Slashdot Mirror


Number of Rogue DNS Servers on the Rise

bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet. The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"

8 of 154 comments

  1. read more, submit less by OrangeTide · · Score: 4, Informative

    "Once an end user's computer has been modified to use a poisoned DNS server" ... it's right there in the post. You don't even have to RTFA.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:read more, submit less by Hamstaus · · Score: 5, Informative

      The same way your machine would get compromised to have a virus or spyware. Any virus could easily modify your hostname or DNS settings to use a rogue DNS server. You may not know it, but if you're using DHCP, one of the first things your computer (or router) does when it connects to your ISP is to ask what DNS servers it should use. Generally you'll use your ISP's DNS servers. If you're not using DHCP, you'll have had to enter the DNS settings yourself. In any event, it's an easily manipulated property of your network connection. Any virus or software flaw could be utilized to change your DNS to a rogue server. I bet unpatched IE Javascript flaws could even do it.

      --
      I moderate "-1, Fool"
  2. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 5, Informative

    I'd do it at the router level, myself. Lots of routers out there with easy or default passwords, and if you know the interface for that particular model/company, then changing the DNS settings would be easy as pie.

    Get a lot of folks who have the money for a broadband connection that way--the folks with money and not much sense who are really ideal for identity theft.

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
  3. Re:Hijack it yourself by drakyri · · Score: 3, Informative

    If you're not up to setting up your own DNS server, how about just setting all local systems to use the local gateway as a DNS server - then use pf or ipfw to redirect those packets (incoming to gateway:53) to your ISP's DNS servers?

    Drop any incoming packets on the internal interface on port 53 that aren't addressed to the gateway. That'll allow you to keep an eye on the DNS servers easily on a machine that's presumably running *nix and not as susceptible to viruses without having to set up your own.
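    The gateway setup drakyri describes, written out as a pf.conf fragment (an added example, not drakyri's own configuration; it uses the classic FreeBSD/older-OpenBSD `rdr` syntax and assumes an internal interface `em1`, a gateway LAN address of 192.168.1.1 and ISP resolvers 198.51.100.53 and 198.51.100.54, all placeholder values):

```pf
# pf.conf fragment: force LAN DNS lookups through the gateway (added example;
# interface name, gateway address and ISP resolver addresses are placeholders)
int_if = "em1"
gw_lan = "192.168.1.1"

# Clients are configured to use $gw_lan as their resolver. Every lookup that
# arrives on the internal interface for the gateway's port 53 is rewritten to
# one of the ISP resolvers. "rdr pass" passes the rewritten packets without
# running them through the filter rules below, so the block rule cannot catch them.
rdr pass on $int_if proto { tcp, udp } from $int_if:network to $gw_lan port 53 \
    -> { 198.51.100.53, 198.51.100.54 } round-robin

# Any DNS traffic from the LAN that is NOT aimed at the gateway is dropped and
# logged to pflog. A host whose resolver setting was silently changed to an
# outside address (the scenario in the story) shows up here as blocked
# traffic from its LAN address, which is the "keep an eye on it" part.
block log on $int_if proto { tcp, udp } from $int_if:network to ! $gw_lan port 53
```

    Watch pflog (for example with `tcpdump -n -e -ttt -i pflog0 port 53`) to see which internal hosts are trying to reach other resolvers. This only covers resolver changes on the clients; if the gateway's own DNS settings are changed, as KublaiKhan describes, the lookups still go wherever the gateway sends them.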

  4. Re:Key word is 'modified' by TripMaster+Monkey · · Score: 3, Informative

    Actually, I ran across some malware that did something similar a few years ago. This malware modified the registry to put in an invisible SOCKS proxy, so all HTTP traffic went to the internet via its own server, which sniffed all packets en route. It was a real bitch to get rid of...once I removed the obvious parts, HTTP was just plain broken until I fixed the malicious registry entries.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  5. DNSSEC provides a solution by Anonymous Coward · · Score: 5, Informative

    The threat described has been understood for quite a while. Standards for applying digital signatures to DNS data have been in the works for a decade and recently there has been a lot of progress in implementation. Current versions of BIND and several other DNS packages provide DNSSEC support. Several Country Code TLDs are signed. Verisign has just announced support for DNSSEC in the root zone ("."). Check out dnssec.net, dnssec-deployment.org, etc.

  6. Re:if I were to own a rogue DNS server by Intron · · Score: 3, Informative

    Setting the Avira address to localhost gets rid of the nag ads to buy the non-free version. Somebody using your computer changed the hosts file.

    --
    Intron: the portion of DNA which expresses nothing useful.
  7. Re:Speaking of reading more... by FatdogHaiku · · Score: 3, Informative

    This might help: http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf
    Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office