Number of Rogue DNS Servers on the Rise
bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet. The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"
Once a machine has been compromised you can add your own certificate server to the list too. And start handing out certs for whatever bullshit you want.
“Common sense is not so common.” — Voltaire
SSL
netsh interface ip set dns "Local Area Connection" static 4.2.2.4
netsh interface ip add dns "Local Area Connection" 4.2.2.1 index=2
Doesn't seem too hard to fix this exploit, sneaky as it may sound. Of course, run FF/NoScript etc...
"Once an end user's computer has been modified to use a poisoned DNS server" .. it's right there in the post. You don't even have to RTFA.
“Common sense is not so common.” — Voltaire
So will that server have the real URL for a legit site and then be able to fake you out? Also when is this internet 2 that I hear about all the time gonna come out. I like the ideas of a newer, faster, sexier (I dunno how it would be sexier...) internet that has more control over content allowed in and services, etc etc.
To see a few of my Android apps goto: www.hartwired.com
After all, one must set one's computer to use one of those servers.
I can think of a few possible ways to do this--a worm that modifies default-passworded routers, for instance, would be capable of modifying DNS entries at the router level--but is there an easy exploit to do so at the end-user's computer? Or a method of modifying the DNS via a browser window?
In Xanadu did Kubla Khan
A stately pleasure dome decree
You can run Rogue on a DNS server? Sweet! I know what I'm doing this weekend...
I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
So we have to know exactly which DNS to use then. This is not good, most people don't know and don't care to find out about such things. But a computer has to be infected in the first place for DNS to be spoofed, so as long as there are no infected computers... oh...
You can't handle the truth.
I don't know how this would happen, but there was a brief time (about 3 days, before the software warned me it needed to update) that my antivirus software update servers were pointed to localhost using my hosts file. This was a bit disconcerting for me, given that there is no way someone should have been able to pull off that hack, without knowing exactly what AV software I use and have access to my hosts file. Funny thing is, it only affected one of the four computers on my network, all of which run the same AV software.
.sig
Whenever I set up the network infrastructure for a business, particularly one that has a lot of laptops, I make sure to intercept all DNS traffic and redirect it to a local server (since most of the boxes are routers, firewalls, NTP and DNS servers all in one, running (Open|Free)BSD, this is easier).
For PF, it's as simple as:
rdr pass on $if proto {tcp,udp} from any to any port 53 -> 127.0.0.1 port 53
If you still use IPFilter, use this rule in ipnat.rules:
rdr de0 0.0.0.0/0 port 53 -> 127.0.0.1 port 53 tcp/udp
I'd do it at the router level, myself. Lots of routers out there with easy or default passwords, and if you know the interface for that particular model/company, then changing the DNS settings would be easy as pie.
Get a lot of folks who have the money for a broadband connection that way--the folks with money and not much sense who are really ideal for identity theft.
In Xanadu did Kubla Khan
A stately pleasure dome decree
Now I'm afraid that I'm a victim of this scam. It looks like this "Slashdot" site I've been using could actually be nothing more than a bad spoof...
If ISPs would offer an optional "cleaning" service to block suspicious activity not only would fewer people fall victim, but the bang-for-the-buck would go down and it might not be worth the scammer's effort.
A cleaning service would act like a deep-packet-inspection router but at the ISP head end.
Useful services to offer:
* net-nanny/thinkofthechildren content blocking
* block known hostile/poisoned sites
* tattletale/reporting
* time-of-day blocking
* login-required services - no port 80 or 443 without a cookie identifying which member of the family is using the computer
* DNS interception/reroute to canonical ISP DNS
* DNS interception/reroute to modified-for-the-customer ISP-provided DNS
* DNS interception blocking DNS to known rogue sites
* much, much more
* Arbitrary, customer-controlled port blocking for inbound and outbound ports
ISPs should offer "protect the network" or "protect from criminal activity" blocks like poisoned-DNS blocks for free/build the cost into their basic rates, and charge a premium for parental-control/business-use-control services.
Of course they shouldn't force anyone to use these services if they don't want to.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Try it: resolver1.opendns.com and resolver2.opendns.com return a CNAME for www.google.com. When you use OpenDNS, your browser really connects to google.navigation.opendns.com instead of www.google.com, and that name resolves to an OpenDNS IP address. Bet you didn't expect that from a service which touts itself as "Open" something...
With all due respect, there aren't that many different kinds of AV software out there, and only a relatively limited number of configurations possible. The changes to hosts.txt would be relatively small and would be easy to insert on a compromised computer--you could rehost all the common AV servers in hosts.txt with a relatively small worm payload, for instance--no version detection necessary.
In Xanadu did Kubla Khan
A stately pleasure dome decree
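The hosts-file tampering described in the two comments above (an AV vendor's update servers pointed at localhost, or a worm that rewrites the entries for every common vendor at once) is easy to check for mechanically. The following Python is an added example, not code from the thread or from any vendor: it parses hosts-file text, flags entries that sinkhole or redirect update hosts, and compares a configured resolver list against an allow-list. The vendor hostnames, the sample hosts file, the resolver list and the allow-list are all constructed for the example.

```python
import ipaddress

# Hypothetical vendor update hostnames an attacker would want to sinkhole.
UPDATE_HOSTS = {
    "update.example-av.com",
    "dl.example-av.com",
    "update.example-os.com",
}

# Resolvers the administrator actually intends the machines to use (assumed).
ALLOWED_RESOLVERS = {"10.0.0.1", "10.0.0.2"}

# Constructed hosts file: the first two lines are normal, the rest are the
# kind of entries the thread describes.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# entries nobody remembers adding
127.0.0.1       update.example-av.com
0.0.0.0         dl.example-av.com
203.0.113.7     update.example-os.com   # pointed at a foreign address
"""

# Constructed resolver list, e.g. what `netsh interface ip show dns` or
# /etc/resolv.conf would report after a malware or router change.
SAMPLE_RESOLVERS = ["10.0.0.1", "198.51.100.53"]


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text.

    Comments (#...) and blank lines are skipped; lines whose first field is
    not an IP address are ignored rather than treated as entries.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def hosts_findings(text):
    """Return (kind, hostname, ip) triples for suspicious hosts entries.

    'sinkholed'  - an update host mapped to loopback or 0.0.0.0
    'redirected' - an update host mapped to some other address
    'blackholed' - any other non-localhost name mapped to loopback/0.0.0.0
                   (ad-blocking hosts lists look like this too, so review
                   rather than auto-remove)
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        null_route = ip.is_loopback or ip.is_unspecified
        if name in UPDATE_HOSTS:
            kind = "sinkholed" if null_route else "redirected"
            findings.append((kind, name, str(ip)))
        elif null_route:
            findings.append(("blackholed", name, str(ip)))
    return findings


def resolver_findings(resolvers):
    """Return configured nameservers that are not on the allow-list."""
    return [r for r in resolvers if r not in ALLOWED_RESOLVERS]


if __name__ == "__main__":
    for finding in hosts_findings(SAMPLE_HOSTS):
        print("hosts:", *finding)
    for rogue in resolver_findings(SAMPLE_RESOLVERS):
        print("resolver not on allow-list:", rogue)
```

On a real machine you would feed it the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and the resolver list from the OS; the point is that both the "update server to localhost" trick and the "switch the nameserver" trick are visible in two small text files, so a periodic diff against a known-good copy catches them without needing the AV product itself to be trustworthy.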
If an ISP expects me to use their DNS service, they have to tell me, either up-front or as part of the DHCP configuration request.
Otherwise, I'll have to use someone else's DNS or do without.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Malicious software purporting to be an unrelated application could easily ask a user to authenticate with admin credentials during the installation.
Wham-bam, the porn-viewer, or icon-designer has now changed your DNS settings...
Considering that most OS X virus scanners are still either in infancy, or completely ineffective this would be an easy target.
What's the best strategy against something like this? Installing apps in ~/Applications vs /Applications?
Maybe Apple could make that the default behavior, or at least a user preference via Account settings.
If you don't know what AltaVista is (was), get off my lawn.
Ooooh, you cannot reach me now
Ooooh, no matter how you try
Goodbye, cruel 'Net, it's over
Surf on by.
Sitting in a bunker here behind fire-wall
Waiting for the worms to come.
In perfect isolation here behind fire-wall
Waiting for the worms to come.
We're {waiting to succeed} and going to convene outside Pharmington
Dot Com where we're going to be...
Waiting to infect their PC.
Waiting to read all their e-mail.
Waiting to follow the worms.
Waiting to set up fake bank sites.
Waiting to update the rootkits.
Waiting to smash in their windows
And change their config.
Waiting for the final solution
To "clean up" this strain.
Waiting to follow the worms.
Waiting to gather their idents
And pretend to be them.
Waiting for windows based desktops
and laptops and cell phones.
Waiting to follow the worms.
Would you like to see deposits
bank, again, my friend?
All you have to do is follow the worms.
Would you like to send your credit rating
Home to me, my friend?
All you need to do is follow the worms.
If you mod me down, I shall become more powerful than you could possibly imagine.
I understand your point, but this was clearly a targeted attack - no other servers were listed, the only entries in my hosts file were the ones I had inserted and the four AV servers. In addition, I do not use a mainstream AV program (i.e. Norton or McAfee) - I use Avira Antivir. It is primarily unheard of in North America, although it is, hands down, the best AV software I have ever used (or at least since the days of F-Prot for DOS). This is why it baffled me so much. If you were to write a worm to modify the hosts file, why not make it for one of the big-name AV programs? Or, as mentioned, why not make it for as many as you can think of?
.sig
So far, so nothing much. However, it's the first response to queries that matters, not who responds. So if your DNS has false entries for other sites, and those entries get back before the real ones do, then the query will return the false results. Oh, I've made use of this feature in helpful ways. I had a problem with an associated group having an unstable DNS server. This made establishing connections unreliable, so I simply transferred the zone to my own DNS server, which (naturally) I'd set up rather better. Problem solved. Totally unassociated network, but DNS just doesn't give a damn.
A malicious person who had the means of poisoning caches or corrupting local entries can use this exact same property to return falsified records for other servers. Any server could be modified to claim to be such-and-such a machine. Makes no odds that it's on a different network, it only has to get the response to the target machine first. You've then got a way of carrying out phishing scams in which the hostname is genuinely fine but the machine that it points to could be anything and anywhere.
DNS has optional security and authentication mechanisms, but nobody uses them so they don't make a difference. Only one infiltrated DNS system would be enough to cause problems, but tens of thousands pushes the problem into the high risk arena.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
True. Many normal users worry about securing their systems, but they completely forget about their routers.
Of course, unless they've enabled remote administration, you wouldn't be able to access the router from outside the user's home LAN. That's where hacking the wireless connection comes in. ^_^
____
~ |rip/\/\aster /\/\onkey
The problem with that is that they'll either have had to enable WAN router control panel access (unlikely if they weren't bright enough to change the default password) or you have to physically hit their network - even if just wardriving. I'm sure you'd be intelligent enough to clear out the router logs, but if someone else manages to get the machines themselves on the network infected with a DNS server attack, that's going to override your own.
How are sites slashdotted when nobody reads TFAs?
just block outgoing dns requests from your lan interface, secure your router and make everything on your network use 10.0.0.1 (or whatever) for dns...
Perhaps there's a vulnerability in that particular platform that lends itself to spreading something in particular?
;-p
Or perhaps the author of the exploit wishes to spread things in a subtle manner, so as to delay discovery of their malware?
Or maybe someone's after you. Check your tinfoil hat.
In Xanadu did Kubla Khan
A stately pleasure dome decree
The threat described has been understood for quite a while. Standards for applying digital signatures to DNS data have been in the works for a decade and recently there has been a lot of progress in implementation. Current versions of BIND and several other DNS packages provide DNSSEC support. Several Country Code TLDs are signed. Verisign has just announced support support for DNSSEC in the root zone ("."). Check out dnssec.net, dnssec-deployment.org, etc.
Do it via the usual means, then--the browser hijack, or the email trojan, or whatever else you'd want to use.
In Xanadu did Kubla Khan
A stately pleasure dome decree
Really, think about this. The internet is a zillion network devices attached. Don't you agree you can create a rogue DNS server just as easily as creating a rogue router? It comes down to how much homework you did when choosing your ISP.
Once you've got the router infected, you could use your new control over domains to inject other things to infect the machines, I suppose.
Or do it in reverse order, and get the machine first and the router after--so even if they fix their machine, on the next resynchronization they'd be hijacked again.
In Xanadu did Kubla Khan
A stately pleasure dome decree
Setting the Avira address to localhost gets rid of the nag ads to buy the non-free version. Somebody using your computer changed the hosts file.
Intron: the portion of DNA which expresses nothing useful.
Don't you have to be kinda stupid to fall for that?
Well now, that is informative. I'm glad to hear that it was likely this, rather than a virus, although concerned that someone other than me (with that amount of technical knowledge, my gf is non-technical) was using my computer. Regardless, I will gladly take the benefit of having automatic updates over the cost of having a single advertisement a day for the free version; I don't mind the ads at all, and it's not browser-based ads, so I have no complaints. Anyhow, removing the offending hosts entries solved my problem and I was off to the races again.
.sig
and should be ditched immediately. It's insecure and slow. We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.
Enlightenment? It's just a flush in the pan.
If you can find them, and count them, why can't you kill them off as well?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Because I use OpenDNS I figured I'd look into this. Apparently the intent of this was to prevent spyware on some Dell computers from completely filling up any typoed addresses with ads. This link goes into more detail:
http://blog.opendns.com/2007/05/22/google-turns-the-page/
"The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
This might help: http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf
Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Your ISP's server could also do a zone transfer from a rogue DNS server and get poisoned cache. But most smart ISPs won't allow that.
I hate sigs.
Yeah, actually this is *exactly* why I use OpenDNS.
As you probably already know (why else are you posting as an AC?) this is a workaround for a nasty thing that Dell and Google have come up with to present the user with a screen full of ads when they make a typo in the search box. It's installed by default on new Dell machines. It's impossible for an ordinary user to turn off. I'm a hardcore techie and I had a rough time with it on my new Inspiron. More details here: http://blog.opendns.com/2007/05/22/google-turns-the-page/
So, AC, do you work for Google or Dell? Shame on you in either case for spreading this FUD. If you work for Google, even more shame for violating the "don't be evil" policy. Because this is pretty fucking evil, and trying to convince people not to use OpenDNS because of it is even more evil.
Don't most routers disable wireless control panel access by default as well?
FUD? There's no FUD about it: if you use OpenDNS and perform a Google search, your search queries are being proxied through OpenDNS's servers. That's quite a breach of trust because -- unless they've changed something since I last checked -- this proxying of search data isn't exactly advertised to the user in advance. Even if I felt I could absolutely trust OpenDNS with all my data, such covert behavior would still make me uncomfortable.
As for the Google/Dell deal: yeah, it's evil, and the OpenDNS guys are right to bring attention to it. But it's a problem that needs to be solved at the application level, not by mucking around with users' DNS whether they're on an affected Dell or not. It's the wrong place and the wrong approach to solve this problem, and borderline creepy to boot.
I'm not sure why you're so angry with the Anonymous Coward for pointing this out; everything he said was unbiased and factually accurate. If the truth is going to "convince people not to use OpenDNS," then so be it.
It can't be that hard to remove/ignore.. Or does it hook into other browsers than MSIE as well?
But still, that thing is indeed a little bit disappointing. I'm not sure if OpenDNS has the right to call it spyware though. It seems to fit the definition of adware. But like this, OpenDNS can see everything that's supposed to go to google.com. And IMHO, a truly paranoid person should trust OpenDNS as much as he/she trusts Google... Pot, kettle?
Trojans. I removed some recently on somebody's system; they get it by downloading those fake codecs.
You can fool most people into doing anything these days, it's called social engineering.
All I can find is a bunch of copies of the AP article.
That doesn't mean, of course, that logging onto a random "linksys" SSID in a residential neighborhood won't actually get you a rogue DNS installed on a virus-infected computer, or a kid's wireless system trolling for passwords from nearby gamerz. But those are at least not *guaranteed* to be hijacking you.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I don't own a Dell nor do I have any Google software installed on my computer. Why again would I want to have my Google searches hijacked by my DNS provider? How is hijacking search results justified in that case?
Why accuse someone of working for Google or Dell when they say they don't want their searches hijacked?
Note, I don't work for Google or Dell or OpenDNS. Actually I just run BIND 9 on my network to do DNS recursion and get the answers from authority nameservers directly. Cut out the middleman and save yourself a lot of trouble if it is such a big deal.
My rogue dhcpd servers ... muhahahaha! thank you ISC...
Getting rid of the Avira nag is much easier than that. Just create a hash rule on the nag exe. I think you can even delete it, but I'm not sure.
The government can't save you.
"I'm glad to hear that it was likely this, rather than a virus, although concerned that someone other than me (with that amount of technical knowledge, my gf is non-technical) was using my computer."
In the google age a solution for a problem like that can be found and used by a non-technical person easily. It's entirely possible that your girlfriend saw the ad, was annoyed, googled it, and found a step-by-step to get rid of it.
Now get off slashdot! You're not allowed to have a girlfriend here! Can you imagine the damage it would do to our stereotypes if it got around that people on slashdot were in relationships!?
There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
Ahh! The cache on YOUR dns gets poisoned.
Christ! There's a wiki page about it... (I digress)
The security rundown on how it happens:
http://www.secureworks.com/research/articles/dns-cache-poisoning/
Step 1 - Attacker sends a large number of queries to the victim nameserver, all for the same domain name.
Step 2 - Attacker sends spoofed replies giving fake answers for the queries it made.
Get the picture?
Solution: Apply patches to your DNS server. ( i.e. patch your MS Server )
Cert notification:
http://www.kb.cert.org/vuls/id/484649
It seems that the fundamental problem with DNS poisoning is that the token field of DNS packets is too short to prevent a brute-force or birthday attack. The long term solution is definitely a solution involving certificates, but I think that there might be a short-term solution.
Can a DNS request ask for two domains at once? If so, I think that this sort of attack could be blocked without having to upgrade all servers at once.
In addition to your normal request, you could ask for the IP address of "jl39dl9z.bogus.dns". When the reply comes back, it will naturally say that "jl39dl9z.bogus.dns" does not exist. The garbage name would be used as an additional token - that the server replied with it at all shows that the correct DNS server received the packet and replied. An attacker wouldn't be able to guess it.
Am I totally wrong about this? I don't know the actual DNS protocol.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
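The Step 1/Step 2 description above, the earlier point that the first matching response wins, and the observation that the ID field is too short to stop a brute-force guess all describe the same race. The following Python is an added example, not code from the thread: it models a blind attacker flooding forged replies against a resolver that picks a random 16-bit transaction ID, with and without a randomised query source port, and reports both the analytic win probability and a seeded simulation. The fixed-port attacker behaviour, the ephemeral-port count and the trial counts are modelling assumptions for the example.

```python
import random

TXID_SPACE = 1 << 16               # DNS transaction ID is a 16-bit field
PORT_SPACE = (1 << 16) - 1024      # usable ephemeral source ports (assumed)


def race_win_probability(spoofed_replies, randomise_port):
    """Chance that one flood of spoofed replies beats the real answer.

    A blind attacker has to match the transaction ID, and the query's
    source port as well if the resolver randomises it.
    """
    space = TXID_SPACE * (PORT_SPACE if randomise_port else 1)
    return min(spoofed_replies, space) / space


def expected_races(spoofed_replies, randomise_port):
    """Races an attacker expects to run before one succeeds.

    If the attacker can trigger a fresh query for a new random name each
    time, it can retry as often as it likes without waiting for a TTL,
    so this is the real cost of the attack.
    """
    return 1.0 / race_win_probability(spoofed_replies, randomise_port)


def simulate_race(spoofed_replies, randomise_port, rng):
    """One query: resolver picks its ID (and port); attacker floods guesses.

    The attacker sends `spoofed_replies` forgeries with consecutive IDs from
    a random start, all to one guessed port (assumption: it guesses the
    fixed port a non-randomising resolver uses).  The resolver accepts the
    first reply whose ID and port match, so a hit means the real answer,
    arriving later, is discarded.
    """
    txid = rng.randrange(TXID_SPACE)
    port = rng.randrange(PORT_SPACE) if randomise_port else 0
    guessed_port = 0
    start = rng.randrange(TXID_SPACE)
    id_hit = (txid - start) % TXID_SPACE < spoofed_replies
    return id_hit and guessed_port == port


def poison_rate(trials, spoofed_replies, randomise_port, seed=1):
    """Fraction of simulated races the attacker wins (seeded, reproducible)."""
    rng = random.Random(seed)
    wins = sum(simulate_race(spoofed_replies, randomise_port, rng)
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    for randomise in (False, True):
        label = "random port" if randomise else "fixed port"
        print(label,
              "p(win)=%.2e" % race_win_probability(1000, randomise),
              "expected races=%.0f" % expected_races(1000, randomise),
              "simulated=%.4f" % poison_rate(20000, 1000, randomise))
```

With a fixed source port, a thousand forged replies per race win roughly one race in sixty-five, so a patient attacker who can keep triggering queries gets in within minutes; adding a random 16-bit-ish source port multiplies the search space by tens of thousands and pushes the same attacker into days or weeks of flooding, which is why the patches referenced in the comment above randomise the port rather than only the ID. Signed records (DNSSEC) close the race entirely, since a forged answer then fails validation even if it arrives first.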
Not only that, they are probably a bit slow. You can do a ping to the nameserver to see how close/fast it is. Some nameservers have the ping port closed, so it doesn't work all the time, and if you would not like a knock on your door... try to avoid poking around the DoD or DHS's security.
Get a look at WhiteHouse.com!!! Hey.....
You read the DNS book. :P
You can also use other DNS roots:
http://en.wikipedia.org/wiki/Alternative_DNS_root
And this is also a reason Dell doesn't like Linux on consumer desktop PCs; they lose all that recurring ad revenue.
now we need to go OSS in diesel cars
I've read TFA and every comment on this page.
Can somebody actually show me a "rogue" DNS server?
What constitutes a "rogue" dns server? One that doesn't track exactly the US Government root or one that has incorrect addresses for sites for commercial gain (ie paypal, banks etc).
About a decade ago a guy went to prison for redirecting the internic by DNS cache poisoning. It was a big deal. Now I'm supposed to believe 60,000 people are doing it and it's not in the news?
The half dozen or so ISPs around here, and Hughes sat, use a "transparent" web cache proxy. Doesn't matter what DNS servers you tell your computer to use, you get the DNS your ISP wants you to see, at least for web. Other protocols are unaffected. My understanding is this is quite widespread.
Need Mercedes parts ?
It could be possible that your ISP's DNS has a bad DNS entry, or someone could be performing "man-in-the-middle" sniffing of DNS requests and pointing your computer to one of "their" DNS servers.
Ok well, is this a public mini-network? maybe someone else with a "bit" of knowledge who was using it got sick of it trying to update?
"why not make it for as many as you can think of?"
Maybe it did, and maybe it checks what is installed, and only adds the necessary ones for that software.
And who knows, maybe you blocked it yourself? Maybe AntiVir (if it's the "Security Suite") blocked itself? Perhaps a little too trigger happy with the dialogs? Or maybe another firewall that for whatever reason uses your HOSTS file? (which I don't think I've ever seen, but quite a few SpyWare scanners do)...
And as another side note, if AntiVir doesn't protect your HOSTS file, it's obviously not that good, considering I think even Norton has gotten that far...
"If you're so concerned about OpenDNS playing around with your information, use this other site! They're trustworthy, I swear!" Not convinced.
Wow - thanks for that.
I've been using opendns for years - It's faster, reliable, and an easy choice.
I had no IDEA they were returning fake queries for google...... that's just nasty, and maybe even illegal.
Use OpenDNS as your DNS server.
Problem solved as long as you ensure your computers continue to use it.
(Disclaimer: I am a happy user of their service)
They use IP Addresses. If you want more manliness (mod up +1 machismo) use MAC addresses.
One ring to bind them - should probably have more fiber and less rings in their diet.
There was an ISP who also hosts websites. A particular website was hosted with them (it was not operational and it pointed to the ISP homepage), and then they transferred to another host. If you used a connection on that particular ISP then it would still redirect to their homepage. They never changed the DNS settings; rather, they don't automatically update their DNS server. When asked they said that they forgot to change it. I pointed out that DNS servers are supposed to be updated automatically. The website owner was not willing to sue them. This was in 2001; at that time I had posted this in a few forums asking if this was illegal, but nobody knew what I was talking about (at least in those forums, which were web design related). Well, they are closed now. But I feel these rogue servers can be used by ISPs and cyber centres. Otherwise I don't see how these rogue servers could affect someone. AAhhh, if a virus/malware/spyware could be written to change the DNS server settings in your network properties then these DNS servers could be dangerous. I think this is the only way they can be used.
I've never heard of that being a major problem. Most people today use routers that you can easily password lock as to the DNS server and other settings. And by default those routers are never accessible from the Internet even with no password. There are plenty of good alternative DNS servers people use for various reasons that are not rogue or evil. You can fix your DNS server settings even while keeping your IP setting DHCP in the Linux and Windows OS so they go to the DNS servers of your choice (usually people use their ISP's by default) and do not rely upon. Host.txt if used or hosts can be locked to root. I think Windows settings are encrypted and not easily changeable by any virus.
Unfortunately (stupidly), no. In the UK, "wireless broadband" as advertised all over the place = an 802.11b/g router and modem, with possibly a few 10/100 Ethernet ports: you can hit the admin page from a wireless IP as well as a wired, and on mine (SpeedTouch 780), there's no obvious feature to disable it.
In my sample code, change 127.0.0.1 to the IP address of the DNS server you wish to use.