Slashdot Mirror


Number of Rogue DNS Servers on the Rise

bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet. The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"

12 of 154 comments

  1. certs too by OrangeTide · · Score: 4, Interesting

    Once a machine has been compromised you can add your own certificate server to the list too. And start handing out certs for whatever bullshit you want.

    --
    “Common sense is not so common.” — Voltaire
  2. Re:Simple fix for those running Windows? by mlts · · Score: 3, Interesting

    I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers.

    Then clients can grab the results from any DNS server and validate that they are actual results or phonies.

    Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.

  3. Hijack it yourself by RT+Alec · · Score: 5, Interesting

    Whenever I set up the network infrastructure for a business, particularly one that has a lot of laptops, I make sure to intercept all DNS traffic and redirect it to a local server (since most of the boxes are routers, firewalls, NTP and DNS servers all in one, on (Open|Free)BSD this is easier).

    For PF, it's as simple as:
    rdr pass on $if proto {tcp,udp} from any to any port 53 -> 127.0.0.1 port 53

    If you still use IPFilter, use this rule in ipnat.rules:
    rdr de0 0.0.0.0/0 port 53 -> 127.0.0.1 port 53 tcp/udp

  4. Sounds like an ISP opportunity by davidwr · · Score: 5, Interesting

    If ISPs would offer an optional "cleaning" service to block suspicious activity not only would fewer people fall victim, but the bang-for-the-buck would go down and it might not be worth the scammer's effort.

    A cleaning service would act like a deep-packet-inspection router but at the ISP head end.

    Useful services to offer:
    * net-nanny/thinkofthechildren content blocking
    * block known hostile/poisoned sites
    * tattletale/reporting
    * time-of-day blocking
    * login-required services - no port 80 or 443 without a cookie identifying which member of the family is using the computer
    * DNS interception/reroute to canonical ISP DNS
    * DNS interception/reroute to modified-for-the-customer ISP-provided DNS
    * DNS interception blocking DNS to known rogue sites
    * much, much more
    * Arbitrary, customer-controlled port blocking for inbound and outbound ports

    ISPs should offer "protect the network" or "protect from criminal activity" blocks like poisoned-DNS blocks for free/build the cost into their basic rates, and charge a premium for parental-control/business-use-control services.

    Of course they shouldn't force anyone to use these services if they don't want to.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Is this about OpenDNS redirecting www.Google.com? by Anonymous Coward · · Score: 5, Interesting

    Try it: resolver1.opendns.com and resolver2.opendns.com return a CNAME for www.google.com. When you use OpenDNS, your browser really connects to google.navigation.opendns.com instead of www.google.com, and that name resolves to an OpenDNS IP address. Bet you didn't expect that from a service which touts to be "Open" something...

  6. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 5, Interesting

    With all due respect, there aren't that many different kinds of AV software out there, and only a relatively limited number of configurations possible. The changes to hosts.txt would be relatively small and would be easy to insert on a compromised computer--you could rehost all the common AV servers in hosts.txt with a relatively small worm payload, for instance--no version detection necessary.

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
  7. Re:Simple fix for those running Windows? by rwyoder · · Score: 5, Interesting

    I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers. Then clients can grab the results from any DNS server and validate that they are actual results or phonies. Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.
    Google "DNSsec".
  8. Scary stuff... Could even hit OS X easily by Tibor+the+Hun · · Score: 1, Interesting

    Malicious software purporting to be an unrelated application could easily ask a user to authenticate with admin credentials during the installation.
    Wham-bam, the porn-viewer or icon-designer has now changed your DNS settings...
    Considering that most OS X virus scanners are still either in their infancy or completely ineffective, this would be an easy target.

    What's the best strategy against something like this? Installing apps in ~/Applications vs /Applications ?
    Maybe Apple could make that the default behavior, or at least a user preference via Account settings.

    --
    If you don't know what AltaVista is (was), get off my lawn.
  9. Re:Key word is 'modified' by TripMaster+Monkey · · Score: 2, Interesting

    Well, when I say "host it themselves", I'm pretty sure the proxy machine isn't theirs physically. In all probability, it's another 0wned box, chosen for this role due to its higher specs and fatter pipe. Then, the system can periodically dump the accumulated data to another location (like an obscure newsgroup) for later retrieval.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  10. Re:read more, submit less by FelixGordon · · Score: 3, Interesting

    Perhaps you're one of the many people with an insecure wireless network using the default admin/password combination?

    Or perhaps you're one of the many people clever enough to use someone else's insecure wireless network to access the internet?

  11. Mod Parent Up, Please! by billstewart · · Score: 4, Interesting
    Not only is it possible for an Open Wifi system to be running a rogue DNS or other untrustworthy configuration, it's in fact nearly universal at commercial establishments that want to hand you a login page before letting you have access. It may be a non-free page that wants you to give them a credit card number, or it may be a free wireless system that wants you to check a box saying "Yes, I agree you're connecting me to the Real Internet, and anything unpleasant I see there is Not Your Fault." And there have been a number of proposals for "free" municipal wireless that want to hijack every web page you access to put banner ads on them, as well as the ones that just give you the ad banners when you first connect.


    That doesn't mean, of course, that logging onto a random "linksys" SSID in a residential neighborhood won't actually get you a rogue DNS installed on a virus-infected computer, or a kid's wireless system trolling for passwords from nearby gamerz. But those are at least not *guaranteed* to be hijacking you.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  12. Re:read more, submit less by NotBorg · · Score: 3, Interesting

    Ideally this would be something that could only be done via an infrequently used administrator account. The reality, however, is that most Windows installs are set up to automatically log in to an administrator account by default. Most Windows users don't even know they are doing it.

    Personally I think the boys and girls at MS should release a critical security update (you know, ones that go off regardless of whether you have them enabled or not [-1 troll]) which launches a wizard to educate users about the differences between administrator and non-administrator accounts. In addition, the wizard would assist in creating a non-administrator account and migrating the user's files and settings to it.

    Call me crazy, but when I installed Linux it was a natural thing from the get-go that I shouldn't do everything as root, only things that could not be done otherwise. I don't have to worry much that my hosts file or DNS settings got owned. Lots of things don't get owned. Windows could be made closer to this.

    --
    I want this account deleted.
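The hosts-file rehosting described in comment 6 and the changed DNS settings in comment 12 both leave traces in local configuration files. The following is an added example, not code from the thread or from any poster, that audits a hosts file and a resolv.conf for those traces; the watchlist, resolver allowlist, LAN ranges and both file contents are constructed samples.

```python
import ipaddress

# Hostnames an attacker would want to pin; constructed sample list.
WATCHLIST = {"update.example-av.test", "www.example-bank.test"}
# Resolvers this site actually operates; constructed sample addresses.
ALLOWED_RESOLVERS = {"127.0.0.1", "192.0.2.53"}
# Address ranges where a workstation's own hosts entries legitimately live.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def audit_hosts(text, watchlist=WATCHLIST):
    """Suspicious hosts entries as (line_no, address, hostname, reason) tuples."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()        # strip comments, tokenize
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                                  # malformed line, skip it
        # An entry pointing outside loopback and the LAN is unusual on a workstation.
        external = not (ip.is_loopback or any(ip in net for net in LAN_NETS))
        for name in names:
            lname = name.lower()
            if lname in LOCAL_NAMES or lname.startswith("ip6-"):
                continue
            if lname in watchlist:
                findings.append((no, addr, lname, "watchlist"))
            elif external:
                findings.append((no, addr, lname, "external-address"))
    return findings


def audit_resolvers(text, allowed=ALLOWED_RESOLVERS):
    """Return nameserver addresses in resolv.conf text that are not allowlisted."""
    fields_per_line = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return [f[1] for f in fields_per_line
            if len(f) >= 2 and f[0] == "nameserver" and f[1] not in allowed]


# Constructed samples: a tampered hosts file and a resolv.conf with a changed server.
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost ip6-localhost
192.168.1.20 fileserver.lan   # legitimate LAN entry
198.51.100.7 update.example-av.test www.example-bank.test   # rehosted AV/bank
198.51.100.8 www.example-shop.test
"""
SAMPLE_RESOLV = "nameserver 127.0.0.1\nnameserver 203.0.113.9   # not ours\n"

print(audit_hosts(SAMPLE_HOSTS), audit_resolvers(SAMPLE_RESOLV))
```

On a real machine, feed the contents of /etc/hosts and /etc/resolv.conf (or their Windows equivalents) to the two functions and alert on any non-empty result.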