08-03-2016 10:49 AM
I recently set up OpenDNS on Windows Server 2012 R2 after one of the wireless routers on our network was infected with a virus that sent DOS Attacks to our server. I have been impressed with how well it is working.
Since installing, I have had constant blocks from geo-um.btrll.com. When monitoring the network with Wireshark on the server, all PCs on the network are communicating with this host, but no evidence shows up when browsing. Is OpenDNS blocking redirects? I have read up that this is what this particular virus does here:
One of the people on the network for personal use said he had a web message that said he had a virus and he should call a number. This is the first thing that comes up when searching for the virus. His laptop is not on the network currently, but requests are still coming from all computers including mine, but I see no evidence of redirects or unknown software or extensions.
08-03-2016 05:23 PM
I'm not sure what it is that you're asking for here. OpenDNS does nothing to prevent (or allow) redirects. Being based on recursive DNS all that it really does is provide the "real" IP address of a domain in response to a DNS request, or block it by providing an IP address that points back to one of their "blocked" pages.
If you want OpenDNS to stop attacks originating from this domain, it can't do that, since DNS (and by extension, OpenDNS) has nothing to do with incoming traffic.
You can however use OpenDNS to blacklist this domain. It won't prevent DNS lookups to the domain, and in fact will likely generate a lot more DNS lookups to that particular domain if something on your network is trying to reach it. However, that will prevent whatever is trying to reach that domain from getting there.
Some of these redirect viruses can be rather persistent, especially if they take the form of rootkits, or install themselves as browser extensions.
The link you provided looks to have some effective mitigations for this virus, although I'm not familiar with any of the software that they suggest downloading and I can't recommend using them. Instead I'd rely on a mix of an antivirus solution and a tool such as Malwarebytes in their place.
I have no idea of the size of your network, but if every machine on your network is doing this (though you didn't say whether the server is doing this as well), you have some serious problems. Although tedious and time consuming, I'd physically disconnect every machine from the network, then follow the clean-up procedures outlined in the link before reconnecting a machine. As you are reconnecting them you should continue monitoring with Wireshark to see if the traffic persists.
Again, aside from what I said here, OpenDNS, or this user forum, can't do anything for you concerning this other than blacklisting the domain. After that it's a fairly standard IT task of cleaning up your network from an infection, but all of that is outside the scope of what this forum can provide to you.
12-13-2016 03:19 PM
My ESET AV is also picking up a certificate warning for geo-um.btrll.com: In case the picture doesn't post, here are the details:
Certificate name - geo-um-btrll.com
Certificate issuer - Cisco Umbrella Secondary SubCA sea-SG
Certificate subject - CN=geo-um.btrll.com, O="OpenDNS, Inc.",L=San Francisco, S=California, C=US
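The two observations in this thread (every client repeatedly resolving geo-um.btrll.com, and a certificate warning whose subject organisation is "OpenDNS, Inc.") can both be checked from a capture without touching the infected machines. The script below is an added example written for this thread, not code from OpenDNS or from any poster. It parses a constructed, whitespace-separated DNS log of the kind you would export from Wireshark/tshark (timestamp, client, query name, type, answer), tallies which clients are asking for the domain, checks whether every answer is one of the addresses you have recorded as your resolver's block page (the 203.0.113.10 value is a placeholder, not a real OpenDNS address: record the address your own resolver returns for a known-blocked test domain and substitute it), and parses the certificate subject DN quoted above to recognise that the TLS endpoint is the resolver's block page rather than the real site. The issuer is taken as the plain name shown in the post.

```python
import re
from collections import Counter

# Constructed sample DNS log, modelled on what the original poster saw in Wireshark:
# several LAN clients repeatedly looking up geo-um.btrll.com and all getting the same
# answer back. Addresses are RFC 5737 test addresses; 203.0.113.10 stands in for
# whatever address your resolver returns for blocked domains (assumed, not an OpenDNS IP).
SAMPLE_DNS_LOG = """\
10:49:01 192.168.1.20 geo-um.btrll.com A 203.0.113.10
10:49:01 192.168.1.21 geo-um.btrll.com A 203.0.113.10
10:49:02 192.168.1.20 geo-um.btrll.com A 203.0.113.10
10:49:05 192.168.1.22 geo-um.btrll.com A 203.0.113.10
10:49:06 192.168.1.21 example.com A 198.51.100.5
10:49:07 192.168.1.20 geo-um.btrll.com A 203.0.113.10
"""

# Placeholder set: fill with the block-page address(es) your own resolver returns.
ASSUMED_BLOCK_PAGE_ADDRS = {"203.0.113.10"}

# Values quoted from the thread: the block page's certificate subject and issuer.
SUBJECT_DN = 'CN=geo-um.btrll.com, O="OpenDNS, Inc.",L=San Francisco, S=California, C=US'
ISSUER_NAME = "Cisco Umbrella Secondary SubCA sea-SG"


def parse_dns_log(text):
    """Turn 'time client qname qtype answer' lines into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype, answer = line.split()
        records.append({"time": ts, "src": src, "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "answer": answer})
    return records


def clients_querying(records, domain):
    """Map each client address to how many times it asked for `domain`, busiest first."""
    domain = domain.lower()
    counts = Counter(r["src"] for r in records if r["qname"] == domain)
    return dict(counts.most_common())


def resolved_to_block_page(records, domain, block_page_addrs):
    """True when every answer seen for `domain` is a known block-page address."""
    answers = {r["answer"] for r in records if r["qname"] == domain.lower()}
    return bool(answers) and answers <= set(block_page_addrs)


# One RDN at a time: key, then either a double-quoted value (commas allowed inside,
# as in O="OpenDNS, Inc.") or an unquoted run up to the next comma.
_DN_PART = re.compile(r'\s*([A-Za-z]+)=("(?:[^"\\]|\\.)*"|[^,]*)\s*(?:,|$)')


def parse_dn(dn):
    """Parse a comma-separated X.500 DN string into a {attribute: value} dict."""
    parts = {}
    pos = 0
    while pos < len(dn):
        m = _DN_PART.match(dn, pos)
        if not m:
            raise ValueError(f"malformed DN near offset {pos}: {dn[pos:pos + 20]!r}")
        key, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        parts[key.upper()] = value.strip()
        pos = m.end()
    return parts


def is_resolver_block_page_cert(subject_dn, issuer_name):
    """Recognise the resolver's own block-page certificate from the thread's details:
    subject organisation 'OpenDNS, Inc.' or an issuer naming Cisco Umbrella/OpenDNS."""
    subject = parse_dn(subject_dn)
    org_match = subject.get("O") == "OpenDNS, Inc."
    issuer_match = any(h in issuer_name for h in ("Cisco Umbrella", "OpenDNS"))
    return org_match or issuer_match


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    domain = "geo-um.btrll.com"
    print("Clients querying", domain, "->", clients_querying(recs, domain))
    print("All answers are block-page addresses:",
          resolved_to_block_page(recs, domain, ASSUMED_BLOCK_PAGE_ADDRS))
    print("Certificate is the resolver's block page:",
          is_resolver_block_page_cert(SUBJECT_DN, ISSUER_NAME))
```

The client tally is the thing to keep re-running while machines are reconnected one at a time, as the earlier reply suggests: a client that keeps appearing in it after clean-up still has whatever is generating the lookups. The certificate check explains the AV warning without implying the real site was reached; a subject organisation of "OpenDNS, Inc." on a certificate for someone else's domain is exactly what a resolver block page looks like.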
12-14-2016 01:45 AM
Here you go: https://support.umbrella.com/hc/en-us/articles/230903768
and https://support.opendns.com/hc/en-us/articles/227987007
There are even more KB articles: https://support.umbrella.com/hc/en-us/search?query=certificate
12-21-2016 03:40 PM
btrll.com appears to be blocked at the adware or security level (certificate issues notwithstanding). We block adware by default, plus the security protection section is pretty well locked down.
You might find this useful:
https://www.bleepingcomputer.com/forums/t/624560/btrllcom-malware/
Personally, I'm pleased to see it get blocked. It annoys me no end to go to a site and see ads directed at me based on recent searches or to a vendor where I already have a relationship. Although in some ways it's amusing, it's also concerning. Co-opting an ad feed is an effective way to distribute malware.