Sunday, January 13, 2008

Part 3: A Virtual Private Hijacking

MyFamily.com's Browser Hijacker

Image: "Business Hack," © fluca (Featurepics)

The Ancestry Insider suffers from a problem that has affected many: his browser is sometimes hijacked to MyFamily.com. Frustrated to his fill, he finally fixated on finding and fixing this problem.

In part 1, An Unholy Alliance, the Insider investigated his first suspect: TGN's former use of Gator. In part 2, the Insider's second suspect was browser hijackings caused by the MyFamily DNS Poisoning problem.

It wasn't either of these; what, then, is it?

Part 3: A Virtual Private Hijacking

Some Windows operating systems will let you see your DNS cache by running (Start > All Programs > Accessories) Command Prompt and typing this command:

ipconfig /displaydns

Someone with the poisoned cache problem described in part 2 would see this somewhere in their cache:

familysearch.org
----------------------------------------
Record Name . . . . . : familysearch.org
A (Host) Record . . . : 66.43.25.130

What I saw on my laptop was

xyz.familysearch.org
----------------------------------------
Record Name . . . . . : xyz.familysearch.org.cc.myfamily.com
A (Host) Record . . . : 66.43.25.130

My DNS cache was poisoned, but not in the way explained in part 2. When I looked up a non-existent host name, something on my laptop was appending "cc.myfamily.com" to it before the query went out. As we learned last time, the misconfigured MyFamily name servers will willingly claim any domain name passed to them and answer with the address of MyFamily.com (66.43.25.130).
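A check that can be run over a saved copy of the ipconfig /displaydns listing, added here as an example and not part of the post: it picks out every cached entry whose record name is the queried name with something appended, and reports the appended suffix together with the address it resolved to. A suffix that turns unrelated names into one and the same address is the pattern described above. The listing embedded below is constructed to mimic the post's entry plus two others (one ordinary name, one legitimately resolved through a company suffix); the addresses other than 66.43.25.130 are made up.

```python
"""Find cache entries in an `ipconfig /displaydns` listing that were resolved
with a DNS suffix appended. Added example with constructed data, not code
from the post."""
import re

# Constructed sample output in the format the post shows: the queried name
# as a header line, a rule of dashes, then "Field . . . : value" lines.
SAMPLE = """\
Windows IP Configuration

    xyz.familysearch.org
    ----------------------------------------
    Record Name . . . . . : xyz.familysearch.org.cc.myfamily.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3600
    Section . . . . . . . : Answer
    A (Host) Record . . . : 66.43.25.130

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.44

    intranet
    ----------------------------------------
    Record Name . . . . . : intranet.cc.tgn.com
    Record Type . . . . . : 1
    Section . . . . . . . : Answer
    A (Host) Record . . . : 10.0.0.5
"""

# One entry: header line, dashed rule, then non-blank lines up to a blank line.
ENTRY_RE = re.compile(
    r"^[ \t]*(?P<queried>\S+)[ \t]*\n[ \t]*-{10,}[ \t]*\n(?P<body>(?:[ \t]*\S.*\n?)+)",
    re.MULTILINE,
)
RECORD_NAME_RE = re.compile(r"Record Name[ .]*:\s*(\S+)")
A_RECORD_RE = re.compile(r"A \(Host\) Record[ .]*:\s*(\S+)")


def parse_displaydns(text):
    """Return one dict per cache entry: queried name, cached record name, A address."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        body = m.group("body")
        name = RECORD_NAME_RE.search(body)
        addr = A_RECORD_RE.search(body)
        entries.append({
            "queried": m.group("queried"),
            "record_name": name.group(1) if name else None,
            "address": addr.group(1) if addr else None,
        })
    return entries


def find_appended_suffixes(entries):
    """Return (queried, appended_suffix, address) for every entry whose cached
    record name is the queried name with a search-list suffix tacked on.
    Entries whose record name equals the queried name are left alone."""
    found = []
    for e in entries:
        queried = e["queried"].lower().rstrip(".")
        record = (e["record_name"] or "").lower().rstrip(".")
        if record != queried and record.startswith(queried + "."):
            found.append((e["queried"], record[len(queried) + 1:], e["address"]))
    return found


if __name__ == "__main__":
    # On a real machine: ipconfig /displaydns > cache.txt, then read that file here.
    for queried, suffix, address in find_appended_suffixes(parse_displaydns(SAMPLE)):
        print(f"{queried:25} resolved via suffix {suffix:20} -> {address}")
```

The report on its own does not say which suffix is bad: intranet.cc.tgn.com is exactly what a company search list is for. The entry to look at is the one where a name under some other organisation's domain came back with a suffix appended.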

Virtual Private Networks

The diagram below/left shows that companies operate private networks (in green) that connect to the web through a firewall. The firewall blocks access to the private network.

Some companies provide access to their private network to select employee computers outside the firewall by establishing a virtual private network (VPN) as illustrated in the diagram below/right.

To include an employee computer in a VPN, special software is installed on the employee's computer that allows the computer to use the Internet to create a virtual cable that plugs the computer into the company network. Even though the virtual cable actually communicates using the Internet, the information is secured and protected, making it as private as if a real cable had been strung from the employee's home all the way to the employee's workplace where it was plugged directly into the company's private network.

Resolution

I was playing with some of the other name server commands Michael Ditto mentioned in his poisoning article when my computer showed this list of DNS options:

Set options:
  nodebug
  timeout=2
  retry=1
  srchlist=cc.tgn.com/cc.myfamily.com

There it was! "cc.myfamily.com" was the same string that had been appended to xyz.familysearch.org!

When I installed the TGN VPN software on my laptop, it added to the srchlist option the DNS suffixes that machines plugged directly into the company network use. From that point forward, any time I entered a name that could not be found, the DNS resolver retried it with each item in the search list appended in turn. Once cc.myfamily.com was in that list, the misconfigured MyFamily name servers would answer and poison my cache. The unintended side effect was my browser hijacking problem.

My long search was over. I removed cc.myfamily.com from the srchlist and revved up my browser.
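The mechanism just described, modelled in a few lines so the search-list behaviour and the fix can be seen side by side. This is an added example, not code from the post or from any of the companies it names: the zone data is constructed, the "*" entry stands in for name servers that answer any name beneath their domain, and the only address taken from the post is 66.43.25.130. The resolver here tries the name as typed and then each suffix in turn, which is the behaviour the post describes; real resolvers add refinements that are left out.

```python
"""Model of how a DNS suffix search list turns a typo into a "hijack".
Added example with constructed data, not code from the post."""

MYFAMILY_IP = "66.43.25.130"  # address the post shows the poisoned records pointing at

# Constructed zone data. Each zone maps fully qualified names to addresses.
# The special key "*" makes a zone answer *any* name beneath it, which is
# the misbehaviour the post attributes to the cc.myfamily.com name servers.
ZONES = {
    "familysearch.org": {"www.familysearch.org": "192.0.2.10"},  # constructed address
    "cc.tgn.com": {"intranet.cc.tgn.com": "10.0.0.5"},            # constructed address
    "cc.myfamily.com": {"*": MYFAMILY_IP},
}


def lookup(fqdn):
    """Authoritative answer for one exact name: the address, or None for NXDOMAIN."""
    for zone, records in ZONES.items():
        if fqdn == zone or fqdn.endswith("." + zone):
            return records.get(fqdn, records.get("*"))
    return None


def resolve(name, srchlist, cache=None):
    """Stub-resolver behaviour the post describes: try the name as typed, then
    the name with each search-list suffix appended, stopping at the first
    answer. Returns (record_name, address), or (None, None) when nothing
    answered. If a dict is passed as `cache`, the result is recorded the way
    `ipconfig /displaydns` later shows it: queried name -> (record name, address)."""
    for candidate in [name] + [f"{name}.{suffix}" for suffix in srchlist]:
        address = lookup(candidate)
        if address is not None:
            if cache is not None:
                cache[name] = (candidate, address)
            return candidate, address
    return None, None


if __name__ == "__main__":
    cache = {}
    poisoned = ["cc.tgn.com", "cc.myfamily.com"]  # srchlist as the VPN client left it
    fixed = ["cc.tgn.com"]                         # srchlist after the post's fix
    print("with cc.myfamily.com:", resolve("xyz.familysearch.org", poisoned, cache))
    print("cache entry:         ", cache["xyz.familysearch.org"])
    print("without it:          ", resolve("xyz.familysearch.org", fixed))
    print("real host unaffected:", resolve("www.familysearch.org", poisoned))
    print("company host still OK:", resolve("intranet", fixed))
```

Removing the one suffix is enough: names that really exist are answered on the first try and never reach the search list, and the company suffix that the VPN client legitimately needs keeps working.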

I typed xyz.familysearch.org and...

A 404—page not found—error never looked so good!

2 comments:

  1. So, what can we do (in easy words) to fix that problem? I mean, think we are simple users with an XP and no knowledge of... DNS!

  2. Dear Simple User,

    I believe Windows XP is immune. You should be safe from MyFamily's problem.

    -- The Ancestry Insider
