
Alureon Malware


13 replies to this topic

#1 Max_Real Qnx

Max_Real Qnx

    Gold Member

  • Patrician
  • 1382 posts
  • Location:Istanbul
  • Interests:To be or not to be that is the question.
  • Turkey

Posted 11 July 2012 - 06:09 PM



Many DNS servers are affected by this situation, so I cannot connect to reboot.pro from Turkey. But I have solved this problem with www.hidemyass.com for the time being. Best regards :hi:

http://www.bgr.in/ne...lureon-malware/

#2 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10452 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  • European Union

Posted 11 July 2012 - 08:10 PM

I don't think this problem is related to Alureon, I am using Ubuntu on a clean machine and suddenly started seeing that message as well.

When accessing http://filename.pro, which is on the same server but does not use Cloudflare, it worked fine. I just disabled Cloudflare on reboot and we are back in order.

:cheers:

#3 Max_Real Qnx

Max_Real Qnx

    Gold Member

  • Patrician
  • 1382 posts
  • Location:Istanbul
  • Interests:To be or not to be that is the question.
  • Turkey

Posted 11 July 2012 - 08:23 PM

Hi Nuno Brito ;)

You misinterpreted me. This problem stems from DNS servers around the world. That is a general problem, so it will take some time to clean all DNS servers of this malware. Best regards :hi:

#4 berce

berce

    Member

  • Members
  • 42 posts
  • Turkey

Posted 11 July 2012 - 08:31 PM

It seems they have probably fixed the problem. Also,

is Alureon Malware a newly emerged threat?

#5 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12688 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  • European Union

Posted 11 July 2012 - 08:32 PM

Thanks, Max!

I also have had this trouble many times today.
Now I know that it is not a reboot.pro site issue.

Nuno: As you told us, you disabled Cloudflare and the site still works properly (currently better).
What's the reason to have Cloudflare doing something here?

Peter

#6 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10452 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  • European Union

Posted 11 July 2012 - 08:38 PM

Hi Nuno Brito ;)

You misinterpreted me. This problem stems from DNS servers around the world. That is a general problem, so it will take some time to clean all DNS servers of this malware. Best regards :hi:

Ok then, let's wait until things get back to normal. :)

Thanks, Max!

I also have had this trouble many times today.
Now I know that it is not a reboot.pro site issue.

Nuno: As you told us, you disabled Cloudflare and the site still works properly (currently better).
What's the reason to have Cloudflare doing something here?

I am using their cache service to provide static resources such as small images faster, which brings down the bandwidth and CPU load imposed on our server. It is free to use and saved around 70% of our bandwidth when it was working as intended.
  • pscEx likes this

#7 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  • Belgium

Posted 12 July 2012 - 09:04 AM

You misinterpreted me. This problem stems from DNS servers around the world. That is a general problem, so it will take some time to clean all DNS servers of this malware. Best regards :hi:

There is nothing wrong with the DNS servers themselves. The Alureon malware only changed the default DNS server used by the client (Windows or Mac) to look up domain names. If you have the Alureon malware, you can't look up any DNS addresses anymore (so http://www.google.com can't be resolved to an IP address) (unless you have a secondary DNS server address set up), so you can only visit websites if you know the IP address. But most servers host multiple websites from the same IP, so only if you add it to your hosts file will you be able to visit those websites when you can't do any DNS server lookups anymore.
  • Max_Real Qnx likes this

#8 Max_Real Qnx

Max_Real Qnx

    Gold Member

  • Patrician
  • 1382 posts
  • Location:Istanbul
  • Interests:To be or not to be that is the question.
  • Turkey

Posted 12 July 2012 - 05:36 PM

Hi Icecube ;)

Thank you for your good explanation. But I want to ask only one question. If this malicious code infected the DNS server, what happens? Ultimately, aren't these DNS servers computers too? Therefore we are occasionally not able to reach internet pages. These DNS servers need to be cleaned of this harmful code by antivirus software. Am I wrong? Kind regards :hi:

#9 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12688 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  • European Union

Posted 12 July 2012 - 05:40 PM

I have to agree, Max.

I have also had trouble reaching reboot.pro. But several scanners told me that my PC is not infected.
So, where is the real "working point" :dubbio:

Peter
  • Max_Real Qnx likes this

#10 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  • Belgium

Posted 13 July 2012 - 06:37 AM

The malware just changed the IP addresses for the DNS server to an IP address that originally pointed to a DNS server under the control of the malware creators. Because of that, they could give the IP address of a web server under their control when you visited a banking site or other sites they found interesting. Later this DNS server was replaced by a non-malicious one, by the FBI. Now that the FBI has stopped their DNS server, people infected with the malware can't look up any domain name (unless they have a secondary DNS server address in their settings). So the DNS servers don't need cleaning; only the IP address must be set to a working DNS server.


The unreachability of reboot.pro had nothing to do with the malware (as the malware doesn't infect the DNS server itself). But the default DNS server you use can be unreachable for a while. I sometimes find that the DNS server of my ISP is down or unreachable. Temporarily changing the DNS server IP address to another server fixes it.

For example, you can use Google's DNS server for a while (save the values of your current DNS server). It is easy to remember:

8.8.8.8


Or you can use OpenDNS: http://www.opendns.com/

IP addresses:
208.67.222.222
208.67.220.220
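A defender-side check for the tampering Icecube describes in posts #7 and #10, added here as an example that is not part of the thread: it reads the configured resolvers out of an `ipconfig /all` excerpt, flags any that fall inside a rogue resolver range, marks the ones the owner chose on purpose, and reports the missing-secondary case the thread keeps coming back to. The allowlist, the sample output and the 192.0.2.0/24 placeholder range are constructed; real rogue ranges would come from the DCWG detect page linked later in the thread.

```python
import ipaddress

# Constructed allowlist: Google DNS and the OpenDNS addresses named in this thread.
TRUSTED_RESOLVERS = {"8.8.8.8", "208.67.222.222", "208.67.220.220"}
# Placeholder for the rogue ranges at http://www.dcwg.org/detect/; 192.0.2.0/24
# is the RFC 5737 documentation block and stands in for a real range.
ROGUE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed 'ipconfig /all' excerpt with a tampered primary resolver.
SAMPLE_IPCONFIG = """\
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _as_ip(token):  # ip_address with any IPv6 zone id ('%1') dropped, else None
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None

def parse_ipconfig(text):
    """Resolver IPs from the 'DNS Servers' line and its indented continuations."""
    resolvers, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS Servers"):
            in_block, line = True, line.split(":", 1)[1].strip()
        ip = _as_ip(line) if in_block else None
        if ip is None:
            in_block = False          # any non-address line ends the block
        else:
            resolvers.append(str(ip))
    return resolvers

def audit_resolvers(resolvers):
    """Verdict per resolver; 'rogue' means the client setting was changed by
    malware and must be pointed back at a working resolver by hand."""
    verdicts = {}
    for addr in resolvers:
        ip = ipaddress.ip_address(addr)
        rogue = any(ip in net for net in ROGUE_RANGES)
        verdicts[addr] = "rogue" if rogue else ("trusted" if addr in TRUSTED_RESOLVERS else "unverified")
    if len(resolvers) < 2:            # the thread's point about a secondary server
        verdicts["-"] = "no secondary resolver configured"
    return verdicts

if __name__ == "__main__":
    print(audit_resolvers(parse_ipconfig(SAMPLE_IPCONFIG)))
```

An "unverified" verdict is not an alarm by itself; it is the ISP- or router-assigned address that should be compared against what the ISP actually hands out.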



#11 Max_Real Qnx

Max_Real Qnx

    Gold Member

  • Patrician
  • 1382 posts
  • Location:Istanbul
  • Interests:To be or not to be that is the question.
  • Turkey

Posted 13 July 2012 - 03:49 PM

Hmm. Due to court bans, I cannot connect to many sites in my country via the DNS of my internet service provider. So before encountering this problem, I had already changed the DNS address to dnsadvantage. As a result, your logic is correct. But do you have evidence that supports what you said? How could a virus not infect the DNS servers themselves? If it can do that, what happens?

#12 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  • United States

Posted 14 July 2012 - 03:21 AM

But do you have evidence that supports what you said?

Let me ask you first why you are pointing fingers at malware. Next, if you are somehow convinced that you have been infected by malware, then why Alureon only?

How could a virus not infect the DNS servers themselves?

Yes, it can. But, IMO, there are only two possibilities when it can happen.
  • Either the server owners have to use the DNS server PC for downloading movies, torrents, online gaming, watching XXX sites, grabbing software, chatting on Facebook or in general surfing the Internet, where "by chance" the malware gets downloaded "locally" and executed on the server PC itself.
  • Or, there must exist some known or unknown vulnerability in the DNS server daemon itself which would allow the attacker to gain control on the DNS database "remotely".

If it can do that, what happens?

If it happens, then what is called DNS poisoning takes place.

#13 Max_Real Qnx

Max_Real Qnx

    Gold Member

  • Patrician
  • 1382 posts
  • Location:Istanbul
  • Interests:To be or not to be that is the question.
  • Turkey

Posted 14 July 2012 - 04:19 PM

Let me ask you first why you are pointing fingers at malware. Next, if you are somehow convinced that you have been infected by malware, then why Alureon only?


Hi Holmes.Sherlock ;)

Thank you for your understandable comments. Because this is not just a simple virus. It has a very complex structure. Unfortunately, it has spread worldwide. I think it is therefore dangerous enough not to be underestimated. Best regards :hi:

http://www.dailymail...net-Monday.html
http://support.kaspe.../?qid=208280684

#14 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  • Canada

Posted 10 August 2012 - 09:23 PM

I just saw this thread, but I know I posted something similar to this a while back: http://tech.reboot.p...ad.php?tid=2419

http://www.chron.com...uly-3497916.php

This undated handout image provided by The DNS Changer Working Group (DCWG) shows the webpage. It will only take a few clicks of the mouse. But for hundreds of thousands of computer users, those clicks could mean the difference between staying online and losing their connections this July


http://www.dcwg.org/detect/



