Need help for Blackhole Server

By Bobbye
Sep 21, 2008
  1. Hopefully someone can direct me to a network person here. I'm helping someone go through their malware logs. This entry is in the HijackThis log:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 169.254.224.189

    The problem I'm having is that this IP is NOT in the Blackhole IP range of:
    * 10.0.0.0 - 10.255.255.255
    * 172.16.0.0 - 172.31.255.255
    * 192.168.0.0 - 192.168.255.255

    The term AutoConfigURL is fine, but the IP isn't. Can someone guide me in how to determine whether this is valid? The user did not configure for Blackhole.

    Thanks.
  2. jobeard

    jobeard TS Ambassador Posts: 13,275   +280

    KB314825 Says
    The address ranges you cite
    * 10.0.0.0 - 10.255.255.255
    * 172.16.0.0 - 172.31.255.255
    * 192.168.0.0 - 192.168.255.255
    are the Private - non-routable IP addresses and these may or may not suffer from the
    "black hole" symptom

    Consider: what happens when your computer asks for an IP address and no one responds?
    Due to a network problem, or maybe not being on a network at all, perhaps there's no DHCP server to hand out IP addresses.

    What happens is this: your machine waits for a while and then gives up.
    But when it gives up it invokes Automatic Private IP Addressing, or APIPA, and
    makes up its own IP address. And those "made up" IP addresses are in the 169.254.x.x range.

    To use ANY of the APIPA addresses, one would need to add routing information
    to the routing table, which is more pain than it's worth, seeing that accessing
    a valid DHCP would have given you back a usable Private - non-Routable address :)
  3. Bobbye

    Bobbye Helper on the Fringe Topic Starter Posts: 16,392   +35

    Thank you jobeard. I was put off by the "Auto-configure" with the set IP. Isn't it redundant to "auto-configure" a 'made up' IP?
  4. jobeard

    jobeard TS Ambassador Posts: 13,275   +280

    yes, but it's done within the NIC itself by a broadcast of a candidate address to see
    if anyone exists there.
    If not, it's adopted, if so, another is tried.

    the 'interesting part' is the Windows registry entry -- totally bogus and it should (imo)
    NEVER be a 169.254.x.x number.
  5. Bobbye

    Bobbye Helper on the Fringe Topic Starter Posts: 16,392   +35

  6. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,358   +167

    Bobbye,

    I think i can explain it this way...
    • The IP address you note is an auto-configuration IP within XP. It's used when a device wants an IP address and no DHCP service is found
    • Internet Explorer uses Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL as part of its connection data for establishing connections
    • Open an IE window. Click Tools->Internet Options->Connections tab. Now let's tell it some connection data

      • Note the two boxes under Auto Configuration. Note you can give it an "Automatic configuration script" which can be an address.
        • Could be dangerous if it points to malware!
        • But go ahead and enter an address there 169.254.2.2. Click OK, OK
        • Now look at the registry value for the AutoConfigURL you're concerned about. It should reflect what you entered, which would put IE into a DHCP auto-configure mode like anything else on your LAN
    So this type of setup would be normal
  7. jobeard

    jobeard TS Ambassador Posts: 13,275   +280

    hum; the 169.254.x.x will almost never network correctly.
    Here's what I have (that works :) )
    Code:
    HKEY_CURRENT_USER\Software\TOSHIBA\ConfigFree\Profiles\0000\Internet
    HKEY_CURRENT_USER\Software\TOSHIBA\ConfigFree\Profiles\0001\Internet
    HKEY_USERS\S-1-5-21-329068152-602609370-725345543-1007\Software\TOSHIBA\ConfigFree\Profiles\0000\Internet
    HKEY_USERS\S-1-5-21-329068152-602609370-725345543-1007\Software\TOSHIBA\ConfigFree\Profiles\0001\Internet

    ALL AutoConfigURL Reg_SZ <empty>
  8. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,358   +167

    Hmm... Didn't mean to imply that setting AutoConfigURL to 169.xxx.xx.xxx was sufficient (or right/best way) to get a connection if that's how it read

    But rather, was trying to address Bobbye's concern of AutoConfigURL use or misuse and how an IP address 169.254.xxxx.xxxx might fit in

    Highlighting

    1. it's connection config data for IE and can be demonstrated via the IE user interface
    2. If AutoConfigURL was pointing to another network or web site or anywhere unknown, that could be (should be) reason for concern
    3. But of no threat/concern if it happens to be pointing to 169.254.xxx.xxx
  9. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,358   +167

    Well, I think "I've connected the dots" (even a guess at how the AutoConfigURL value of 169.254.xx.xx came about)

    I rebooted this morning. Nothing unusual about that. Except 15 minutes after, I remembered my IE was still using the bogus settings from yesterday (when I had looked into Bobbye's question)

    And I was online and connected. No problems. I checked and, sure enough
    • My IE Connection User Interface setting still shows 169.254.2.2 (attached snapshot)
    • My HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL still = 169.254.2.2
    Being technically curious I dug deeper and went through all the Microsoft product and technical documentation I could find and thought relevant.

    • The "AutoConfig" red herring!
      Appears we were all thrown off a bit when associating the key AutoConfigURL with an XP 169.254.xx.xx autoconfiguration address
      They are both "autoconfig" thingies but have little overlap other than by name
    • AutoConfigURL is to help manage IE Remote Installations
      Such as for Corporate customers who set up IE for employees or an ISP who configures IE for their customers. Typically done with the "Internet Explorer Administration Kit 7" (IEAK 7) which also makes use of the registry key
    • AutoConfigURL value should point to a server with .ins installation files
      The .ins files are responsible for remotely installing IE settings
    So.....
    • AutoConfigURL = 169.xxx.xxx.xxx is definitely not malware
    • If AutoConfigURL = 169.xxx.xxx.xxx exists along with manual settings it's more like a "no-op" machine command, i.e. does nothing. If the ip address can't reach a server to get .ins files it can only fall back to any manual or default settings.
    • In cases like this, the AutoConfigURL key can (should) just be deleted

    Given all this, I'd guess it likely
    • someone at the workstation was trying to get their computer (and IE) to connect
    • They stumbled into IE's user interface for autoconfiguration setup
    • They noted the similar naming (like we did) so just happened to try assigning the same autoconfig IP address that they saw was being assigned to the workstation
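Putting jobeard's range explanation (post 2) and LookinAround's AutoConfigURL findings (post 9) into a small triage helper, as an added example that is not part of the thread: it pulls AutoConfigURL entries out of HijackThis R1 lines and buckets the target as APIPA, RFC 1918, loopback, public, or a named host. The R0 line and the 10.1.2.3 entry in the sample log are constructed; the verdict wording is my own heuristic, not anything HijackThis defines.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The three RFC 1918 ranges the thread lists, plus the APIPA range jobeard describes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
# HijackThis "R1" lines look like: R1 - <hive\key>,<value name> = <data>
R1_LINE = re.compile(r"^R1 - (?P<key>HK\w+\\[^,]+),(?P<name>\w+) = (?P<data>.+)$")
# Triage wording is my own heuristic, not anything HijackThis or the thread defines.
VERDICTS = {
    "apipa": "link-local address: no PAC/.ins server can live there, remove the entry",
    "loopback": "this machine: unexpected unless a local proxy is installed",
    "rfc1918": "private address: plausible corporate config server, confirm with the admin",
    "public": "public address: IE would fetch proxy settings from it, investigate",
    "hostname": "named host: resolve it and verify it is an expected server",
}

def classify_host(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip in APIPA:  # test first: Python's is_private also covers 169.254/16
        return "apipa"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"

def triage_autoconfig(line):
    m = R1_LINE.match(line.strip())
    if not m or m.group("name") != "AutoConfigURL":
        return None  # not an R1 line, or an R1 line for some other value
    data = m.group("data").strip()
    # The data may be a bare address (as in the thread) or a full URL to a .pac/.ins file.
    host = urlsplit(data if "://" in data else "//" + data).hostname or data
    kind = classify_host(host)
    return {"key": m.group("key"), "target": data, "host": host, "kind": kind, "verdict": VERDICTS[kind]}

def triage_log(text):
    return [rec for rec in (triage_autoconfig(ln) for ln in text.splitlines()) if rec]

# Constructed sample log: the thread's own R1 line plus two made-up lines for contrast.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,AutoConfigURL = 169.254.224.189
R1 - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,AutoConfigURL = http://10.1.2.3/proxy.pac
"""
```

Running `triage_log(SAMPLE_LOG)` skips the R0 line and returns two records, the first flagged `apipa` and the second `rfc1918`.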
  10. Bobbye

    Bobbye Helper on the Fringe Topic Starter Posts: 16,392   +35

    Well, we have likely totally confused the person asking the question! I do not have the 'auto-configure- LAN checked or IP entered.

    With help from Wiki, on the best 'non-technical' explanation I could find:
    I specifically asked this person:
    The answer was:
    The AutoConfig with the set IP should be removed under this circumstance. I understand the application and it does not warrant the IP that is entered, not by the user. How can you justify setting something that is supposed to be random?
  11. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,358   +167

    Apologies for any confusion. You were trying to understand the validity of the key and its assigned value. Yesterday’s post was only trying to
    • explain the value that appeared: 169.xxx.xxx.xxx value as an autoconfiguration IP
    • Tried to demonstrate the key’s usage and a method by which it can be set: Using IE’s user interface to assign an autoconfiguration address
    With that said, my intent (realizing it was not well presented)
    • Was showing how the key can be set from a user interface to help understand the key and the impact of any value
    • I wasn’t saying that's the ONLY possible way to set the key(lord knows there are always a dozen different ways in Windows).
    • Nor was I trying to provide a user manual on how to properly configure someone’s IE connections for autoconfiguration
    • I tried indicating a value of 169.xxx.xxx.xxx was an autoconfiguration address and didn’t represent malware
    • But in re-reading my own post, I saw I only focused on whether it was dangerous vs. non-dangerous and yes, you're correct the key should just be removed. I had added that fact to my post this morning

    And related to my post this morning
    Please re-read my post from this morning. This value is not set at random nor has anything to do with AutoConfiguring IP addresses.

    We all (or at least I did) saw AutoConfig in AutoConfigUrl, saw a 169.xxxx value and assumed it had something to do with DHCP and auto-IP configuration. It does not.

    It has everything to do with IE7 and IEAK7 (Internet Explorer Administration Kit 7) for Remote Installations. You can find matching documentation about AutoConfigURL in Windows XP IE documentation.

    And absolutely agree the key should be deleted but based on what I now know about how it's set/used, I'm guessing someone actually did set it manually trying to fix their internet connection. (There's no value for malware to set it to a 169. address) But that's pure speculation and in any case the key should be deleted.
     
  12. jobeard

    jobeard TS Ambassador Posts: 13,275   +280

    Whereas the creation of the Automatic Private IP Addressing, or APIPA is in the hardware,
    it is de facto not implicitly associated with any service. Notice also it's in the
    Private range, which means it does not route.

    With understanding of routing tables, one can make these addresses operate on your
    LAN subnet, but it's just not worth the effort.
  13. Bobbye

    Bobbye Helper on the Fringe Topic Starter Posts: 16,392   +35

    So no one will say 'remove it' except me! Some of this is over my head. But I read all the replies and thank you. I told the user to have HijackThis remove the entry. Considering the term 'autoconfig' + the set IP + the IP out of the noted ranges, it seemed the prudent thing to do.
  14. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,358   +167

    As of this morning's post (after researching AutoConfigURL) I've said definitely remove it.

    AutoConfigURL is supposed to point to a server which has Microsoft .ins files which are used to remotely configure Internet Explorer

    That key having an autoconfig IP address makes no sense.

    And some of the confusion arises from MS's similar use of terminology. The AutoConfigURL has nothing to do with autoconfig IPs other than that they both start with AutoConfig.

    Similar names.. DIFFERENT functionality. Current key value makes no sense at all. Is harmless. But makes no sense.

    /************** EDIT **********************/
    And since makes no sense (even for malware to set it makes no sense) is my pure speculation that since it's settable via the IE user interface.. someone trying to get their computer internet connection working happened to find that IE interface and entered their computer's IP address. Which wasn't connecting so it had been assigned an autoconfig IP which is what someone copied. Oh. and never with the intention or any concept of "Blackholes"
