Number of Rogue DNS Servers on the Rise
bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet. The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"
Once a machine has been compromised you can add your own certificate server to the list too. And start handing out certs for whatever bullshit you want.
“Common sense is not so common.” — Voltaire
netsh interface ip set dns "Local Area Connection" static 4.2.2.4
netsh interface ip add dns "Local Area Connection" 4.2.2.1 index=2
Doesn't seem too hard to fix this exploit, sneaky as it may sound. Of course, run FF/NoScript etc...
"Once an end user's computer has been modified to use a poisoned DNS server" .. it's right there in the post. You don't even have to RTFA.
“Common sense is not so common.” — Voltaire
You can run Rogue on a DNS server? Sweet! I know what I'm doing this weekend...
I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
Whenever I set up the network infrastructure for a business, particularly one that has a lot of laptops, I make sure to intercept all DNS traffic and redirect it to a local server (since most of the boxes are routers, firewalls, NTP and DNS servers all in one, on (Open|Free)BSD this is easier).
For PF, it's as simple as:
rdr pass on $if proto {tcp,udp} from any to any port 53 -> 127.0.0.1 port 53
If you still use IPFilter, use this rule in ipnat.rules:
rdr de0 0.0.0.0/0 port 53 -> 127.0.0.1 port 53 tcp/udp
I'd do it at the router level, myself. Lots of routers out there with easy or default passwords, and if you know the interface for that particular model/company, then changing the DNS settings would be easy as pie.
Get a lot of folks who have the money for a broadband connection that way--the folks with money and not much sense who are really ideal for identity theft.
In Xanadu did Kubla Khan
A stately pleasure dome decree
Now I'm afraid that I'm a victim of this scam. It looks like this "Slashdot" site I've been using could actually be nothing more than a bad spoof...
If ISPs would offer an optional "cleaning" service to block suspicious activity not only would fewer people fall victim, but the bang-for-the-buck would go down and it might not be worth the scammer's effort.
A cleaning service would act like a deep-packet-inspection router but at the ISP head end.
Useful services to offer:
* net-nanny/thinkofthechildren content blocking
* block known hostile/poisoned sites
* tattletale/reporting
* time-of-day blocking
* login-required services - no port 80 or 443 without a cookie identifying which member of the family is using the computer
* DNS interception/reroute to canonical ISP DNS
* DNS interception/reroute to modified-for-the-customer ISP-provided DNS
* DNS interception blocking DNS to known rogue sites
* much, much more
* Arbitrary, customer-controlled port blocking for inbound and outbound ports
ISPs should offer "protect the network" or "protect from criminal activity" blocks like poisoned-DNS blocks for free/build the cost into their basic rates, and charge a premium for parental-control/business-use-control services.
Of course they shouldn't force anyone to use these services if they don't want to.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Try it: resolver1.opendns.com and resolver2.opendns.com return a CNAME for www.google.com. When you use OpenDNS, your browser really connects to google.navigation.opendns.com instead of www.google.com, and that name resolves to an OpenDNS IP address. Bet you didn't expect that from a service which touts to be "Open" something...
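Added example (not part of the comment above or of OpenDNS): a small stdlib-only DNS client and parser that follows the CNAME chain in a response and flags when the chain ends in a different registrable domain than the name that was asked for, which is exactly the www.google.com -> google.navigation.opendns.com case the commenter describes. The response it parses offline is constructed here (192.0.2.1 is a documentation address, not anything OpenDNS returns); `query_resolver` sends the same query to a real resolver, so pointing it at 127.0.0.1 is also a quick way to confirm that a port-53 redirect rule like the PF one earlier in the thread is actually catching traffic.

```python
import socket
import struct

TYPE_A, TYPE_CNAME = 1, 5

def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Standard recursive query: header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels).lower(), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(data):
    """Return (questions, answers); answers are (owner, type, rdata) tuples."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_CNAME:
            rdata, _ = read_name(data, offset)          # may point back into the message
        elif rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in data[offset:offset + 4])
        else:
            rdata = data[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((name, rtype, rdata))
    return questions, answers

def follow_cnames(qname, answers):
    """Walk the CNAME chain from qname; return (chain, A addresses at its end)."""
    name, chain = qname.lower(), [qname.lower()]
    while True:
        target = next((r for n, t, r in answers if n == name and t == TYPE_CNAME), None)
        if target is None or target in chain:            # end of chain, or a loop
            break
        chain.append(target)
        name = target
    return chain, [r for n, t, r in answers if n == name and t == TYPE_A]

def base_domain(name):
    return ".".join(name.split(".")[-2:])   # last two labels; a public-suffix list would be exact

def cname_leaves_domain(chain):
    """True when the chain ends in a different registrable domain than it began in."""
    return base_domain(chain[0]) != base_domain(chain[-1])

def query_resolver(server, name, timeout=2.0):
    """Send build_query() to a resolver over UDP and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_response(s.recv(4096))

def build_sample_response(txid=0x1234):
    """Constructed response of the shape the comment describes (not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = encode_name("www.google.com") + struct.pack("!HH", TYPE_A, 1)
    target = encode_name("google.navigation.opendns.com")
    cname_rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(target)) + target
    a_rr = target + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + cname_rr + a_rr

if __name__ == "__main__":
    _, answers = parse_response(build_sample_response())
    chain, addrs = follow_cnames("www.google.com", answers)
    print(" -> ".join(chain), addrs, "redirected" if cname_leaves_domain(chain) else "ok")
```

The two-label `base_domain` heuristic is deliberately crude; it is enough to separate google.com from opendns.com, but for names under suffixes like co.uk a public-suffix list is needed before treating a cross-domain CNAME as anything more than a lead.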
With all due respect, there aren't that many different kinds of AV software out there, and only a relatively limited number of configurations possible. The changes to hosts.txt would be relatively small and would be easy to insert on a compromised computer--you could rehost all the common AV servers in hosts.txt with a relatively small worm payload, for instance--no version detection necessary.
In Xanadu did Kubla Khan
A stately pleasure dome decree
If an ISP expects me to use their DNS service, they have to tell me, either up-front or as part of the DHCP configuration request.
Otherwise, I'll have to use someone else's DNS or do without.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Ooooh, you cannot reach me now
Ooooh, no matter how you try
Goodbye, cruel 'Net, it's over
Surf on by.
Sitting in a bunker here behind fire-wall
Waiting for the worms to come.
In perfect isolation here behind fire-wall
Waiting for the worms to come.
We're {waiting to succeed} and going to convene outside Pharmington
Dot Com where we're going to be...
Waiting to infect their PC.
Waiting to read all their e-mail.
Waiting to follow the worms.
Waiting to set up fake bank sites.
Waiting to update the rootkits.
Waiting to smash in their windows
And change their config.
Waiting for the final solution
To "clean up" this strain.
Waiting to follow the worms.
Waiting to gather their idents
And pretend to be them.
Waiting for windows based desktops
and laptops and cell phones.
Waiting to follow the worms.
Would you like to see deposits
bank, again, my friend?
All you have to do is follow the worms.
Would you like to send your credit rating
Home to me, my friend?
All you need to do is follow the worms.
If you mod me down, I shall become more powerful than you could possibly imagine.
Even SSL fails with this method of attack.
Too many ways to add a new root certificate.
Actually, I ran across some malware that did something similar a few years ago. This malware modified the registry to put in an invisible SOCKS proxy, so all HTTP traffic went to the internet via its own server, which sniffed all packets en route. It was a real bitch to get rid of...once I removed the obvious parts, HTTP was just plain broken until I fixed the malicious registry entries.
____
~ |rip/\/\aster /\/\onkey
The threat described has been understood for quite a while. Standards for applying digital signatures to DNS data have been in the works for a decade and recently there has been a lot of progress in implementation. Current versions of BIND and several other DNS packages provide DNSSEC support. Several Country Code TLDs are signed. Verisign has just announced support for DNSSEC in the root zone ("."). Check out dnssec.net, dnssec-deployment.org, etc.
Setting the Avira address to localhost gets rid of the nag ads to buy the non-free version. Somebody using your computer changed the hosts file.
Intron: the portion of DNA which expresses nothing useful.
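Added example, written for this thread rather than taken from any commenter: a hosts-file audit for the two situations raised above, the worm that rehosts antivirus update servers in the hosts file (the "hosts.txt" comment) and the Avira-to-localhost entry just mentioned. It parses hosts-file syntax (comments, blank lines, several names per line, IPv4 and IPv6), flags any entry for a watched vendor domain, and separately flags one non-loopback address being used for names in two or more different domains, which is what "rehost all the common AV servers" looks like on disk. The sample file content and the `WATCHED_DOMAINS` list are constructed; a real run would point `audit_hosts` at /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts with the vendor domains of the products actually installed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts-file content (not taken from any real machine).
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.example.test   # legitimate internal name

# entries of the kind the comments above describe
127.0.0.1       update.avira-vendor.example
198.51.100.7    liveupdate.av-vendor.example download.av-vendor.example
198.51.100.7    www.bank.example
"""

# Hypothetical vendor domains; a real audit lists the update and licensing
# hosts of the security products actually installed.
WATCHED_DOMAINS = ("avira-vendor.example", "av-vendor.example")

def parse_hosts(text):
    """Yield (line_number, ip_address, [hostnames]) for each active line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address; resolvers skip it too
        yield lineno, addr, [h.lower() for h in fields[1:]]

def base_domain(name):
    return ".".join(name.split(".")[-2:])        # last two labels; crude but adequate here

def is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def audit_hosts(text):
    """Return findings as (kind, line_number, subject, address) tuples."""
    findings = []
    domains_by_addr = defaultdict(set)
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            if is_watched(name):
                # Pinning a vendor name to loopback silently breaks updates;
                # pinning it anywhere else hands the update channel to that host.
                kind = "watched-name-to-loopback" if addr.is_loopback else "watched-name-overridden"
                findings.append((kind, lineno, name, str(addr)))
            if not (addr.is_loopback or addr.is_link_local):
                domains_by_addr[str(addr)].add(base_domain(name))
    # One address standing in for names from several unrelated domains is the
    # signature of a bulk rehost, whether or not the names are on the watch list.
    for addr, domains in domains_by_addr.items():
        if len(domains) >= 2:
            findings.append(("shared-address", None, ",".join(sorted(domains)), addr))
    return findings

def audit_file(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit_hosts(f.read())

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

The loopback-versus-elsewhere distinction matters for triage: the localhost case is usually a nag-blocking edit like the one described above and costs the user their updates, while an entry pointing at an outside address means someone else now answers as the vendor, so it deserves the same response as a rogue resolver.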
Too many ways to add a new root certificate. You'd have to edit the cache so that the new key matches though (because it won't be the same one).
May contain traces of nut.
Made from the freshest electrons.
Well, when I say "host it themselves", I'm pretty sure the proxy machine isn't theirs physically. In all probability, it's another 0wned box, chosen for this role due to its higher specs and fatter pipe. Then, the system can periodically dump the accumulated data to another location (like an obscure newsgroup) for later retrieval.
____
~ |rip/\/\aster /\/\onkey
and should be ditched immediately. It's insecure and slow. We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.
Enlightenment? It's just a flush in the pan.
"The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
This might help: http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf
Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Yeah, actually this is *exactly* why I use OpenDNS.
As you probably already know (why else are you posting as an AC?) this is a workaround for a nasty thing that Dell and Google have come up with to present the user with a screen full of ads when they make a typo in the search box. It's installed by default on new Dell machines. It's impossible for an ordinary user to turn off. I'm a hardcore techie and I had a rough time with it on my new Inspiron. More details here: http://blog.opendns.com/2007/05/22/google-turns-the-page/
So, AC, do you work for Google or Dell? Shame on you in either case for spreading this FUD. If you work for Google, even more shame for violating the "don't be evil" policy. Because this is pretty fucking evil, and trying to convince people not to use OpenDNS because of it is even more evil.
> You'd have to edit the cache so that the new key matches though (because it won't be the same one).
Heck, when you have enough access to a machine to change its DNS settings, you have enough access to flush the cache or to just disable all SSL safety checks.
FUD? There's no FUD about it: if you use OpenDNS and perform a Google search, your search queries are being proxied through OpenDNS's servers. That's quite a breach of trust because -- unless they've changed something since I last checked -- this proxying of search data isn't exactly advertised to the user in advance. Even if I felt I could absolutely trust OpenDNS with all my data, such covert behavior would still make me uncomfortable.
As for the Google/Dell deal: yeah, it's evil, and the OpenDNS guys are right to bring attention to it. But it's a problem that needs to be solved at the application level, not by mucking around with users' DNS whether they're on an affected Dell or not. It's the wrong place and the wrong approach to solve this problem, and borderline creepy to boot.
I'm not sure why you're so angry with the Anonymous Coward for pointing this out; everything he said was unbiased and factually accurate. If the truth is going to "convince people not to use OpenDNS," then so be it.
That doesn't mean, of course, that logging onto a random "linksys" SSID in a residential neighborhood won't actually get you a rogue DNS installed on a virus-infected computer, or a kid's wireless system trolling for passwords from nearby gamerz. But those are at least not *guaranteed* to be hijacking you.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks