[unisog] Qhosts again
Phillip G Deneault
deneault at WPI.EDU
Fri Oct 24 00:08:15 GMT 2003
I'm not sure if these are _only_ related to Qhosts but I have found a
number of IPs in people's hosts files and DNS settings in much the same
style as Qhosts. I've included the ones I've seen below.
In hosts files:
In DNS settings:
It's easy to make Snort rules for these to find infected computers.
On Tue, 21 Oct 2003, Jeff Bollinger wrote:
> Is it reasonable to think that border filtering the DNS server IP
> addresses coded into the Qhosts trojan would break DNS for the infected?
> I've looked around a bit and have only seen these three IP addresses
> for the DNS rerouting:
> Are there other known DNS servers used by this trojan?
> Jeff Bollinger, CISSP
> University of North Carolina
> IT Security Analyst
> 105 Abernethy Hall
> mailto: jeff @unc dot edu
Phil Deneault
deneault at wpi.edu
WPI NetOps
InfoSec

"We work in the dark, We do what we can, We give what we have. Our doubt
is our passion, and our passion is our task. The rest is the madness of
art." - Henry James