Need help for Blackhole Server

Bobbye

Hopefully someone can direct me to a network person here. I'm helping someone go through their malware logs. This entry is in the HijackThis log:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 169.254.224.189

The problem I'm having is that this IP is NOT in the Blackhole IP range of:
* 10.0.0.0 - 10.255.255.255
* 172.16.0.0 - 172.31.255.255
* 192.168.0.0 - 192.168.255.255

The term AutoConfigURL is fine, but the IP isn't. Can someone guide me in how to determine whether this is valid? The user did not configure for Blackhole.

Thanks.
 
KB314825 Says
On a TCP/IP-based wide area network (WAN), communication over some routes may fail if an intermediate network segment has a maximum packet size that is smaller than the maximum packet size of the communicating hosts--and if the router does not send an appropriate Internet Control Message Protocol (ICMP) response to this condition or if a firewall on the path drops such a response. Such a router is sometimes known as a "black hole" router.

The address ranges you cite
* 10.0.0.0 - 10.255.255.255
* 172.16.0.0 - 172.31.255.255
* 192.168.0.0 - 192.168.255.255
are the private, non-routable IP addresses, and these may or may not suffer from the "black hole" symptom.

Consider: what happens when your computer asks for an IP address and no one responds? Due to a network problem, or maybe not being on a network at all, perhaps there's no DHCP server to hand out IP addresses.

What happens is this: your machine waits for a while and then gives up. But when it gives up it invokes Automatic Private IP Addressing, or APIPA, and makes up its own IP address. And those "made up" IP addresses are in the 169.254.x.x range.

To use ANY of the APIPA addresses, one would need to add routing information to the routing table, which is more pain than it's worth, seeing that accessing a valid DHCP server would have given you back a usable private, non-routable address :)
 
Thank you jobeard. I was put off by the "Auto-configure" with the set IP. Isn't it redundant to "auto-configure" a 'made up' IP?
 
Yes, but it's done within the NIC itself by a broadcast of a candidate address to see if anyone exists there. If not, it's adopted; if so, another is tried.

The 'interesting part' is the Windows registry entry: totally bogus, and it should (imo) NEVER be a 169.254.x.x number.
 
Bobbye,

I think i can explain it this way...
  • The IP address you note is an auto-configuration IP within XP. It's used when a device wants an IP address and no DHCP service is found
  • Internet Explorer uses the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL as part of its connection data for establishing connections
  • Open an IE window. Click Tools->Internet Options->Connections tab. Now let's tell it some connection data

    • Note the two boxes under Auto Configuration. Note you can give it an "Automatic configuration script" which can be an address.
      • Could be dangerous if it points to malware!
      • But go ahead and enter an address there: 169.254.2.2. Click OK, OK
      • Now look at the registry value for the AutoConfigURL you're concerned about. It should reflect what you entered, which would put IE into a DHCP auto-configure mode like anything else on your LAN
So this type of setup would be normal
 
Hmm; the 169.254.x.x will almost never network correctly.
Here's what I have (that works :) )
Code:
HKEY_CURRENT_USER\Software\TOSHIBA\ConfigFree\Profiles\0000\Internet

HKEY_CURRENT_USER\Software\TOSHIBA\ConfigFree\Profiles\0001\Internet

HKEY_USERS\S-1-5-21-329068152-602609370-725345543-1007\Software\TOSHIBA\ConfigFree\Profiles\0000\Internet

HKEY_USERS\S-1-5-21-329068152-602609370-725345543-1007\Software\TOSHIBA\ConfigFree\Profiles\0001\Internet

ALL AutoConfigURL Reg_SZ <empty>
 
Hmm... Didn't mean to imply that setting AutoConfigURL to 169.xxx.xx.xxx was sufficient (or the right/best way) to get a connection, if that's how it read.

But rather, I was trying to address Bobbye's concern of AutoConfigURL use or misuse and how an IP address 169.254.xxx.xxx might fit in.

Highlighting:

1. It's connection config data for IE and can be demonstrated via the IE user interface
2. If AutoConfigURL was pointing to another network or web site or anywhere unknown, that could be (should be) reason for concern
3. But of no threat/concern if it happens to be pointing to 169.254.xxx.xxx
 
Well, I think I've "connected the dots" (even a guess at how the AutoConfigURL value of 169.254.xx.xx came about)

I rebooted this morning. Nothing unusual about that. Except 15 minutes after, I remembered my IE was still using the bogus settings from yesterday (when I had looked into Bobbye's question)

And I was online and connected. No problems. I checked and, sure enough
  • My IE Connection user interface setting still shows 169.254.2.2 (attached snapshot)
  • My HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL still = 169.254.2.2
Being technically curious I dug deeper and went through all the Microsoft product and technical documentation I could find and thought relevant.

  • The "AutoConfig" red herring!
    Appears we were all thrown off a bit when associating the key AutoConfigURL with an XP 169.254.xx.xx autoconfiguration address
    They are both "autoconfig" thingies but have little overlap other than by name
  • AutoConfigURL is to help manage IE remote installations
    Such as for corporate customers who set up IE for employees or an ISP who configures IE for their customers. Typically done with the "Internet Explorer Administration Kit 7" (IEAK 7), which also makes use of the registry key
  • The AutoConfigURL value should point to a server with .ins installation files
    The .ins files are responsible for remotely installing IE settings
So.....
  • AutoConfigURL = 169.xxx.xxx.xxx is definitely not malware
  • If AutoConfigURL = 169.xxx.xxx.xxx exists along with manual settings, it's more like a "no-op" machine command, i.e. it does nothing. If the IP address can't reach a server to get .ins files, it can only fall back to any manual or default settings.
  • In cases like this, the AutoConfigURL key can (should) just be deleted

Given all this, I'd guess it likely
  • someone at the workstation was trying to get their computer (and IE) to connect
  • They stumbled into IE's user interface for autoconfiguration setup
  • They noted the similar naming (like we did) so just happened to try assigning the same autoconfig IP address that they saw was being assigned to the workstation
 
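The posts above explain two things in prose: that 169.254.x.x is the APIPA block a Windows host assigns itself when no DHCP server answers, and that AutoConfigURL is supposed to name a server IE fetches configuration from, not the machine's own self-assigned address. As an added example (not from the thread, HijackThis or Microsoft), here is a Python triage script that parses HijackThis R1 lines and buckets the AutoConfigURL target by address class, so the OP's question ("is this IP in a range I should worry about?") is answered mechanically. The sample log lines are constructed for the example; only the first is the entry quoted at the top of the thread. One caveat built into the code: Python's ipaddress module counts 169.254.0.0/16 as "private", so the link-local test has to run before the RFC 1918 test or the OP's address would be misfiled alongside 10/8, 172.16/12 and 192.168/16.

```python
"""Added example (not part of the thread): triage HijackThis R1
AutoConfigURL entries by classifying the address they point at.

169.254.0.0/16 is the link-local / APIPA block (RFC 3927) that the
Windows IP stack self-assigns when no DHCP server answers. Nothing on
the LAN is going to serve a configuration file from that address, so
an AutoConfigURL pointing there is dead configuration, not a server.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# The three RFC 1918 ranges the OP compared the address against.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# HijackThis R1 line layout: "R1 - <hive\path>,<valuename> = <data>"
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")

VERDICTS = {
    "empty":    "no auto-config script set (normal)",
    "apipa":    "link-local 169.254/16 (or fe80::/10) target: unreachable, cannot be a config server; delete the value",
    "loopback": "points at this machine: check for a local proxy/PAC service",
    "rfc1918":  "internal address: confirm an admin set it and review what the server hands out",
    "hostname": "named host: resolve it and inspect what it serves before trusting it",
    "routable": "public address: treat as suspicious until the served file is reviewed",
}


def parse_r1(line):
    """Split an R1 line into key path, value name and data; None if not R1."""
    m = R1_RE.match(line.strip())
    if not m:
        return None
    return {k: m.group(k).strip() for k in ("key", "name", "value")}


def target_host(value):
    """Host part of an AutoConfigURL value, which may be a bare IP or a URL."""
    if "://" not in value:
        value = "http://" + value          # IE accepts a bare host/IP here
    return urlsplit(value).hostname or ""


def classify_target(value):
    """Bucket the target. Order matters: ipaddress.is_private is also True
    for 169.254/16, so the link-local test must precede the RFC 1918 one."""
    if not value.strip():
        return "empty"
    host = target_host(value)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_link_local:                   # 169.254.0.0/16 (APIPA) or fe80::/10
        return "apipa"
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918_NETS):
        return "rfc1918"
    return "routable"


def triage(lines):
    """Return (value, class, verdict) for every AutoConfigURL R1 line."""
    results = []
    for line in lines:
        entry = parse_r1(line)
        if entry and entry["name"] == "AutoConfigURL":
            cls = classify_target(entry["value"])
            results.append((entry["value"], cls, VERDICTS[cls]))
    return results


# Constructed sample log: the thread's own line plus made-up variants.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 169.254.224.189",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://192.168.1.10/proxy.pac",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.example.com/wpad.dat",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080",
]

if __name__ == "__main__":
    for value, cls, verdict in triage(SAMPLE_LOG):
        print(f"{cls:9} {value}\n          -> {verdict}")
```

Run it as a script to print a verdict per AutoConfigURL entry; the OP's line comes out as "apipa". The "rfc1918", "hostname" and "routable" buckets are the ones worth real follow-up: whatever that URL serves (a .ins file, or a proxy auto-config script, which is JavaScript that picks the proxy for every request the browser makes) decides where the user's traffic goes, so fetch and read it before declaring the machine clean.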
Well, we have likely totally confused the person asking the question! I do not have the 'auto-configure' LAN checked or IP entered.

With help from Wiki, on the best 'non-technical' explanation I could find:
Auto-configuration is the automatic configuration of devices without manual intervention, without any need for software configuration programs or jumpers.

DHCP provides three modes for allocating IP addresses. The best-known mode is dynamic, in which the client is provided a "lease" on an IP address for a period of time.

The two other modes for allocation of IP addresses are automatic (also known as DHCP Reservation), in which the address is permanently assigned to a client, and manual, in which the address is selected by the client (manually by the user or any other means) and the DHCP protocol messages are used to inform the server that the address has been allocated.

Wherever possible, DHCP-assigned addresses should be dynamically linked to a secure DNS server, to allow troubleshooting by name rather than by a potentially unknown address.

The DHCP server ensures that all IP addresses are unique, i.e., no IP address is assigned to a second client while the first client's assignment is valid

I specifically asked this person:
Have you intentionally set to use the BlackHole server?
The answer was:
I have no idea what this Blackhole thing is or how to get rid of it.

The AutoConfig with the set IP should be removed under this circumstance. I understand the application and it does not warrant the IP that is entered, not by the user. How can you justify setting something that is supposed to be random?
 
The term AutoConfigURL is fine, but the IP isn't. Can someone guide me in how to determine whether this is valid? The user did not configure for Blackhole.
Apologies for any confusion. You were trying to understand the validity of the key and its assigned value. Yesterday's post was only trying to
  • explain the value that appeared: the 169.xxx.xxx.xxx value as an autoconfiguration IP
  • demonstrate the key's usage and a method by which it can be set: using IE's user interface to assign an autoconfiguration address
With that said, my intent (realizing it was not well presented)
  • was showing how the key can be set from a user interface to help understand the key and the impact of any value
  • I wasn't saying that's the ONLY possible way to set the key (lord knows there are always a dozen different ways in Windows).
  • Nor was I trying to provide a user manual on how to properly configure someone's IE connections for autoconfiguration
  • I tried indicating a value of 169.xxx.xxx.xxx was an autoconfiguration address and didn't represent malware
  • But in re-reading my own post, I saw I only focused on whether it was dangerous vs. non-dangerous and yes, you're correct, the key should just be removed. I had added that fact to my post this morning

And related to my post this morning
I understand the application and it does not warrant the IP that is entered, not by the user. How can you justify setting something that is supposed to be random?
Please re-read my post from this morning. This value is not set at random nor has anything to do with autoconfiguring IP addresses.

We all (or at least I did) saw AutoConfig in AutoConfigURL, saw a 169.xxxx value and assumed it had something to do with DHCP and auto-IP configuration. It does not.

It has everything to do with IE7 and IEAK7 (Internet Explorer Administration Kit 7) for remote installations. You can find matching documentation about AutoConfigURL in Windows XP IE documentation.

And absolutely agree the key should be deleted, but based on what I now know about how it's set/used, I'm guessing someone actually did set it manually trying to fix their internet connection. (There's no value for malware to set it to a 169. address.) But that's pure speculation, and in any case the key should be deleted.
 
Whereas the creation of the Automatic Private IP Addressing, or APIPA, is in the hardware, it is de facto not implicitly associated with any service. Notice also it's in the private range, which means it does not route.

With understanding of routing tables, one can make these addresses operate on your LAN subnet, but it's just not worth the effort.
 
So no one will say 'remove it' except me! Some of this is over my head. But I read all the replies and thank you. I told the user to have HijackThis remove the entry. Considering the term 'autoconfig' + the set IP + the IP outside the noted ranges, it seemed the prudent thing to do.
 
As of this morning's post (after researching AutoConfigURL) I've said definitely remove it.

AutoConfigURL is supposed to point to a server which has Microsoft .ins files, which are used to remotely configure Internet Explorer.

That key having an autoconfig IP address makes no sense.

And some of the confusion arises from MS's similar use of terminology. The AutoConfigURL has nothing to do with autoconfig IPs other than that they both start with AutoConfig.

Similar names.. DIFFERENT functionality. Current key value makes no sense at all. Is harmless. But makes no sense.

/************** EDIT **********************/
And since it makes no sense (even for malware to set it makes no sense), it is my pure speculation that, since it's settable via the IE user interface, someone trying to get their computer's internet connection working happened to find that IE interface and entered their computer's IP address. Which wasn't connecting, so it had been assigned an autoconfig IP, which is what someone copied. Oh, and never with the intention or any concept of "Blackholes".
 