I came across these web sites while reading news about dnschanger and shutting down the DNS servers that used to be controlled by it. I was curious how it works, so decided to figure it out. Previously (for Conficker for example) this sort of pages just included IFRAMEs pointing to web addresses that were known to be blocked by modified hosts files, e.g. pages of AV companies. If any of these were blocked, you would know there is something going on with your system.

In this case it’s different. the page is static and just shows either in

GREEN

or

RED

I guessed it may be a change in DNS resolution that is different depending on your DNS settings – if the request goes through the ‘bad guy’, the server will return the ip for the red page, if your settings are good, it will return the green page.

Indeed, this is the case and you can confirm it via nslookup.

nslookup dns-ok.us
Name: dns-ok.us
Address: 38.68.193.96

nslookup dns-ok.us 77.67.83.1  <– 77.67.83.1 is a ‘bad guy’ DNS
Name: dns-ok.us
Address: 38.68.193.97

Check

• http://38.68.193.96/
• http://38.68.193.97/

Not a rocket science.

When I found out, I googled for IPs and lo and behold, I immediately spotted a comment from a guy using nick ‘TEA-Time’ talking about it few weeks back on Brian Krebs’ blog: https://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/

Argh.

Here goes yet another wasted human cycle.

So this post is for you not to waste yours 🙂