Wasted Human cycle a.k.a. How dns-ok.us, dns-ok.de, etc. work

I came across these web sites while reading news about DNSChanger and shutting down the DNS servers that used to be controlled by it. I was curious how they work, so I decided to figure it out. Previously (for Conficker, for example) pages of this sort just included IFRAMEs pointing to web addresses that were known to be blocked by modified hosts files, e.g. pages of AV companies. If any of these were blocked, you would know there is something going on with your system.

In this case it’s different: the page is static and just shows either in

GREEN

or

RED


I guessed it might be a difference in DNS resolution that depends on your DNS settings: if the request goes through the ‘bad guy’ resolver, the server will return the IP for the red page; if your settings are good, it will return the IP for the green page.

Indeed, this is the case and you can confirm it via nslookup.

nslookup dns-ok.us
Name: dns-ok.us
Address: 38.68.193.96

nslookup dns-ok.us 77.67.83.1   <– 77.67.83.1 is a ‘bad guy’ DNS
Name: dns-ok.us
Address: 38.68.193.97

Check


Not rocket science.
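To make the mechanism concrete, here is an added example (my own Python, not code from the post or from the dns-ok.us operators): a minimal DNS client that builds an A query, parses the raw response including name compression, and maps the returned address to the page the browser would show. The two addresses are the ones from the nslookup output above; treating 38.68.193.97 as the ‘red’ answer follows from the post. The check_resolver() function sends a real UDP query to whatever resolver IP you pass it; fake_response() constructs a response so the parser can be exercised offline.

```python
import socket
import struct

# Addresses from the post's nslookup output: .96 is what a clean resolver
# returns (green page), .97 is what the DNSChanger resolver returns (red page).
GREEN_IP = "38.68.193.96"
RED_IP = "38.68.193.97"
CHECK_NAME = "dns-ok.us"


def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query for `name`, recursion desired (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(buf, off):
    """Read a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # caller resumes after the pointer, not the target
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(resp):
    """IPv4 addresses carried in the answer section of a raw DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):      # skip the echoed question(s)
        _, off = _read_name(resp, off)
        off += 4                  # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, off = _read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def classify(ips):
    """Map the answer to the page the browser would show."""
    if RED_IP in ips:
        return "RED"
    if GREEN_IP in ips:
        return "GREEN"
    return "UNKNOWN"  # neither address: wrong name, or a blocked/empty answer


def check_resolver(server, name=CHECK_NAME, timeout=3.0):
    """Ask `server` (an IP string) directly over UDP/53 and classify its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        resp, _ = sock.recvfrom(512)
    return classify(parse_a_records(resp))


def fake_response(name, ip, txid=0x1234):
    """Constructed response (for offline testing) pointing `name` at `ip`."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, RD+RA
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    for ip in (GREEN_IP, RED_IP):
        print(ip, "->", classify(parse_a_records(fake_response(CHECK_NAME, ip))))
```

The point of writing it this way is that the classification depends only on which resolver answers, exactly as the nslookup pair shows: the same query sent to two different servers yields two different addresses, and the web page itself never does any detection.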

When I found out, I googled for the IPs and, lo and behold, I immediately spotted a comment from a guy using the nick ‘TEA-Time’ talking about it a few weeks back on Brian Krebs’ blog: https://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/

Argh.

Here goes yet another wasted human cycle.

So this post is for you not to waste yours 🙂

RUStrings – extracting Russian strings from files

Running typical ‘strings’ tools over a suspicious file provides lots of useful information. The output typically gives an immediate clue what the file’s purpose is, e.g. is it a text file or a binary file, what is its file format and character encoding, is it compressed, what APIs, file names and URLs it refers to, and so on and so forth. If you are lucky, you may sometimes get visual output as well, e.g. ASCII art, as is the case with the well-known web shell r57.

RUStrings0

Now, the problem with ‘strings’ tools is that they are usually monolingual. They extract English strings in ANSI and Unicode format but forget about other languages; that is, they are unable to recognize strings that are non-English. Of course, it is non-trivial to write a tool that will recognize strings in a few dozen languages, as they all use various types of character encodings and each character can occupy not only a single byte but, in many cases, multiple bytes.

RUStrings.pl is a simple Perl script that tries to address this issue; while it focuses only on Russian strings, it can be relatively easily extended to cover other languages. The strings it extracts include:

  • ANSI
  • Unicode
  • 4 different Russian character encodings

The output will contain Cyrillic characters and has to be viewed with a program that supports various character encodings.
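As an added illustration of the idea (my own Python, not the RUStrings.pl script from the post), here is a scanner that looks for runs of Russian letters under several encodings at once. Which four single-byte code pages RUStrings.pl covers is not stated in the post; the choice of cp1251, KOI8-R, cp866 and ISO-8859-5 below is my assumption, and UTF-16LE stands in for ‘Unicode’ and UTF-8 for multi-byte strings. The SAMPLE blob is constructed for the example.

```python
import re

# Code points of the Russian alphabet: А..я (U+0410..U+044F) plus Ё/ё.
CYRILLIC = set(range(0x0410, 0x0450)) | {0x0401, 0x0451}
# The single-byte Russian code pages this example tries. This is an assumption:
# the post only says RUStrings.pl handles "4 different Russian character encodings".
SINGLE_BYTE_CODECS = ("cp1251", "koi8_r", "cp866", "iso8859_5")
# UTF-8 Cyrillic letters are two bytes: D0 90..BF, D1 80..8F, plus Ё (D0 81) / ё (D1 91).
UTF8_RUN = re.compile(rb"(?:\xd0[\x81\x90-\xbf]|\xd1[\x80-\x8f\x91]|\x20)+")


def _cyrillic_bytes(codec):
    """Byte values that decode to a Russian letter under a single-byte codec."""
    allowed = set()
    for b in range(0x80, 0x100):
        try:
            if ord(bytes([b]).decode(codec)) in CYRILLIC:
                allowed.add(b)
        except UnicodeDecodeError:  # byte undefined in this code page
            pass
    return allowed


def _letter_count(text):
    return sum(1 for ch in text if ord(ch) in CYRILLIC)


def _scan_units(data, unit_size, start, is_letter, decode, min_len):
    """Walk `data` in `unit_size` steps from `start`; yield (offset, text) for every
    maximal run of Russian letters (spaces allowed inside) with >= min_len letters."""
    space = b" " + b"\x00" * (unit_size - 1)  # a space in this unit width
    runs, run_start, i = [], None, start
    while i + unit_size <= len(data):
        unit = data[i:i + unit_size]
        if is_letter(unit) or unit == space:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            runs.append((run_start, i))
            run_start = None
        i += unit_size
    if run_start is not None:
        runs.append((run_start, i))
    for a, b in runs:
        text = decode(data[a:b]).strip()
        if _letter_count(text) >= min_len:
            yield a, text


def extract_russian_strings(data, min_len=4):
    """Return sorted [(offset, encoding, text)] for Russian strings in `data`.
    The same bytes may be reported under several single-byte code pages; the
    reading that forms real words is the right one, as with plain 'strings' output."""
    hits = []
    for codec in SINGLE_BYTE_CODECS:
        allowed = _cyrillic_bytes(codec)
        for off, text in _scan_units(data, 1, 0, lambda u: u[0] in allowed,
                                     lambda s: s.decode(codec), min_len):
            hits.append((off, codec, text))
    for start in (0, 1):  # UTF-16LE: try both alignments of the 16-bit code units
        for off, text in _scan_units(data, 2, start,
                                     lambda u: int.from_bytes(u, "little") in CYRILLIC,
                                     lambda s: s.decode("utf-16-le"), min_len):
            hits.append((off, "utf-16-le", text))
    for m in UTF8_RUN.finditer(data):
        text = m.group().decode("utf-8").strip()
        if _letter_count(text) >= min_len:
            hits.append((m.start(), "utf-8", text))
    return sorted(hits)


# Constructed sample: Russian strings in different encodings embedded in binary noise.
SAMPLE = (
    b"MZ\x90\x00"
    + "Привет мир".encode("cp1251") + b"\x00\x00"
    + "Файл не найден".encode("utf-16-le") + b"\x00\x00"
    + b"GET /index.html\r\n"
    + "Ошибка".encode("utf-8") + b"\x00"
    + "Пароль".encode("koi8_r") + b"\x00\x00"
)

if __name__ == "__main__":
    for off, enc, text in extract_russian_strings(SAMPLE):
        print(f"0x{off:04x} {enc:10} {text}")
```

Running it shows the inherent ambiguity of single-byte code pages: the cp1251 bytes of ‘Привет мир’ are also a valid run of KOI8-R letters and get reported a second time as gibberish, which is why the output still needs a human (or a viewer that can switch encodings, as in the post) to pick the reading that makes sense.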

Compare the following:

  • obtained via ‘strings’:

RUStrings1

and

  • via ‘RUStrings’:

RUStrings2

In case you are wondering what tool I am using to preview these: it is Total Commander’s built-in Lister viewer; it has a very cool feature that allows changing the character encoding on the spot, making Cyrillic (and other) characters ‘visible’.

Download