Ian (![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
lovingboth) wrote2005-01-13 01:57 pm
lovingboth) wrote2005-01-13 01:57 pm
Entry tags:
Hmmm...
Update: it seems this odd "feature" of windowsupdate - you know, the way you get critical security patches - is indeed genuine. Gosh.
Remember the person who ran an attachment on an email pretending to be from his hotmail account which he knew he didn't send?
Something interesting is happening on our PCs, and although Sophos reckons there's no infection, it may well be linked.
Can you run the following two from the command line (Windows 9x: Start / Programs / MS-DOS Prompt, Win 2k/XP: Start / Programs / Command line, Linux: ... probably don't need to be told!)
ping windowsupdate.microsoft.com
ping v4.windowsupdate.microsoft.com
(Ping sends a small 'hello' message to the destination and expects a 'hello' back, but it's the IP address I'm particularly interested in...)
What's the result?
Remember the person who ran an attachment on an email pretending to be from his hotmail account which he knew he didn't send?
Something interesting is happening on our PCs, and although Sophos reckons there's no infection, it may well be linked.
Can you run the following two from the command line (Windows 9x: Start / Programs / MS-DOS Prompt, Win 2k/XP: Start / Programs / Command line, Linux: ... probably don't need to be told!)
ping windowsupdate.microsoft.com
ping v4.windowsupdate.microsoft.com
(Ping sends a small 'hello' message to the destination and expects a 'hello' back, but it's the IP address I'm particularly interested in...)
What's the result?
no subject
(no reply)
PING v4windowsupdate.microsoft.nsatc.net (207.46.245.126): 56 data bytes
(no reply)
no subject
Rather than that...
Name: windowsupdate.microsoft.nsatc.net
Address: 207.46.134.24
Name: windowsupdate.microsoft.nsatc.net
Address: 207.46.249.56
Name: v4windowsupdate.microsoft.nsatc.net
Address: 207.46.244.222
Name: v4windowsupdate.microsoft.nsatc.net
Address: 64.4.20.220
Name: v4windowsupdate.microsoft.nsatc.net
Address: 64.4.20.252
So, you're expecting to find different results, but only any of these mentioned above.
Re: Rather than that...
Unless you, apparently, live somewhere else in the world and you are directed somewhere else.
Re: Rather than that...
Domain Name: NSATC.NET
Created on..............: Wed, Sep 26, 2001
Expires on..............: Wed, Sep 26, 2007
Record last updated on..: Thu, Dec 09, 2004
Administrative Contact:
Technical Contact:
Zone Contact:
all
SAVVIS Communications
nsatc host
225 W Hillcrest Dr, Ste 250
Thousand Oaks, CA 91360
US
Phone: (805) 370 2100
Fax..: (805) 370 2101
Email: nsatc-host@savvis.net
If I were a nasty, having control of that would give me complete control over every updated copy of Windows.
If you get the same results, it's obviously genuine, but it's still jaw-dropping. I'm amazed that googling 'windowsupdate "nsatc net"' only gets a couple of hundred hits.
Re: Rather than that...
I'm pretty sure this is just plain old outsourcing - Savvis does serious heavy-lifting network stuff, and Microsoft is one of their big name punters.
(Incidentally, I'm not surprised that the hosts in question drop pings on the floor - that's just what I'd do with such high-profile sites that to any script kiddie have "DoS ME!" written in foot-high letters of fire on 'em.)
Re: Rather than that...
Then whenever the victim types in www.mybank.com or whatever, they end up on your fake site. Doesn't matter that you haven't hacked mybank.com's DNS, and there's no suspicious links to click on.
If you're really clever, the trojan deletes itself so when AV companies catch on, the PC looks clean.
Evil, but brilliant.
(I didn't think not responding to pings was suspicious! I wasn't happy that www.nsatc.net doesn't work though.)