Fog Creek Software
Discussion Board




NewDotNet and VNC

We've encountered an error on a customer's PC that seems to indicate that NewDotNet.dll and VNC are being used together to hack the machine.

However, I can't find much on this subject.

All I can find is:

http://doxdesk.com/parasite/NewDotNet.html
http://www.cexx.org/newnet.htm

Which are both user support sites, which lack the authority sometimes required to act on such things. 

The other reference is what appears to be a rather unsavoury hacker site parading as a 'consultancy'

http://www.fixitright.co.uk/2_hacker_tools.shtml.htm

The tone of this page makes me very nervous.

What I cannot find is an official reference to the exploit.

The Microsoft web site contains this article, which states that older versions can cause problems but does not mention any security risks.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q302463

Does anybody know of any official, reputable sources regarding what looks to be a very dangerous exploit, or has the litigious nature of NewDotNet's distributor scared them all off?

Ged Byrne
Wednesday, December 17, 2003

I've been seeing something similar with SQL server.  This is in a VPN.  I've been getting really strange errors from SQL server having to do with the VNC dll.

christopher baus (www.baus.net)
Wednesday, December 17, 2003

NewDotNet is adware / spyware crap so uninstall it if you can.

DJ
Wednesday, December 17, 2003

Yes, but can NewDotNet be used to run VNC on the computer?

Or is NewDotNet just payload, like VNC?  Should I be looking for something else that did the actual delivery?

Ged Byrne
Wednesday, December 17, 2003

Christopher,

That sounds worrying.

Ged Byrne
Wednesday, December 17, 2003

Yea I know.  Can't figure that one out.  But both the VNC server and SQL server go down at the same time.  The MSSQL server pops up a dialog complaining about the VNC dll.  I don't get it at all. 

christopher baus (www.baus.net)
Wednesday, December 17, 2003

A useful troubleshooting tool is a personal firewall, such as the one from Kerio. After you install it, it will -- by default -- inquire about every incoming and outgoing connection. It takes an hour or two to configure a reasonable policy, and then you get to see what program makes and takes connections, and where from/to.

Of course, if anything looks fishy, you _should_ assume that all of your machines have been rootkitted, and you should trust anything about any of your machines anymore - get a laptop or desktop with two network connections, boot it into Knoppix or MEPIS or a security aware Linux distribution, configure it to route, put it in the middle of a connection, and watch the packets with ethereal (or tcpdump).

Remember what happened in Valve; one can't be too paranoid these days.

OriB.

Ori Berger
Wednesday, December 17, 2003

s/should trust/should NOT trust/g

Ori Berger
Wednesday, December 17, 2003
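
An added example, not part of the thread: a quick version of the "see what program takes connections" check above, applied to the VNC question. It parses saved `netstat -ano` output from the suspect PC and reports the PIDs listening on, or holding sessions on, VNC ports. The netstat sample is constructed, and the port ranges are an assumption (VNC defaults 5900-5909 and 5800-5809), so a server moved to another port will not show up.

```python
# Constructed sample of `netstat -ano` output from a Windows host (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       2312
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:1433      192.168.1.31:1067      ESTABLISHED     1520
  TCP    192.168.1.20:5900      203.0.113.45:4411      ESTABLISHED     2312
  UDP    0.0.0.0:1434           *:*                                    1520
"""

# Assumption: default VNC ports only (RFB displays 0-9 and the Java HTTP viewer).
VNC_PORTS = set(range(5900, 5910)) | set(range(5800, 5810))

def parse_netstat(text):
    """Turn `netstat -ano` text into dicts; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        port = f[1].rpartition(":")[2]      # rpartition also copes with [::]:5900
        if not port.isdigit():
            continue
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""   # UDP has no state
        rows.append({"proto": f[0], "local": f[1], "lport": int(port),
                     "remote": f[2], "state": state, "pid": int(f[-1])})
    return rows

def find_vnc(rows, ports=VNC_PORTS):
    """Return (kind, pid, local, remote) for each VNC listener or live session."""
    hits = []
    for r in rows:
        if r["proto"] != "TCP" or r["lport"] not in ports:
            continue
        if r["state"] == "LISTENING":
            hits.append(("LISTENER", r["pid"], r["local"], None))
        elif r["state"] == "ESTABLISHED":
            hits.append(("SESSION", r["pid"], r["local"], r["remote"]))
    return hits

if __name__ == "__main__":
    for kind, pid, local, remote in find_vnc(parse_netstat(SAMPLE)):
        print(kind, "pid", pid, local, "<-", remote or "-")
```

Each reported PID can be matched to an executable with `tasklist /FI "PID eq <pid>"`. As the post above says, output gathered on a machine you suspect is compromised is only a first look.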


Install Spybot Search & Destroy - update & clean your system

Spud
Wednesday, December 17, 2003

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q302463

http://www.newdotnet.com/

Just me (Sir to you)
Thursday, December 18, 2003
