Weird day with Windows Trojan/Malware and DNS Poisoning >.<

Posted: September 11, 2012 in Ubuntu

While assisting someone from the web forum who was infected by a Trojan/malware (it’s a Windows machine, FYI), I deliberately browsed to the suspected IP address, knowing that a Windows Trojan and/or malware wouldn’t harm my Ubuntu Linux machine. Wouldn’t it?
Well … my machine got infected! Immediately after I browsed to that IP address, my outbound internet connection was suddenly full of strange connections to some local (Indonesian) IP addresses and some other IPs from outside Indonesia.

netstat -a revealed nothing when no browser was open, but was suddenly full of established outgoing connections to port 443 (SSL) and other ports when I opened Chrome or Firefox on my Ubuntu machine. Some connections were legit (namely the infamous Google sin01*-site), but many were just rogue connections, and they steal(!) my bandwidth.

I installed AVG antivirus for Linux (the deb version for Debian/Ubuntu) and ClamAV, which I never thought I’d have on my Linux machine, but all the scans revealed nothing; rkhunter and chkrootkit said nada – no infection whatsoever, but the weird established outbound connections were still there.

So I retraced my steps to the IP address I browsed to before I got the problem and compared it with some of the IPs in my netstat output: it seemed that all the connections to the suspected IP were always forwarded to a248.e.akamai.net and some other rogue sites.

Further research revealed that the culprit was my DNS cache: it seemed that the rogue site manipulated my DNS cache so it could control my outbound connections, which was why I couldn’t find any infected file on my system ;) … and worse, dnsmasq was run by default on my Ubuntu 12.04 because it’s built into NetworkManager (with all the DNS poisoning threats lately I guess Canonical should disable it in 12.10).

Here’s what I did to fix my problem:

1. Clear all my browser caches

2. Edit NetworkManager.conf

sudo pico /etc/NetworkManager/NetworkManager.conf

3. Disable dnsmasq by commenting out the line:

#dns=dnsmasq

4. Restart Network Manager

sudo restart network-manager

5. Clear the dns cache

sudo /etc/init.d/dns-clean start

And just to be sure, I installed nscd too:

sudo apt-get install nscd

sudo /etc/init.d/nscd start

6. Done!
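As an added example that is not from the original post: a small POSIX shell script that applies step 3 to a copy of NetworkManager.conf and then inspects which nameservers a resolv.conf-style file points at, so you can confirm after step 4 that 127.0.0.1 (dnsmasq's local listener) is no longer the only resolver in use. File paths are passed as arguments, and the demo runs on constructed files rather than the real system config.

```shell
#!/bin/sh
# Added example: disable NetworkManager's built-in dnsmasq in a config file given
# as $1 and check a resolv.conf-style file. Demo uses constructed temp files only.

# True (exit 0) if the file still has an active, uncommented dns=dnsmasq line.
nm_dnsmasq_enabled() {
  grep -Eq '^[[:space:]]*dns=dnsmasq[[:space:]]*$' "$1"
}

# Comment out the dns=dnsmasq line, leaving every other line untouched.
# Writes via a temp file instead of sed -i so GNU and BSD sed behave the same.
disable_nm_dnsmasq() {
  conf="$1"
  sed 's/^[[:space:]]*dns=dnsmasq[[:space:]]*$/#dns=dnsmasq/' "$conf" > "$conf.tmp" &&
    mv "$conf.tmp" "$conf"
}

# Print the nameservers listed in a resolv.conf-style file ($1), one per line.
resolv_nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# True (exit 0) if the file lists nameservers and all of them are 127.0.0.1,
# i.e. every lookup still goes through the local dnsmasq cache.
resolver_only_local() {
  [ -n "$(resolv_nameservers "$1")" ] &&
    [ -z "$(resolv_nameservers "$1" | grep -v '^127\.0\.0\.1$')" ]
}

# --- demo on a constructed NetworkManager.conf (not the system file) ---
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[main]
plugins=ifupdown,keyfile
dns=dnsmasq

[ifupdown]
managed=false
EOF

if nm_dnsmasq_enabled "$demo_conf"; then
  echo "dns=dnsmasq is active in $demo_conf, commenting it out"
  disable_nm_dnsmasq "$demo_conf"
fi
grep -n 'dnsmasq' "$demo_conf"   # the line now reads #dns=dnsmasq
rm -f "$demo_conf"
```

Run `resolver_only_local /etc/resolv.conf` after restarting NetworkManager: if it still succeeds, lookups are still going through a local cache on 127.0.0.1.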
