My parents have been having an issue with the internet at their place for a while now. I’ve just had a chance to look at it and it is quite suspicious.
At random, after a Google search was performed, clicking one of the result links would redirect you to a site you were not expecting, primarily parked domains much like this one:
Other times, you would just be redirected to a parked page whenever you manually entered an address, again completely at random.
None of this made a lot of sense to me. While I have been visiting though, they have also started having websites load up some code on top of the original website that presented what appeared to be a Windows Vista/Windows 7 dialogue box:
This didn’t fool anyone here since every computer here is a Mac except for some of my brother’s, and he only uses the Windows computers for games anyway, not for browsing.
In the above screenshot, I was using Firefox, however it seems to come up in any browser, as per the below screenshot where I was using Chrome:
As you can see, it’s the same box and it greys out the website itself, very cleverly mimicking the behaviour of the security dialogues in Windows Vista and Windows 7.
The dialogue itself reads:
Windows Internet Security
Your browser is under the threat of infection. Windows requires your permission to install online protection tool.
Your browser is run in unsafe mode. Running the protection mode will help you to keep your computer safe. Staying at the suspicious website in unsafe mode may lead to the loss of personal data and computer breakage. To run the web browser in protected mode Windows requires installing the certified antivirus scanner software and online protection tool.
Name: Online Protection tool
Publisher: Microsoft Windows
Always trust this website
Allow – Don’t Allow
There is some suspect grammar in there, but otherwise, on a Windows Vista or Windows 7 machine, it would fit right in. Simply refreshing the website would get rid of it. It seems to be random as to when it loads, and as you can see from the above screenshots, it has come up on some quite reputable websites, including the TPG website.
I made the assumption once I realised it was happening on both browsers and after it happened on the TPG website, that something was injecting code between the server and us. That means either something has been done to the router, or something suspicious is going on at TPG. Since I use TPG at my place and have not had this issue, it seemed unlikely that it would be TPG.
I had a look at the router and after some digging around I had a look at the DNS settings, to see where the router was sending our requests. The DNS should be set to automatic with TPG, and with most other ISPs as well; however, my parents’ DNS settings were not:
As you can see, the DNS was set as:
Primary DNS server: 220.127.116.11
Secondary DNS server: 18.104.22.168
This seemed odd to me as it was unlikely that anyone here would have changed them. You have to know what you are looking for, and what to put there. Otherwise your internet connection isn’t going to work correctly.
I did a search for these IP addresses on IP-Lookup and found that both of these addresses point to a server in Ukraine on the http://ukrtelegroup.com.ua/ domain. Attempting to visit this domain returns an HTTP page with “nothing” as the only contents of the body. A whois query on the IP address returned the following information:
So, the IP address appears to be owned by a company called Promnet Ltd. I just had a look at their website, http://prom-net.com.ua/ and it appears that they are a hosting company that offers clients the ability to “Install any software or application, you want to use”.
A whois query on the domain name returned:
Here the company it is registered to appears to be “Elade Standart Limited” for both the administrative and technical contacts. Looking at the URL specified, this appears to be a domain name registration company which, translated, is called “Allied Standard Limited”.
Something very suspicious is going on here, so I set the DNS back to automatic and rebooted the router. After this the internet immediately went back to normal.
I went back and did some searching afterwards to see what other people have said about it, because I was unsure how exactly it would have happened in the first place aside from the router being hacked.
According to this forum post on GeeksToGo, there was a worm going around called Pipas.A that changed the DNS settings on individual computers to those mentioned earlier.
A post on the BleepingComputer forum indicated a trojan that was going around that sounds very similar to Pipas.A that changed the DNS settings. There was indication from some users that it could affect some routers as well.
One of the most comprehensive sites was gabrielharrison.co.uk which has a list of known bad IP addresses related to this.
The Wilders Security Forum also has some more information on it.
It seems to me unlikely that the router here was affected by one of the trojans, simply because if it were, after rebooting the router a few times I would have expected the DNS settings to be changed back to the custom ones. However, this has not been the case; they have stayed on automatic. It seems to me that the most likely cause was that they scanned a range of IP addresses and attempted to access each one.
When a router login screen appeared they could have attempted to crack the password, but more than likely would have just tried the default login details that are used for most routers, either admin/admin or admin/password.
All they would have to do then is change the DNS settings and reboot the router. It’s unlikely anyone would notice unless they were actively monitoring their traffic routing.
An important lesson from this: change your router password as soon as you set it up, and do not leave it on the default settings. Anyone outside can access your router too if they have the correct IP address. It’s then just a matter of figuring out the username and password.
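As an added example (not from the original post), here is a small Python check a defender can run to catch this kind of DNS change early. It parses the router’s DNS page text for the two resolver values quoted above, flags anything that is not one of the ISP’s automatic resolvers, and compares A-record answers from the suspect resolver against a trusted one to spot the “many unrelated names funnelled to one parked IP” pattern behind the random redirects. The ISP resolvers, the router page text and the answer sets are all constructed stand-ins using RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# The two resolver addresses quoted in the post above.
KNOWN_BAD_RESOLVERS = {"220.127.116.11", "18.104.22.168"}

# Constructed stand-ins (RFC 5737 documentation addresses), not real ISP values.
ISP_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Constructed copy of the router's DNS page, in the format quoted in the post.
ROUTER_PAGE = """Primary DNS server: 220.127.116.11
Secondary DNS server: 18.104.22.168"""

def parse_router_dns(page_text):
    """Extract every 'DNS server: a.b.c.d' value from the router's settings page."""
    return re.findall(r"DNS server:\s*(\d{1,3}(?:\.\d{1,3}){3})", page_text)

def audit_resolvers(configured, isp_resolvers):
    """Flag resolvers that are either known-bad or simply not the ISP's own."""
    findings = []
    for ip in configured:
        if ip in KNOWN_BAD_RESOLVERS:
            findings.append((ip, "known DNS-changer resolver"))
        elif ip not in isp_resolvers:
            findings.append((ip, "not an ISP resolver; set manually"))
    return findings

def find_sinkhole(suspect_answers, trusted_answers, min_domains=2):
    """Compare A-record answers for the same names from the suspect resolver and a
    trusted one. Honest mismatches (CDNs, geo-DNS) give scattered IPs; a hijack that
    swaps answers for a parked page funnels several unrelated names to one IP.
    Returns (ip, affected domains) or None."""
    divergent = {d: ip for d, ip in suspect_answers.items()
                 if trusted_answers.get(d) != ip}
    if not divergent:
        return None
    ip, count = Counter(divergent.values()).most_common(1)[0]
    if count < min_domains:
        return None
    return ip, sorted(d for d, a in divergent.items() if a == ip)

# Constructed answers: the suspect resolver rewrites three unrelated names.
TRUSTED = {"isp.example": "198.51.100.10", "shop.example": "198.51.100.20",
           "news.example": "198.51.100.30", "bank.example": "198.51.100.40"}
SUSPECT = {"isp.example": "192.0.2.99", "shop.example": "198.51.100.20",
           "news.example": "192.0.2.99", "bank.example": "192.0.2.99"}

if __name__ == "__main__":
    for ip, why in audit_resolvers(parse_router_dns(ROUTER_PAGE), ISP_RESOLVERS):
        print(f"resolver {ip}: {why}")
    print("sinkhole:", find_sinkhole(SUSPECT, TRUSTED))
```

In practice the trusted answers would come from a resolver you control or the ISP’s own, and the suspect answers from querying the router directly; a single divergent name is usually CDN noise, which is why the check requires at least two.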
I don’t know if any other important information is harvested as well, such as passwords and personal information, but I think it is worth changing passwords if you have had this happen to you, especially important passwords like bank access and the like.