DNS Unlocker ads #2

Posted on Thursday, September 17, 2015 by Nicki de Wet

In my quest to find the cause(s) for these DNS Unlocker ads, I found Steve Gibson's DNS Nameserver Spoofability Test to test my DNS.

This can identify any DNS issues that could cause these DNS Unlocker ads to be injected into sites you visit.

DNS Unlocker ads

Posted on by Nicki de Wet

It seems like DNS Unlocker ads injected into websites you visit are a big issue at the moment. I've seen them on sites I visited, and some other people I know have also experienced them.

All the resolution links I've seen seem to have the same procedure, and if none of the first couple of detection methods work they have a tool to download. Now I've not tried any of those so-called tools, but I have a suspicion that these 'tools' might actually put you in a worse position than you were in.

How do you get the ads? 
They seem to be injected by a rogue Google Analytics script. From looking at other sources on the web, it looks like DNS poisoning takes place somewhere upstream from my PC, which causes a DNS lookup for www.google-analytics.com to return the address of a rogue server posing as the real thing. The script served from that server loads another script from hosts on the dnsqa.me domain, which in turn loads the scripts that inject the ads into the page you are viewing.
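One way to check for the kind of upstream poisoning described above, as an added example that is not part of the original post: resolve the name through the system resolver and directly through independent public resolvers, then compare. Assumed: OpenDNS (208.67.222.222) and Google Public DNS (8.8.8.8) as the independent resolvers; a CDN-backed name may legitimately return different addresses, so a mismatch is a prompt to look closer (whois the address, check the served script), not proof of poisoning.

```python
import socket
import struct

PUBLIC_RESOLVERS = ["208.67.222.222", "8.8.8.8"]  # assumed: OpenDNS, Google Public DNS

def build_query(name, txid=0x1234):
    """Minimal RFC 1035 query for the A record of `name` (RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length

def parse_a_records(data, txid=0x1234):
    """IPv4 addresses from a DNS response; rejects packets not answering our id."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return sorted(addrs)

def resolve_via(server, name, timeout=3.0):
    # Ask one resolver directly over UDP, bypassing whatever the system resolver uses.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        return parse_a_records(sock.recv(512))

def compare_answers(name="www.google-analytics.com"):
    answers = {"system": sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})}
    for server in PUBLIC_RESOLVERS:  # per-resolver answers, side by side with the system's
        answers[server] = resolve_via(server, name)
    return answers
```

Run `compare_answers()` on the affected machine; an address that only the system resolver returns is the one to investigate.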

How do you get rid of it? 
On my machine no actual DNS Unlocker software got installed, and my DNS settings were also not changed. I ran Malwarebytes as well as AdwCleaner to scan for malware; they found a few cookies and cached pages but no actual installed malware that had to be removed. I also did a Reset in Chrome, which clears the cache, disables extensions and clears history. After this I still got the ads from time to time. Installing Malwarebytes and activating the 14-day Premium trial certainly picks up these rogue scripts and prevents them from being injected. I also installed AdBlock in Chrome and configured it to block all access to *.dnsqa.me and *.google-analytics.com, to prevent the malware from being injected by either of those two avenues.

Other possibilities
If your router still has the default password, it is possible that some application you installed could connect to the router and change its DNS settings. It is also possible that an application can change the DNS settings on your machine itself. Check both these locations to make sure that the DNS settings are configured to use the automatically provided values, or, if you manually configured DNS servers like OpenDNS, that they are still intact. If the DNS on your router was changed, make sure to change the default admin password on your router.

Different ways to prevent the injection
Install Malwarebytes and activate the 14-day Premium trial
Install the AdBlock extension in Chrome
Configure OpenDNS as your DNS provider.

Client certificate validation issues - WCF

Posted on Wednesday, August 12, 2015 by Nicki de Wet

We encountered an issue using client certificate authentication with a client certificate issued by a CA in the Trusted Root CA store.

The client certificate chain is valid when opening it on the server, showing the whole chain. When attaching it to a request the request would be rejected with response code 403 - Forbidden. Looking at the System eventlog for SChannel errors showed nothing.

Eventually we switched on WCF tracing, and found the following in the trace:

<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
    <Description>Client certificate is invalid with native error code 0x2013 (see http://go.microsoft.com/fwlink/?LinkId=187517 for details).</Description>
    <ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/HttpRequestTraceRecord">
            <User-Agent>Apache-HttpClient/4.1.1 (java 1.5)</User-Agent>

Searching on Google brought us no closer; eventually I found an old link I've used before under different but related circumstances: http://code-clarity.blogspot.com/2012/06/how-to-troubleshoot-ssltsl-or-x509.html. I enabled CAPI2 logging in the Event Viewer, and saw entries containing the following:

  <RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>
  <Certificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <IssuerCertificate fileRef="8782C6C304353BCFD29692D2593E7D44D934FF11.cer" subjectName="SecureTrust CA" />
  <Flags value="0" />
  <AdditionalParameters timeToUse="2015-08-12T07:58:21.234Z" currentTime="2015-08-12T07:58:21.234Z" urlRetrievalTimeout="PT15S" />
  <RevocationStatus index="0" error="80092013" reason="0" />
  <EventAuxInfo ProcessName="lsass.exe" />
  <CorrelationAuxInfo TaskId="{612311D8-4441-4C4B-91B1-0A049B93BFD7}" SeqNumber="5" />
  <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>

To identify which URLs are not accessible, look for entries like these:
  <SubjectCertificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <IssuerCertificate fileRef="8782C6C304353BCFD29692D2593E7D44D934FF11.cer" subjectName="SecureTrust CA" />
  <URL scheme="http">http://ocsp.trustwave.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ1mI4Ww4R5LZiQ295pj4OF%2F44yyAQUyk7dWyc1Kdn27sPlU%2B%2BkwBmWHa8CEEssZkb0NHdbZ980oE3VBOY%3D</URL>
  <Action name="CanRetrieveFromNetwork" />
  <EventAuxInfo ProcessName="lsass.exe" />
  <CorrelationAuxInfo TaskId="{612311D8-4441-4C4B-91B1-0A049B93BFD7}" SeqNumber="3" />
  <SubjectCertificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <IssuerCertificate fileRef="8782C6C304353BCFD29692D2593E7D44D934FF11.cer" subjectName="SecureTrust CA" />
  <URL scheme="http">http://crl.trustwave.com/STCA.crl</URL>
  <Action name="CanRetrieveFromNetwork" />
  <EventAuxInfo ProcessName="lsass.exe" />
  <CorrelationAuxInfo TaskId="{612311D8-4441-4C4B-91B1-0A049B93BFD7}" SeqNumber="4" />
Make sure that the URL(s) in the log entries are accessible; this should sort out the issue.
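As an added helper (not part of the original post), the following Python script pulls the revocation URLs and result codes out of CAPI2 event XML so the reachability check can be done systematically rather than by eye. The sample input is constructed from the fragments above and wrapped in a generic <Events> root, which is an assumption, not the real Event Viewer schema; check_url assumes a plain HTTP HEAD from the server is representative of how lsass.exe reaches those endpoints.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample assembled from the CAPI2 fragments quoted above; <Events>/<Event> wrapper is ours.
SAMPLE_EVENTS = """<Events>
  <Event>
    <SubjectCertificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
    <URL scheme="http">http://ocsp.trustwave.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ1mI4Ww4R5LZiQ295pj4OF%2F44yyAQUyk7dWyc1Kdn27sPlU%2B%2BkwBmWHa8CEEssZkb0NHdbZ980oE3VBOY%3D</URL>
    <Action name="CanRetrieveFromNetwork" />
  </Event>
  <Event>
    <SubjectCertificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
    <URL scheme="http">http://crl.trustwave.com/STCA.crl</URL>
    <Action name="CanRetrieveFromNetwork" />
  </Event>
  <Event>
    <RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>
    <Certificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  </Event>
</Events>"""

KNOWN_ERRORS = {"80092013": "CRYPT_E_REVOCATION_OFFLINE"}  # the 0x2013 native error in the WCF trace

def extract_revocation_urls(xml_text):
    """Return [(subject, url)] for every network fetch CAPI2 attempted."""
    results = []
    for event in ET.fromstring(xml_text).iter("Event"):
        subj = event.find("SubjectCertificate")
        for url in event.findall("URL"):
            results.append((subj.get("subjectName") if subj is not None else "", url.text.strip()))
    return results

def extract_failures(xml_text):
    """Return [(subject, hresult, symbolic name)] for non-zero revocation results."""
    failures = []
    for event in ET.fromstring(xml_text).iter("Event"):
        res = event.find("RevocationResult")
        cert = event.find("Certificate")
        if res is not None and res.get("value", "0") != "0":
            subj = cert.get("subjectName") if cert is not None else ""
            failures.append((subj, res.get("value"), KNOWN_ERRORS.get(res.get("value"), "unknown")))
    return failures

def check_url(url, timeout=15):
    """HEAD the URL from the server; returns 'HTTP <status>' or the error text."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return "HTTP %d" % resp.getcode()
    except OSError as exc:  # URLError is an OSError subclass; covers DNS, proxy and timeout failures
        return "unreachable: %s" % exc
```

Feed it the exported CAPI2 events from the server, then run check_url over each extracted URL; the default timeout mirrors the 15-second urlRetrievalTimeout in the log.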

Help! I've imported a certificate using the mmc snap-in and it is not associated with a private key!

Posted on Thursday, June 4, 2015 by Nicki de Wet

Don't fear, use the following command to fix the association:

certutil -repairstore my "certificate serialnumber"

After this step, refresh the view in mmc; a key should now be displayed as part of the certificate icon.

SSL cert generation using OpenSSL

Posted on Thursday, September 18, 2014 by Nicki de Wet

Create CA

Generate private key for CA

openssl genrsa -des3 -out keys/ca.key 1024

Generate CA cert

openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer

Generate server cert request

Generate private key for server cert

openssl genrsa -out keys/servercert.key 2048

Generate server certificate request 

openssl req -new -key keys/servercert.key -out requests/certreq.txt

Sign certificate request and create certificate

openssl ca -policy policy_anything -config openssl.conf -cert certs/ca.cer -in requests/certreq.txt -keyfile keys/ca.key -days 360 -out certs/servercert.cer

Combine private key and certificate in PKCS#12 format for importing into Windows

openssl pkcs12 -export -out servercert.p12 -in certs/servercert.cer -inkey keys/servercert.key


Excel trick for creating Gantt chart

Posted on Tuesday, September 16, 2014 by Nicki de Wet

This is quite a useful trick to create a Gantt chart to chart latency of individual requests to some service over time.


Error installing Windows 8.1 Update for x64-based Systems (KB2919355) - error 80070005

Posted on Saturday, April 26, 2014 by Nicki de Wet

My computer is not able to install this latest update from Microsoft. It has already been upgraded to 8.1 without any issues.

I ran Process Monitor and found this:

Date & Time: 2014-04-26 05:30:50 PM
Event Class: File System
Operation: SetLinkInformationFile
Path: C:\Windows\WinSxS\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.3.9600.16384_en-gb_680d99c9c1bb411e\bootmgr.efi.mui
TID: 3056
Duration: 0.0000421
ReplaceIfExists: True
FileName: \SystemRoot\WinSxS\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.3.9600.17031_en-gb_68408c0dc1958b90\bootmgr.efi.mui

The process details:
Description: Windows Modules Installer Worker
Company: Microsoft Corporation
Name: TiWorker.exe
Version: 6.3.9600.17031 (winblue_gdr.140221-1952)
Path: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17031_none_fa50b3979b1bcb4a\TiWorker.exe
Command Line: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17031_none_fa50b3979b1bcb4a\TiWorker.exe -Embedding
PID: 3316
Parent PID: 672
Session ID: 0
Auth ID: 00000000:000003e7
Architecture: 64-bit
Virtualized: False
Integrity: System
Started: 2014-04-26 05:21:13 PM
Ended: (Running)

Having a look at the permissions on the bootmgr.efi.mui files in both referenced locations shows that SYSTEM can only read and execute these files, which is most likely why the update fails.

My machine originally had a local account, and when I installed the 8.1 upgrade it changed my local account to a live account against my wishes. This should not have anything to do with it, as Windows Update does not run as me, right?

Is it safe to change the permissions so that SYSTEM has write access as well?

EDIT: After all this, the solution found here is quite simple: just reboot and only open Windows Update and install the update. It seems some files might have been held by other processes.