DNS Unlocker ads #2

Posted on Thursday, September 17, 2015 by Nicki

In my quest to find the cause(s) for these DNS Unlocker ads, I found Steve Gibson's DNS Nameserver Spoofability Test to test my DNS.

This can identify whether the DNS resolvers your machine is using are vulnerable to spoofing, which is the kind of DNS issue that could cause these DNS Unlocker ads to be injected into sites you visit.

DNS Unlocker ads

Posted on by Nicki

It seems like DNS Unlocker ads injected into websites you visit are a big issue at the moment. I've seen them on sites I visited, and some other people I know have also experienced them.

All the resolution links I've seen seem to follow the same procedure, and if none of the first couple of detection methods work they have a tool to download. Now, I've not tried any of those so-called tools, but I have a suspicion that these 'tools' might actually put you in a worse position than the one you were in.

How do you get the ads? 
They seem to be injected by a rogue Google Analytics script. From looking at other sources on the web, it looks like DNS poisoning takes place somewhere upstream from my PC, so that a DNS lookup for www.google-analytics.com returns the address of a rogue server posing as the real one. The script served from there loads another script from hosts on the dnsqa.me domain, which in turn loads the scripts that inject the ads into the page you are viewing.

How do you get rid of it? 
On my machine no actual DNS Unlocker software got installed, and my DNS settings were also not changed. I ran Malwarebytes as well as AdwCleaner to scan for malware; they found a few cookies and cached pages but no actual installed malware that had to be removed. I also did a Reset in Chrome, which clears the cache, disables extensions and clears history. After this I still got the ads from time to time. Installing Malwarebytes and activating the 14-day Premium trial certainly picks up these rogue scripts and prevents them from being injected. I also installed AdBlock in Chrome and configured it to block all access to *.dnsqa.me and *.google-analytics.com, to prevent the malware from being injected by either of those two avenues.

Other possibilities
If your router still has the default password, it is possible that some application you installed could connect to the router and change its DNS settings. It is also possible for an application to change the DNS settings on your machine itself. Check both places to make sure the DNS settings are configured to use the automatically provided values, or, if you manually configured DNS servers like OpenDNS, that they are still intact. If the DNS on your router was changed, change the router's default admin password.
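The two checks above (is the answer for www.google-analytics.com being poisoned upstream, and have my resolver settings been changed) boil down to the same test: ask the resolver your machine actually uses and an independent resolver for the same name, and compare. The script below is an added example, not code from the original post. The hostname, the reference resolver (8.8.8.8 is only a well-known public resolver; use any you trust) and the hand-built reply it parses offline are assumptions; the reply uses RFC 5737 documentation addresses and was constructed for this example.

```python
"""Compare the A records your configured resolver returns for a hostname with
those from an independent resolver, to spot an upstream-poisoned answer.

Added example, not from the original post. TARGET, REFERENCE_RESOLVER and
constructed_reply() are assumptions made for the demonstration.
"""
import random
import socket
import struct

TARGET = "www.google-analytics.com"
REFERENCE_RESOLVER = "8.8.8.8"   # assumption: any independent resolver you trust


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """One A/IN question with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                         # refuse pointer loops in a hostile reply
                raise ValueError("too many compression pointers")
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                     # a name ends after its first pointer
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg: bytes, expected_txid: int):
    """IPv4 addresses in the answer section. A reply whose transaction id does
    not match the query is discarded, which is the least a client must do."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def query_a(name: str, resolver: str, timeout: float = 3.0):
    """Send one UDP query to `resolver` and return the A records it answers with."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_a_records(reply, txid)


def verdict(system_ips, reference_ips) -> str:
    """'ok' when every address the system resolver gave is also known to the
    reference resolver, 'suspicious' otherwise. CDNs hand out different
    addresses per region, so 'suspicious' means look closer (whois the address,
    open https://<ip>/ and inspect the certificate), not 'poisoned'."""
    return "ok" if set(system_ips) <= set(reference_ips) else "suspicious"


def constructed_reply(txid: int) -> bytes:
    """Hand-built reply for TARGET with one A record (constructed sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(TARGET) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("198.51.100.7")
    return header + question + answer


if __name__ == "__main__":
    # Live comparison: the OS resolver (via getaddrinfo) versus the reference resolver.
    system = sorted({ai[4][0] for ai in socket.getaddrinfo(TARGET, 443, socket.AF_INET)})
    reference = query_a(TARGET, REFERENCE_RESOLVER)
    print("system   :", system)
    print("reference:", reference)
    print("verdict  :", verdict(system, reference))
```

Run it as a script to do the live comparison. If port 53 is transparently intercepted somewhere upstream, the reference query is intercepted just like the system one and both answers will agree; in that case compare against a resolver reached over DNS-over-HTTPS or TLS instead.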

Different Ways to prevent the injection
Install Malwarebytes and activate the 14-day Premium trial.
Install the AdBlock extension in Chrome.
Configure OpenDNS as your DNS provider.

Client certificate validation issues - WCF

Posted on Wednesday, August 12, 2015 by Nicki

We encountered an issue using client certificate authentication with a client certificate issued by a CA in the Trusted Root CA store.

The client certificate chain is valid when the certificate is opened on the server, showing the whole chain. When attached to a request, however, the request was rejected with response code 403 - Forbidden. Looking at the System event log for SChannel errors showed nothing.

Eventually we switched on WCF tracing, and found the following in the trace:

<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
    <TraceIdentifier>http://msdn.microsoft.com/en-ZA/library/System.ServiceModel.Channels.HttpsClientCertificateInvalid.aspx</TraceIdentifier>
    <Description>Client certificate is invalid with native error code 0x2013 (see http://go.microsoft.com/fwlink/?LinkId=187517 for details).</Description>
    <AppDomain>MyApp.exe</AppDomain>
    <Source>System.ServiceModel.Channels.HttpsChannelListener`1[System.ServiceModel.Channels.IReplyChannel]/30640645</Source>
    <ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/HttpRequestTraceRecord">
        <Headers>
            <SOAPAction>"Authorize"</SOAPAction>
            <Connection>Keep-Alive</Connection>
            <Content-Length>1281</Content-Length>
            <Content-Type>text/xml;charset=UTF-8</Content-Type>
            <Accept-Encoding>gzip,deflate</Accept-Encoding>
            <Host>MyAppURL</Host>
            <User-Agent>Apache-HttpClient/4.1.1 (java 1.5)</User-Agent>
        </Headers>
        <Url>https://MyAppURL</Url>
    </ExtendedData>
</TraceRecord>
Searching on Google brought us no closer; eventually I found an old link I've used before under different but related circumstances: http://code-clarity.blogspot.com/2012/06/how-to-troubleshoot-ssltsl-or-x509.html. I enabled CAPI2 logging in the Event Viewer, and saw entries containing the following:

<RevocationInfo>
  <RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>
</RevocationInfo>
<TrustStatus>
  <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
  <InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<CertVerifyRevocation>
  <Certificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <IssuerCertificate fileRef="8782C6C304353BCFD29692D2593E7D44D934FF11.cer" subjectName="SecureTrust CA" />
  <Flags value="0" />
  <AdditionalParameters timeToUse="2015-08-12T07:58:21.234Z" currentTime="2015-08-12T07:58:21.234Z" urlRetrievalTimeout="PT15S" />
  <RevocationStatus index="0" error="80092013" reason="0" />
  <EventAuxInfo ProcessName="lsass.exe" />
  <CorrelationAuxInfo TaskId="{612311D8-4441-4C4B-91B1-0A049B93BFD7}" SeqNumber="5" />
  <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
</CertVerifyRevocation>

To identify which URLs are not accessible, look for entries like these:
<CertRejectedRevocationInfo>
  <SubjectCertificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <IssuerCertificate fileRef="8782C6C304353BCFD29692D2593E7D44D934FF11.cer" subjectName="SecureTrust CA" />
  <URL scheme="http">http://ocsp.trustwave.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ1mI4Ww4R5LZiQ295pj4OF%2F44yyAQUyk7dWyc1Kdn27sPlU%2B%2BkwBmWHa8CEEssZkb0NHdbZ980oE3VBOY%3D</URL>
  <EarliestOnlineTime>2015-08-12T08:15:03.729Z</EarliestOnlineTime>
  <Action name="CanRetrieveFromNetwork" />
  <EventAuxInfo ProcessName="lsass.exe" />
  <CorrelationAuxInfo TaskId="{612311D8-4441-4C4B-91B1-0A049B93BFD7}" SeqNumber="3" />
</CertRejectedRevocationInfo>
<CertRejectedRevocationInfo>
  <SubjectCertificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <IssuerCertificate fileRef="8782C6C304353BCFD29692D2593E7D44D934FF11.cer" subjectName="SecureTrust CA" />
  <URL scheme="http">http://crl.trustwave.com/STCA.crl</URL>
  <EarliestOnlineTime>2015-08-12T08:15:04.759Z</EarliestOnlineTime>
  <Action name="CanRetrieveFromNetwork" />
  <EventAuxInfo ProcessName="lsass.exe" />
  <CorrelationAuxInfo TaskId="{612311D8-4441-4C4B-91B1-0A049B93BFD7}" SeqNumber="4" />
</CertRejectedRevocationInfo>
Make sure that the URL(s) in those entries are reachable from the server itself. Note the ProcessName in the events: the fetch is done by lsass.exe, so it is the machine's own outbound HTTP access (including the system WinHTTP proxy, not a logged-in user's browser proxy) that has to allow it, and it has to answer within the urlRetrievalTimeout shown in the log (15 s here). Once the OCSP and CRL endpoints can be retrieved, the 403 responses should stop.
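To make that check repeatable, the script below pulls the rejected URLs and the revocation result out of CAPI2 events, decodes the ErrorStatus bits, and can probe each endpoint from the server. It is an added example, not code from the original post. SAMPLE_EVENT is constructed from the fragments quoted above and wrapped in a root element so it parses; a real export from Event Viewer (Applications and Services Logs > Microsoft > Windows > CAPI2 > Operational, saved as XML) carries the same elements under Event/UserData, which the namespace stripping handles. The result value 80092013 is CRYPT_E_REVOCATION_OFFLINE, and the native error code 0x2013 in the WCF trace above is the low 16 bits of that same HRESULT.

```python
"""Extract the revocation endpoints CryptoAPI could not reach from CAPI2
operational-log events, decode the trust-status flags, and optionally probe
the endpoints from the server.

Added example, not from the original post. SAMPLE_EVENT is constructed from
the fragments in the post and wrapped in a root element so it parses.
"""
import urllib.request
import xml.etree.ElementTree as ET

# Values from wincrypt.h; only the bits that occur in this incident are listed.
CERT_TRUST_FLAGS = {
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
CRYPT_E_REVOCATION_OFFLINE = 0x80092013

SAMPLE_EVENT = """<CAPI2Sample>
  <TrustStatus>
    <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
  </TrustStatus>
  <CertVerifyRevocation>
    <Certificate subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
    <IssuerCertificate subjectName="SecureTrust CA" />
    <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
  </CertVerifyRevocation>
  <CertRejectedRevocationInfo>
    <SubjectCertificate subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
    <URL scheme="http">http://ocsp.trustwave.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ1mI4Ww4R5LZiQ295pj4OF%2F44yyAQUyk7dWyc1Kdn27sPlU%2B%2BkwBmWHa8CEEssZkb0NHdbZ980oE3VBOY%3D</URL>
    <Action name="CanRetrieveFromNetwork" />
  </CertRejectedRevocationInfo>
  <CertRejectedRevocationInfo>
    <SubjectCertificate subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
    <URL scheme="http">http://crl.trustwave.com/STCA.crl</URL>
    <Action name="CanRetrieveFromNetwork" />
  </CertRejectedRevocationInfo>
</CAPI2Sample>"""


def _load(xml_text: str) -> ET.Element:
    """Parse and drop XML namespaces so the same lookups work on raw Event Viewer exports."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def decode_error_status(value_hex: str):
    """Turn the ErrorStatus hex value into the CERT_TRUST_* names it is made of."""
    value = int(value_hex, 16)
    names = [name for bit, name in sorted(CERT_TRUST_FLAGS.items()) if value & bit]
    leftover = value & ~sum(CERT_TRUST_FLAGS)
    if leftover:
        names.append(f"unknown bits 0x{leftover:08x}")
    return names


def rejected_urls(xml_text: str):
    """(subject, url) for every endpoint CryptoAPI gave up on."""
    out = []
    for info in _load(xml_text).iter("CertRejectedRevocationInfo"):
        subject = info.find("SubjectCertificate").get("subjectName")
        out.append((subject, info.find("URL").text.strip()))
    return out


def revocation_results(xml_text: str):
    """(subject, HRESULT) for every CertVerifyRevocation event."""
    out = []
    for ev in _load(xml_text).iter("CertVerifyRevocation"):
        subject = ev.find("Certificate").get("subjectName")
        out.append((subject, int(ev.find("Result").get("value"), 16)))
    return out


def probe(url: str, timeout: float = 15.0) -> str:
    """Fetch `url` and report status and content type. A GET on the encoded OCSP
    URL is itself a valid OCSP request (RFC 6960 appendix A), so one probe serves
    both kinds of endpoint. Run it on the server: lsass.exe does the real fetch
    from there, and the 15 s default mirrors the urlRetrievalTimeout in the log."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return f"{resp.status} {resp.headers.get('Content-Type', '')}"
    except Exception as exc:  # report the reason rather than abort the sweep
        return f"unreachable: {exc}"


if __name__ == "__main__":
    for subject, code in revocation_results(SAMPLE_EVENT):
        tag = "  (CRYPT_E_REVOCATION_OFFLINE)" if code == CRYPT_E_REVOCATION_OFFLINE else ""
        print(f"{subject}: 0x{code:08x}{tag}")
    status = _load(SAMPLE_EVENT).find(".//ErrorStatus").get("value")
    print("ErrorStatus bits:", ", ".join(decode_error_status(status)))
    for _subject, url in rejected_urls(SAMPLE_EVENT):
        print(f"{url}\n  -> {probe(url)}")
```

Feed it the saved XML of the real events in place of SAMPLE_EVENT and run it on the affected server; a CRL endpoint should answer 200 with application/pkix-crl and the OCSP one with application/ocsp-response. Anything else (a proxy login page, a timeout, a DNS failure) is the reason lsass.exe reported the revocation server as offline.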

Help! I've imported a certificate using the mmc snap-in and it is not associated with a private key!

Posted on Thursday, June 4, 2015 by Nicki

Don't fear, use the following command to fix the association (run it from an elevated prompt for the Local Machine store; add -user for the Current User store):

certutil -repairstore my "certificate serialnumber"

After this step, refresh the view in mmc; a key should now be displayed as part of the certificate icon. This only works when the matching private key already exists on that machine (the request was generated there, or a PFX containing the key was imported): certutil re-links the certificate to its key container, it cannot create a key.