Wednesday, March 31, 2010

It turns out Europe doesn't hate me after all

I have had an intermittent issue with accessing .co.uk websites. I haven't dealt with it as I was only reminded of it during the times I would be on Fark. It became one of those issues where I'll remember to deal with it in the morning, since I usually do my time wasting at night. The last thing I want to do is track down a name resolution problem. As it turns out, as it can many times, the symptoms I experienced were one of many that were actually part of a larger issue. It's actually an issue with top-level domains. I found the answer with the always helpful SBS server blog. I am using Small Business Server 2008, but it applies to all 2008 server editions providing the DNS role.


The official answer is: "When the DNS server saves the NS records to the cache, the TTL for the A (Glue) record gets changed to be 1 day. The TTL for the NS Record stays at 2 days. When the A records expire, the DNS server starts returning a 'Server Failure' response to the client that issues the dns query."


The resolution, as pointed out in KB 968372, is to cap the cache TTL at 2 days so the glue A records are not kept past the point where they have expired:


1. Start Registry Editor (regedit.exe).

2. Locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. On the Edit menu, click New, click DWORD (32-bit) Value, and then add the following value:

Value: MaxCacheTTL

Data Type: DWORD

Data value: 2A300 with the Hexadecimal base selected, or 172800 with Decimal selected (172800 seconds, or 2 days, matching the 2-day TTL of the cached NS records). The KB writes the value as 0x2A300, but the regedit dialog will not accept the 0x prefix; type just 2A300 and pick Hexadecimal.

4. Click OK.

5. Quit Registry Editor.

6. Restart the DNS Server service. The value is only read when the service starts, so the change does nothing until you do.
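The same fix from an elevated PowerShell prompt on the DNS server, so it can be scripted across several servers and verified instead of clicked through. This is an added example, not from the original post or from the KB; it assumes PowerShell 2.0 or later is available on the server, that the service is registered under its default name DNS, and that you substitute a .co.uk name you normally resolve for the test query at the end.

```powershell
# Added example: apply the KB 968372 MaxCacheTTL setting without regedit.
# Run as Administrator on the server holding the DNS role.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name = 'MaxCacheTTL'
$ttl  = 172800   # 2 days in seconds (0x2A300); must cover the 2-day NS record TTL

# Show the current value, if one has ever been set (nothing is printed otherwise)
Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty $name

# Create or overwrite the DWORD. The registry stores a plain number, so the
# hex-versus-decimal question only exists inside regedit's dialog box.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $ttl -Force | Out-Null

# Read it back and refuse to continue if it did not stick
$stored = (Get-ItemProperty -Path $key -Name $name).$name
if ($stored -ne $ttl) { throw "MaxCacheTTL is $stored, expected $ttl" }
"MaxCacheTTL = $stored seconds (0x{0:X})" -f $stored

# The DNS Server service reads Parameters only at startup, so restart it
Restart-Service -Name DNS -Force

# Throw away the stale glue records that were causing the SERVFAIL responses,
# then resolve a .co.uk name through this server (replace with any .co.uk host)
dnscmd /ClearCache
nslookup www.example.co.uk 127.0.0.1
```

If you prefer not to touch the registry directly, the same setting can be applied with dnscmd /Config /MaxCacheTtl 172800, which writes the identical value; either way the service restart and the cache clear are still needed before the .co.uk lookups start working.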

Monday, March 22, 2010

How did I get it?

Today we cover the question of how viruses are spread and how you catch them. Upon actually sitting down to write, I remembered just how much needs to be conveyed when it comes to malicious software. So, we are going to spread this subject over several posts.


The first major way viruses spread is through security holes.


Security holes are what you read about most often in the news. Virus writers find holes in the programming of an operating system that allow malicious code to enter the system. Worms are the most common type of virus to use this method. The core purpose of a worm is to replicate itself to other machines on a network. Remember that the network also includes the Internet. It propagates itself by searching out other computers with the same security hole or by emailing itself from the infected host. By itself, the normal result of a worm is the consumption of bandwidth. Basically it causes a traffic slowdown or Denial of Service (DoS).


Few pure worms exist; normally they also have a payload attached to them. Recent ones of note are Nimda, Code Red and Code Red 2, and Sasser.


Botnets are often created through worms. Botnets are infected machines where the payload allows remote control of the machine. Besides the normal bandwidth consumption of replication mentioned earlier, botnets become a zombie army of infected machines. An individual on a controller machine now has the ability to harness the power of thousands of machines to perform a specific task. A simple command can cause the controlled machines to email or send information packets at a specific target, be it a company, government agency, or Internet Service Provider. You can read more about Denial of Service and recent attacks here.

Monday, March 15, 2010

Viruses. Why do they do it?

I get a lot of questions from customers that I am happy to answer. The three most common are related to viruses.


Why do they (virus writers) do this?


How did I get it?


How do I prevent this from happening again?


We'll take them in order over the coming days. Today we cover the 'why' question.


The short answer is that there is money to be made. A lot of it. Long gone are the days when a virus's sole purpose was to eject your CD-ROM drive or cause your keyboard to type incorrect letters. Data and information are the commodity of the Internet age.


Viruses are appropriately named and very analogous to human viruses. They spread from one place to another, repeating their process again and again. Somebody (actually many somebodies) has a cold right now. Somebody (several million somebodies) is infected with a computer virus right now. From my experience cleaning them, those infected computers usually have multiple viruses at one time.


Theft of information on the Internet requires a new level of thinking in scale and purpose. Many people's concept of stealing a credit card is still centered on one person targeting another in a one-on-one situation, as it is done in the 'real' world. Viruses are automated thieves running 24/7. The number of active viruses out there broke the one million mark in 2008. That is just the number of active viruses. In Panda Security's 2009 report, they stated that their virus library over the past 20 years has reached 40 million samples. That's 40,000,000, most of them appearing in the past decade. That's a lot of viruses moving through a lot of computers at any given time.


Identities, credit card numbers, login information, passwords, and company data are bought and sold every minute. The number of people affected is in the millions each year and rising. Credit cards can be bought for pennies when purchased in bulk on the black market. Bank account numbers and credentials usually cost more due to their usable lifespan before the theft is detected, sometimes reaching thousands of dollars.


Corporations and government agencies have data that is a target for theft. The James Bond of today is also a virtual one, stealing intelligence information. Think of all the new technology that comes out yearly. Profits in the billions for the right new technology or insider trading tip.


In our next post we will cover how infections are spread.