience that link "checks" one of the authoritative nameservers
for the IP address range for your connection. It does not carry out a
rDNS look-up of your IP address.
It does *not* check the caching nameservers at your ISP, unless they are
one and the same as the authoritative nameservers which would be
unusual.
I might suggest installing Bind for Linux users, or Treewalk for Windows
users, behind your firewall or NAT router if you have doubts about your
ISP's caching DNS servers.
--
Dave N
date: Tue, 22 Jul 2008 11:03:21 +0100
author: Dave Nesbitt lid
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 18:43:21 +0100, "\(used to be\) Fat Sam"
wrote:
<snip>
>
>Will be interesting to see what turns up when he checks the hosts file.
>Good to know that the problem has been resolved. It's a very graphic
>illustration of the importance of constant vigilance when visiting secure
>sites.
>
The problem still exists.
Here is a summary of what has been done - at either request of bank, me,
or someone here.
1) No problems with Firefox
2) Panda Anti-Rootkit 1.08 - in depth scan
3) Panda Active Scan 2.0
4) Trend Micro Anti-rootkit
5) F-secure Anti-rootkit
6) Are these files on your machine?:
ed47fa.$
fa56d7ec.$$$
bca4e2da.$$$
Answer: NO
7) Look in Hosts and LMHOSTS - they are both normal
8) Run DNS check http://www.doxpara.com/
Result : 195.188.152.62 appears to be safe
He is on VirginMedia - it appears to be an old telewest DNS
9) F-Secure BlackLight
10) HijackThis
11) The bank have said that there are a "number of Virgin media
customers affected - but it is not limited to that ISP"
(I am not expecting it to be solved by these groups - I will continue
with updates for interest)
But thanks for suggestions.
date: Tue, 22 Jul 2008 11:50:23 +0100
author: judith
|
Re: Major Bank On-line Security Problem?
On Mon, 21 Jul 2008 21:19:05 +0100, Mike wrote:
>>Normally a computer will access a DNS server to find the IP address of
>>a URL. You can however override that by entering the URL and desired
>>IP address in the "hosts" file on your PC. This will cause *all*
>>programs to skip looking up the IP address by accessing a DNS server,
>>and instead using the IP address manually entered in the "hosts" file.
>>That file will normally contain only one entry - the URL "local" is
>>tied to IP address 127.0.0.1
>>There are legitimate reasons for having URLs in your "hosts" file.
>In the interests of technical accuracy and to avoid confusion, perhaps
>I may just clarify some terminology.
>A URL (Uniform Resource Locator) is a combination of a "scheme" or
>protocol identifier and a host name, such as http://www.bbc.co.uk.
>"http:" is the scheme and "www.bbc.co.uk" is the host name.
>It's host names that are put in the "hosts" file, not URLs. It's
>worth making the distinction in case someone tries to put a URL in the
>hosts file - which won't work.
Fair comment - I was using the term I thought would be better
understood, though as you say it is not really the correct term to
use.
--
Cynic
date: Tue, 22 Jul 2008 12:37:46 +0100
author: Cynic
|
Re: Major Bank On-line Security Problem?
judith wrote:
> On Mon, 21 Jul 2008 18:43:21 +0100, "\(used to be\) Fat Sam"
> wrote:
>
> <snip>
>
>>
>> Will be interesting to see what turns up when he checks the hosts
>> file. Good to know that the problem has been resolved. It's a very
>> graphic illustration of the importance of constant vigilance when
>> visiting secure sites.
>>
>
> The problem still exists.
>
> Here is a summary of what has been done - at either request of bank, me,
> or someone here.
>
>
> 1) No problems with Firefox
> 2) Panda Anti-Rootkit 1.08 - in depth scan
> 3) Panda Active Scan 2.0
> 4) Trend Micro Anti-rootkit
> 5) F-secure Anti-rootkit
> 6) Are these files on your machine?:
> ed47fa.$
> fa56d7ec.$$$
> bca4e2da.$$$
> Answer: NO
> 7) Look in Hosts and LMHOSTS - they are both normal
> 8) Run DNS check http://www.doxpara.com/
> Result : 195.188.152.62 appears to be safe
> He is on VirginMedia - it appears to be an old telewest DNS
> 9) F-Secure BlackLight
> 10) HijackThis
> 11) The bank have said that there are a "number of Virgin media
> customers affected - but it is not limited to that ISP"
>
>
> (I am not expecting it to be solved by these groups - I will continue
> with updates for interest)
>
> But thanks for suggestions.
Out of interest, does he know how to set up a proxy to connect through?
Would be interesting to see if the problem persists when using a proxy
server.
Did you say that the problem doesn't exist when using Firefox?
If so, has he tried uninstalling and re-installing IE to see if that has any
effect?
Presumably he has reported the issue to Virgin and they're looking into
their DNS configuration?
date: Tue, 22 Jul 2008 12:49:23 +0100
author: \(used to be\) Fat Sam
|
Re: Major Bank On-line Security Problem?
On Tue, 22 Jul 2008 12:49:23 +0100, "\(used to be\) Fat Sam"
wrote:
>judith wrote:
>> On Mon, 21 Jul 2008 18:43:21 +0100, "\(used to be\) Fat Sam"
>> wrote:
>>
>> <snip>
>>
>>>
>>> Will be interesting to see what turns up when he checks the hosts
>>> file. Good to know that the problem has been resolved. It's a very
>>> graphic illustration of the importance of constant vigilance when
>>> visiting secure sites.
>>>
>>
>> The problem still exists.
>>
>> Here is a summary of what has been done - at either request of bank, me,
>> or someone here.
>>
>>
>> 1) No problems with Firefox
>> 2) Panda Anti-Rootkit 1.08 - in depth scan
>> 3) Panda Active Scan 2.0
>> 4) Trend Micro Anti-rootkit
>> 5) F-secure Anti-rootkit
>> 6) Are these files on your machine?:
>> ed47fa.$
>> fa56d7ec.$$$
>> bca4e2da.$$$
>> Answer: NO
>> 7) Look in Hosts and LMHOSTS - they are both normal
>> 8) Run DNS check http://www.doxpara.com/
>> Result : 195.188.152.62 appears to be safe
>> He is on VirginMedia - it appears to be an old telewest DNS
>> 9) F-Secure BlackLight
>> 10) HijackThis
>> 11) The bank have said that there are a "number of Virgin media
>> customers affected - but it is not limited to that ISP"
>>
>>
>> (I am not expecting it to be solved by these groups - I will continue
>> with updates for interest)
>>
>> But thanks for suggestions.
>
>Out of interest, does he know how to set up a proxy to connect through?
>Would be interesting to see if the problem persists when using a proxy
>server.
No - and to be honest he seems happy now that he is using Firefox -
and the problem is definitely not there - as he wants to crack on with
his work. I may ask him if I can do a remote access to his machine
and try some things - but he uses it most of the time.
>Did you say that the problem doesn't exist when using Firefox?
>If so, has he tried uninstalling and re-installing IE to see if that has any
>effect?
It doesn't - and he hasn't - I may try that.
>Presumably he has reported the issue to Virgin and they're looking into
>their DNS configuration?
Yes - they said that he had a virus!!
date: Tue, 22 Jul 2008 13:58:09 +0100
author: judith
|
Re: Major Bank On-line Security Problem?
judith wrote:
> On Tue, 22 Jul 2008 12:49:23 +0100, "\(used to be\) Fat Sam"
> wrote:
>
>> judith wrote:
>>> On Mon, 21 Jul 2008 18:43:21 +0100, "\(used to be\) Fat Sam"
>>> wrote:
>>>
>>> <snip>
>>>
>>>>
>>>> Will be interesting to see what turns up when he checks the hosts
>>>> file. Good to know that the problem has been resolved. It's a very
>>>> graphic illustration of the importance of constant vigilance when
>>>> visiting secure sites.
>>>>
>>>
>>> The problem still exists.
>>>
>>> Here is a summary of what has been done - at either request of bank,
>>> me, or someone here.
>>>
>>>
>>> 1) No problems with Firefox
>>> 2) Panda Anti-Rootkit 1.08 - in depth scan
>>> 3) Panda Active Scan 2.0
>>> 4) Trend Micro Anti-rootkit
>>> 5) F-secure Anti-rootkit
>>> 6) Are these files on your machine?:
>>> ed47fa.$
>>> fa56d7ec.$$$
>>> bca4e2da.$$$
>>> Answer: NO
>>> 7) Look in Hosts and LMHOSTS - they are both normal
>>> 8) Run DNS check http://www.doxpara.com/
>>> Result : 195.188.152.62 appears to be safe
>>> He is on VirginMedia - it appears to be an old telewest DNS
>>> 9) F-Secure BlackLight
>>> 10) HijackThis
>>> 11) The bank have said that there are a "number of Virgin media
>>> customers affected - but it is not limited to that ISP"
>>>
>>>
>>> (I am not expecting it to be solved by these groups - I will
>>> continue with updates for interest)
>>>
>>> But thanks for suggestions.
>>
>> Out of interest, does he know how to set up a proxy to connect
>> through? Would be interesting to see if the problem persists when
>> using a proxy server.
>
> No - and to be honest he seems happy now that he is using Firefox -
> and the problem is definitely not there - as he wants to crack on with
> his work. I may ask him if I can do a remote access to his machine
> and try some things - but he uses it most of the time.
Fair play.
The new Firefox is a fantastic browser. Far better than IE, so he'll no
doubt enjoy his online experience more now.
>> Did you say that the problem doesn't exist when using Firefox?
>> If so, has he tried uninstalling and re-installing IE to see if that
>> has any effect?
>
> It doesn't - and he hasn't - I may try that.
>
>> Presumably he has reported the issue to Virgin and they're looking
>> into their DNS configuration?
>
> Yes - they said that he had a virus!!
LOL. The last resort suggestion of technical helpdesks all around the world.
date: Tue, 22 Jul 2008 19:34:42 +0100
author: \(used to be\) Fat Sam
|
Re: Major Bank On-line Security Problem?
On Tue, 22 Jul 2008 19:34:42 +0100, "\(used to be\) Fat Sam"
wrote:
>>> Presumably he has reported the issue to Virgin and they're looking
>>> into their DNS configuration?
>>
>> Yes - they said that he had a virus!!
>
>LOL. The last resort suggestion of technical helpdesks all around the world.
Although, in this case, it's hard to escape that conclusion. A DNS
issue would affect Firefox as well as IE, so a compromise on the local
PC seems the most likely explanation.
Personally, I'd wipe the hard disk and reinstall the OS.
Mike.
date: Tue, 22 Jul 2008 21:39:59 +0100
author: Mike
|
Re: Major Bank On-line Security Problem?
Mike wrote:
> On Tue, 22 Jul 2008 19:34:42 +0100, "\(used to be\) Fat Sam"
> wrote:
>
>>>> Presumably he has reported the issue to Virgin and they're looking
>>>> into their DNS configuration?
>>>
>>> Yes - they said that he had a virus!!
>>
>> LOL. The last resort suggestion of technical helpdesks all around
>> the world.
>
> Although, in this case, it's hard to escape that conclusion. A DNS
> issue would affect Firefox as well as IE, so a compromise on the local
> PC seems the most likely explanation.
That's why I was so convinced it was a rogue entry in the hosts file.
But that turned out to be clean, so my theory was wrong.
> Personally, I'd wipe the hard disk and reinstall the OS.
Hmmm. A bit extreme really. But having said that, I'm all out of ideas.
date: Tue, 22 Jul 2008 21:32:32 +0100
author: \(used to be\) Fat Sam
|
Re: Major Bank On-line Security Problem?
(used to be) Fat Sam wrote:
> That's why I was so convinced it was a rogue entry in the hosts file.
> But that turned out to be clean, so my theory was wrong.
>
>> Personally, I'd wipe the hard disk and reinstall the OS.
>
> Hmmm. A bit extreme really. But having said that, I'm all out of ideas.
An entry in the hosts file would also affect Firefox. It is more likely to
be a rogue BHO (Browser Helper Object), or something similar infecting
Internet Explorer.
date: Tue, 22 Jul 2008 23:32:09 +0100
author: Jonathan Bryce ldomain
|
Re: Major Bank On-line Security Problem?
"(used to be) Fat Sam" wrote in message
news:g65g06$pod$1@aioe.org...
> Mike wrote:
>> On Tue, 22 Jul 2008 19:34:42 +0100, "\(used to be\) Fat Sam"
>> wrote:
>>
>>>>> Presumably he has reported the issue to Virgin and they're looking
>>>>> into their DNS configuration?
>>>>
>>>> Yes - they said that he had a virus!!
>>>
>>> LOL. The last resort suggestion of technical helpdesks all around
>>> the world.
>>
>> Although, in this case, it's hard to escape that conclusion. A DNS
>> issue would affect Firefox as well as IE, so a compromise on the local
>> PC seems the most likely explanation.
>
> That's why I was so convinced it was a rogue entry in the hosts file.
> But that turned out to be clean, so my theory was wrong.
>
>> Personally, I'd wipe the hard disk and reinstall the OS.
>
> Hmmm. A bit extreme really. But having said that, I'm all out of ideas.
I wouldn't say it was extreme. There is a fair chance the PC has been
compromised in some way, but nobody can identify how. If you can't tell how
it's been compromised, how can you fix it and be sure it is no longer
compromised? A few hours work to format and reinstall everything removes
that worry.
date: Wed, 23 Jul 2008 10:51:28 +0100
author: Simon Finnigan
|
Re: Major Bank On-line Security Problem?
> The easiest way to prevent such an attack is to make the "hosts" file
> read-only.
with a caveat that any programmer worth his salt will check for "Read
only", before trying to update the file. Many years ago, when I wrote
a virus as an academic exercise, I included a little bit of code which
checked for read-only, unset it, updated the file, then reset it ...
in this case, the safest bet is to make sure only the administrator
*account* has modify rights to the file, and never log in as
administrator.
IIRC in *nix based systems, the hosts file can't be modified from a
user account, read-only or not.
date: Wed, 23 Jul 2008 04:24:45 -0700 (PDT)
author: Jethro
|
Re: Major Bank On-line Security Problem?
On Tue, 22 Jul 2008 19:34:42 +0100, "\(used to be\) Fat Sam"
wrote:
>judith wrote:
>> On Tue, 22 Jul 2008 12:49:23 +0100, "\(used to be\) Fat Sam"
>> wrote:
>>
>>> judith wrote:
>>>> On Mon, 21 Jul 2008 18:43:21 +0100, "\(used to be\) Fat Sam"
>>>> wrote:
>>>>
>>>> <snip>
>>>>
>>>>>
>>>>> Will be interesting to see what turns up when he checks the hosts
>>>>> file. Good to know that the problem has been resolved. It's a very
>>>>> graphic illustration of the importance of constant vigilance when
>>>>> visiting secure sites.
>>>>>
>>>>
>>>> The problem still exists.
>>>>
>>>> Here is a summary of what has been done - at either request of bank,
>>>> me, or someone here.
>>>>
>>>>
>>>> 1) No problems with Firefox
>>>> 2) Panda Anti-Rootkit 1.08 - in depth scan
>>>> 3) Panda Active Scan 2.0
>>>> 4) Trend Micro Anti-rootkit
>>>> 5) F-secure Anti-rootkit
>>>> 6) Are these files on your machine?:
>>>> ed47fa.$
>>>> fa56d7ec.$$$
>>>> bca4e2da.$$$
>>>> Answer: NO
>>>> 7) Look in Hosts and LMHOSTS - they are both normal
>>>> 8) Run DNS check http://www.doxpara.com/
>>>> Result : 195.188.152.62 appears to be safe
>>>> He is on VirginMedia - it appears to be an old telewest DNS
>>>> 9) F-Secure BlackLight
>>>> 10) HijackThis
>>>> 11) The bank have said that there are a "number of Virgin media
>>>> customers affected - but it is not limited to that ISP"
>>>>
>>>>
>>>> (I am not expecting it to be solved by these groups - I will
>>>> continue with updates for interest)
>>>>
>>>> But thanks for suggestions.
>>>
>>> Out of interest, does he know how to set up a proxy to connect
>>> through? Would be interesting to see if the problem persists when
>>> using a proxy server.
>>
>> No - and to be honest he seems happy now that he is using Firefox -
>> and the problem is definitely not there - as he wants to crack on with
>> his work. I may ask him if I can do a remote access to his machine
>> and try some things - but he uses it most of the time.
>
>Fair play.
>The new Firefox is a fantastic browser. Far better than IE, so he'll no
>doubt enjoy his online experience more now.
>
>>> Did you say that the problem doesn't exist when using Firefox?
>>> If so, has he tried uninstalling and re-installing IE to see if that
>>> has any effect?
>>
>> It doesn't - and he hasn't - I may try that.
>>
>>> Presumably he has reported the issue to Virgin and they're looking
>>> into their DNS configuration?
>>
>> Yes - they said that he had a virus!!
>
>LOL. The last resort suggestion of technical helpdesks all around the world.
I thought that was reinstall Windows? Or is that the first resort for
all "helpdesks"?
--
(\__/) M.
(='.'=) Owing to the amount of spam posted via googlegroups and
(")_(") their inaction to the problem. I am blocking most articles
posted from there. If you wish your postings to be seen by
everyone you will need use a different method of posting.
See http://improve-usenet.org
date: Thu, 24 Jul 2008 09:19:28 +0100
author: Mark
|
Re: Major Bank On-line Security Problem?
In article <g65g06$pod$1@aioe.org>, "(used to be) Fat Sam"
writes
>Mike wrote:
>> On Tue, 22 Jul 2008 19:34:42 +0100, "\(used to be\) Fat Sam"
>> wrote:
>>
>>>>> Presumably he has reported the issue to Virgin and they're looking
>>>>> into their DNS configuration?
>>>>
>>>> Yes - they said that he had a virus!!
>>>
>>> LOL. The last resort suggestion of technical helpdesks all around
>>> the world.
>>
>> Although, in this case, it's hard to escape that conclusion. A DNS
>> issue would affect Firefox as well as IE, so a compromise on the local
>> PC seems the most likely explanation.
>
>That's why I was so convinced it was a rogue entry in the hosts file.
>But that turned out to be clean, so my theory was wrong.
>
>> Personally, I'd wipe the hard disk and reinstall the OS.
>
>Hmmm. A bit extreme really. But having said that, I'm all out of ideas.
>
>
A trojan?
http://www.symantec.com/security_response/writeup.jsp?docid=2007-060812-4603-99
--
David Lawson
date: Thu, 24 Jul 2008 16:04:13 +0100
author: news
|
Re: Major Bank On-line Security Problem?
> A trojan?
A variant of Vundo ?
Vundofix
http://vundofix.atribune.org/
date: Thu, 24 Jul 2008 20:00:26 +0100
author: Colin Wilson
|
Re: Major Bank On-line Security Problem?
Jethro wrote:
>> The easiest way to prevent such an attack is to make the "hosts" file
>> read-only.
>
> with a caveat that any programmer worth his salt will check for "Read
> only", before trying to update the file. Many years ago, when I wrote
> a virus as an academic exercise, I included a little bit of code which
> checked for read-only, unset it, updated the file, then reset it ...
> in this case, the safest bet is to make sure only the administrator
> *account* has modify rights to the file, and never log in as
> administrator.
>
> IIRC in *nix based systems, the hosts file can't be modified from a
> user account, read-only or not.
if you log on as root, or use sudo, and do
chmod 666 /etc/hosts
then everyone will be able to change it
You can use a standard account in Windows XP, then you won't be able to
change the hosts file. You won't be able to do a lot of other useful
things either though.
date: Mon, 28 Jul 2008 00:06:58 +0100
author: Jonathan Bryce ldomain
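Two points from the thread lend themselves to a quick check script: Mike and Cynic's exchange on hosts-file entries being host names rather than URLs (and overriding DNS for every program on the PC), and Jethro and Jonathan Bryce's exchange on file permissions, where a chmod 666 /etc/hosts lets any account change it. The script below is an added example written for this page, not code any poster supplied; the hosts file contents and the name www.examplebank.test are constructed placeholders.

```python
"""Audit a hosts file: flag entries that steer a watched host name (e.g. a
bank) away from loopback, flag URL-style lines the resolver will ignore, and
check whether the file's permission bits allow group or world write."""
import ipaddress
import os
import stat

# Constructed sample hosts file; the bank host name is a placeholder.
SAMPLE_HOSTS = """\
# hosts file (constructed example)
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.examplebank.test    # non-loopback entry for a watched host
203.0.113.5     http://www.example.test # a URL, not a host name: never matches
192.168.1.20    printer.lan
"""

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Return (entries, bad_lines): entries is a list of (ip, hostname) pairs,
    one per name on a line; bad_lines are lines whose address does not parse
    or whose name carries a URL scheme or path, which the resolver ignores."""
    entries, bad_lines = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            bad_lines.append(raw)
            continue
        for name in fields[1:]:
            if "/" in name:  # "http://..." pasted in, as the thread warns
                bad_lines.append(raw)
            else:
                entries.append((ip, name.lower()))
    return entries, bad_lines


def find_overrides(entries, watched):
    """Entries that steer a watched host name anywhere other than loopback."""
    watched = {w.lower() for w in watched}
    return [(str(ip), name) for ip, name in entries
            if name in watched and ip not in LOOPBACK]


def writable_by_others(mode):
    """True if the permission bits allow group or world write (e.g. 0o666)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_file(path, watched):
    """Run both checks against a real hosts file on disk."""
    with open(path, encoding="utf-8") as fh:
        entries, bad = parse_hosts(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"overrides": find_overrides(entries, watched),
            "bad_lines": bad, "world_writable": writable_by_others(mode)}
```

On a Unix machine, audit_file("/etc/hosts", ["www.examplebank.test"]) runs all three checks; on Windows the permission check is only meaningful via the file's ACL, which the thread's advice (modify rights for the administrator account only) already covers.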