Slashdot Mirror


Number of Rogue DNS Servers on the Rise

bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet, The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"

15 of 154 comments

  1. Simple fix for those running Windows? by HeliosTrick · · Score: 2, Informative

    netsh interface ip set dns "Local Area Connection" static 4.2.2.4
    netsh interface ip add dns "Local Area Connection" 4.2.2.1 index=2

    Doesn't seem too hard to fix this exploit, sneaky as it may sound. Of course, run FF/NoScript etc...

  2. read more, submit less by OrangeTide · · Score: 4, Informative

    "Once an end user's computer has been modified to use a poisoned DNS server" .. it's right there in the post. You don't even have to RTFA.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:read more, submit less by Hamstaus · · Score: 5, Informative

      The same way your machine would get compromised to have a virus or spyware. Any virus could easily modify your hostname or DNS settings to use a rogue DNS server. You may not know it, but if you're using DHCP, one of the first things your computer (or router) does when it connects to your ISP is to ask what DNS servers it should use. Generally you'll use your ISP's DNS servers. If you're not using DHCP, you'll have had to enter the DNS settings yourself. In any event, it's an easily manipulated property of your network connection. Any virus or software flaw could be utilized to change your DNS to a rogue server. I bet unpatched IE Javascript flaws could even do it.

      --
      I moderate "-1, Fool"
    2. Re:read more, submit less by NnT042 · · Score: 2, Informative

      I don't know if the situation has improved any in Vista, but as far as XP goes there are a LOT of programs you simply can't use that way. I run as admin constantly, and with a full awareness of how dangerous it is. At least a third of the programs I use, poorly written as they are, try to do things like save configuration files (or saved games) in their installation folder. Unfortunately limited accounts are not allowed write access to Program Files, and there is no getting these boneheads to RTFM and learn what %AppData% is for. So like it or not, I'm Admin.

      I tried Vista, and reverted the next day - couldn't stand it. No telling if they've fixed this problem or managed to beat some sense into the developers yet, and I don't know if/when it will be necessary for me to find out.

    3. Re:read more, submit less by TheThiefMaster · · Score: 2, Informative

      I run as a "Power User" on XP. No permission to install or write to the Windows folder, but can write to Program Files.

      Seems a good compromise.

  3. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 5, Informative

    I'd do it at the router level, myself. Lots of routers out there with easy or default passwords, and if you know the interface for that particular model/company, then changing the DNS settings would be easy as pie.

    Get a lot of folks who have the money for a broadband connection that way--the folks with money and not much sense who are really ideal for identity theft.

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
  4. Re:Suddenly, by cheater512 · · Score: 2, Informative

    Even SSL fails with this method of attack.
    Too many ways to add a new root certificate.

  5. Re:Hijack it yourself by drakyri · · Score: 3, Informative

    If you're not up to setting up your own DNS server, how about just setting all local systems to use the local gateway as a DNS server - then use pf or ipfw to redirect those packets (incoming to gateway:53) to your ISP's DNS servers?

    Drop any incoming packets on the internal interface on port 53 that aren't addressed to the gateway. That'll allow you to keep an eye on the DNS servers easily on a machine that's presumably running *nix and not as susceptible to viruses without having to set up your own.

  6. Re:Key word is 'modified' by TripMaster+Monkey · · Score: 3, Informative

    Actually, I ran across some malware that did something similar a few years ago. This malware modified the registry to put in an invisible SOCKS proxy, so all HTTP traffic went to the internet via its own server, which sniffed all packets en route. It was a real bitch to get rid of...once I removed the obvious parts, HTTP was just plain broken until I fixed the malicious registry entries.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  7. DNSSEC provides a solution by Anonymous Coward · · Score: 5, Informative

    The threat described has been understood for quite a while. Standards for applying digital signatures to DNS data have been in the works for a decade and recently there has been a lot of progress in implementation. Current versions of BIND and several other DNS packages provide DNSSEC support. Several Country Code TLDs are signed. Verisign has just announced support for DNSSEC in the root zone ("."). Check out dnssec.net, dnssec-deployment.org, etc.

  8. Re:if I were to own a rogue DNS server by Intron · · Score: 3, Informative

    Setting the Avira address to localhost gets rid of the nag ads to buy the non-free version. Somebody using your computer changed the hosts file.

    --
    Intron: the portion of DNA which expresses nothing useful.
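A defender-side audit of the two settings this thread keeps returning to (the resolvers configured on the host, as in comments 1, 3 and 5, and the hosts file, as in comment 8), added here as an example and not code from any poster: it parses resolv.conf-style and hosts-file text, flags any resolver outside an operator-defined allowlist, and flags hosts entries that override watched domains. The allowlist, the watched-domain list and both sample files are constructed for the example.

```python
import ipaddress

# Resolvers the operator expects to see (constructed: two made-up ISP
# resolvers plus the pair comment 1 sets with netsh). A rogue-DNS infection
# works by swapping this list, so anything else is worth a look.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54", "4.2.2.1", "4.2.2.4"}

# Domains whose hosts-file overrides deserve attention (constructed list):
# a vendor or login host pointed at localhost or a foreign address is the
# symptom comment 8 describes.
WATCHED_DOMAINS = {"avira.com", "google.com", "microsoft.com", "bank.example"}

def _fields(line):
    """Strip a trailing '#' comment and split the line into whitespace fields."""
    return line.split("#", 1)[0].split()

def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for parts in map(_fields, text.splitlines()):
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address: not a resolver, skip it
    return servers

def rogue_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers configured on the host that are not on the expected list."""
    return [s for s in parse_resolv_conf(text) if s not in expected]

def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """(name, address) pairs from hosts-file text that override a watched domain."""
    hits = []
    for parts in map(_fields, text.splitlines()):
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            label = name.lower().rstrip(".")
            if any(label == d or label.endswith("." + d) for d in watched):
                hits.append((name, addr))
    return hits

# Constructed sample files, not captured from a real host.
SAMPLE_RESOLV = """# constructed resolv.conf
nameserver 203.0.113.53
nameserver 198.51.100.7   # not an ISP resolver: typical rogue-DNS symptom
"""
SAMPLE_HOSTS = """127.0.0.1   localhost
127.0.0.1   update.avira.com    # the nag-ad suppression trick from comment 8
198.51.100.7 www.bank.example   # login host steered to a foreign address
"""
```

Running `rogue_resolvers(SAMPLE_RESOLV)` and `suspicious_hosts_entries(SAMPLE_HOSTS)` on the samples flags the second resolver and both overriding hosts entries.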
  9. Re:Suddenly, by Fred_A · · Score: 2, Informative

    Even SSL fails with this method of attack.
    Too many ways to add a new root certificate. You'd have to edit the cache so that the new key matches though (because it won't be the same one).
    --
    May contain traces of nut.
    Made from the freshest electrons.
  10. Re:Speaking of reading more... by FatdogHaiku · · Score: 3, Informative

    This might help: http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf
    Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  11. Re:Is this about OpenDNS redirecting www.Google.co by fhic · · Score: 2, Informative

    Yeah, actually this is *exactly* why I use OpenDNS.

    As you probably already know (why else are you posting as an AC?) this is a workaround for a nasty thing that Dell and Google have come up with to present the user with a screen full of ads when they make a typo in the search box. It's installed by default on new Dell machines. It's impossible for an ordinary user to turn off. I'm a hardcore techie and I had a rough time with it on my new Inspiron. More details here: http://blog.opendns.com/2007/05/22/google-turns-the-page/

    So, AC, do you work for Google or Dell? Shame on you in either case for spreading this FUD. If you work for Google, even more shame for violating the "don't be evil" policy. Because this is pretty fucking evil, and trying to convince people not to use OpenDNS because of it is even more evil.

  12. Re:Sounds like an ISP opportunity by Klaus_1250 · · Score: 2, Informative

    OpenDNS already offers most of these services, for free... Downside is, that if you look at their Terms of Service, they might also block things you don't ask for (e.g. p2p-sites and such). But for businesses, it should be fairly safe.

    --
    It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.