Slashdot Mirror

← Back to Stories (view on slashdot.org)

Number of Rogue DNS Servers on the Rise

Posted by Zonk on from the servers-what-fib dept.

bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet, The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"

27 of 154 comments (clear)

  1. certs too by OrangeTide · · Score: 4, Interesting

    Once a machine has been compromised you can add your own certificate server to the list too. And start handing out certs for whatever bullshit you want.

    --
    “Common sense is not so common.” — Voltaire
  2. read more, submit less by OrangeTide · · Score: 4, Informative

    "Once an end user's computer has been modified to use a poisoned DNS server" .. it's right there in the post. You don't even have to RTFA.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:read more, submit less by Hamstaus · · Score: 5, Informative

      The same way your machine would get compromised to have a virus or spyware. Any virus could easily modify your hostname or DNS settings to use a rogue DNS server. You may not know it, but if you're using DHCP, one of the first things your computer (or router) does when it connects to your ISP is to ask what DNS servers it should use. Generally you'll use your ISP's DNS servers. If you're not using DHCP, you'll have had to enter the DNS settings yourself. In any event, it's an easily manipulated property of your network connection. Any virus or software flaw could be utilized to change your DNS to a rogue server. I bet unpatched IE Javascript flaws could even do it.

      --
      I moderate "-1, Fool"
    2. Re:read more, submit less by FelixGordon · · Score: 3, Interesting

      Perhaps you're one of the many people with an insecure wireless network using the default admin/password combination?

      Or perhaps you're one of the many people clever enough to use someone else's insecure wireless network to access the internet?

    3. Re:read more, submit less by Anonymous Coward · · Score: 4, Insightful

      Easier than you think to use a rogue DNS server. Two words: Open WIFI.

      The default networking settings in a computer is to grab IP and DNS settings from the WIFI. This will get the rogue DNS right in.

      The way around is to change networking settings to have the DNS to point to a pre-chosen known ISP, but how many are doing that.

    4. Re:read more, submit less by NotBorg · · Score: 3, Interesting

      Ideally this would be something that could only be done via an infrequently used administrator account. The reality, however, is that most windows installs are setup to automatically login to an administrator account by default. Most Windows users don't even know they are doing it.

      Personally I think the boys and girls at MS should release a critical security update (you know ones that go off regardless of weather you have them enabled or not [-1 troll]) which launches a wizard to educate users about the differences between an administrator and non-administrator accounts. In addition, the wizard would assist in creating a non-administrator account and migrating the user's files and settings to it.

      Call me crazy, but when I installed Linux it was a natural thing from the get go that I shouldn't do everything as root only things that could not be done otherwise. I don't have to worry much that my host file or DNS settings got owned. Lots of things don't get owned. Windows could be made closer to this.

      --
      I want this account deleted.
  3. Re:Simple fix for those running Windows? by TripMaster+Monkey · · Score: 4, Insightful

    Of course it's not difficult to fix...the problem is that most users aren't going to check their DNS settings like you or I would...heck...most users don't even know what a DNS server is.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  4. Re:Simple fix for those running Windows? by mlts · · Score: 3, Interesting

    I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers.

    Then clients can grab the results from any DNS server and validate that they are actual results or phonies.

    Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.

  5. Huh? by JK_the_Slacker · · Score: 4, Funny

    You can run Rogue on a DNS server? Sweet! I know what I'm doing this weekend...

    --
    I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
    1. Re:Huh? by Ambiguous+Puzuma · · Score: 4, Funny

      It probably requires a net hack.

  6. Hijack it yourself by RT+Alec · · Score: 5, Interesting

    Whenever I set up the network infrastructure for a business, particularly on that has a lot of laptops, I make sure to intercept all DNS traffic and redirect it to a local server (since most of the boxes are routers, firewalls, NTP and DNS servers all in one, on (Open|Free)BSD this is easier).

    For PF, it's as simple as:
    rdr pass on $if proto {tcp,udp} from any to any port 53 -> 127.0.0.1 port 53

    If you still use IPFilter, use this rule in ipnat.rules:
    rdr de0 0.0.0.0/0 port 53 -> 127.0.0.1 port 53 tcp/udp

    1. Re:Hijack it yourself by drakyri · · Score: 3, Informative

      If you're not up to setting up your own DNS server, how about just setting all local systems to use the local gateway as a DNS server - then use pf or ipfw to redirect those packets (incoming to gateway:53) to your ISP's DNS servers?

      Drop any incoming packets on the internal interface on port 53 that aren't addressed to the gateway. That'll allow you to keep an eye on the DNS servers easily on a machine that's presumably running *nix and not as susceptible to viruses without having to set up your own.

  7. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 5, Informative

    I'd do it at the router level, myself. Lots of routers out there with easy or default passwords, and if you know the interface for that particular model/company, then changing the DNS settings would be easy as pie.

    Get a lot of folks who have the money for a broadband connection that way--the folks with money and not much sense who are really ideal for identity theft.

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
  8. Worrying news FTA by Waffle+Iron · · Score: 5, Funny

    The spoof sites run the gamut. Some are stunningly convincing, others amusingly bogus with spelling errors and typos.

    Now I'm afraid that I'm a victim of this scam. It looks like this "Slashdot" site I've been using could actually be nothing more than a bad spoof...

  9. Sounds like an ISP opportunity by davidwr · · Score: 5, Interesting

    If ISPs would offer an optional "cleaning" service to block suspicious activity not only would fewer people fall victim, but the bang-for-the-buck would go down and it might not be worth the scammer's effort.

    A cleaning service would act like a deep-packet-inspection router but at the ISP head end.

    Useful services to offer:
    * net-nanny/thinkofthechildren content blocking
    * block known hostile/poisoned sites
    * tattletale/reporting
    * time-of-day blocking
    * login-required services - no port 80 or 443 without a cookie identifying which member of the family is using the computer
    * DNS interception/reroute to canonical ISP DNS
    * DNS interception/reroute to modified-for-the-customer ISP-provided DNS
    * DNS interception blocking DNS to known rogue sites
    * much, much more
    * Arbitrary, customer-controlled port blocking for inbound and outbound ports

    ISPs should offer "protect the network" or "protect from criminal activity" blocks like poisoned-DNS blocks for free/build the cost into their basic rates, and charge a premium for parental-control/business-use-control services.

    Of course they shouldn't force anyone to use these services if they don't want to.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. Is this about OpenDNS redirecting www.Google.com? by Anonymous Coward · · Score: 5, Interesting

    Try it: resolver1.opendns.com and resolver2.opendns.com return a CNAME for www.google.com. When you use OpenDNS, your browser really connects to google.navigation.opendns.com instead of www.google.com, and that name resolves to an OpenDNS IP address. Bet you didn't expect that from a service which touts to be "Open" something...

  11. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 5, Interesting

    With all due respect, there aren't that many different kinds of AV software out there, and only a relatively limited number of configurations possible. The changes to hosts.txt would be relatively small and would be easy to insert on a compromised computer--you could rehost all the common AV servers in hosts.txt with a relatively small worm payload, for instance--no version detection necessary.

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
  12. Re:Simple fix for those running Windows? by rwyoder · · Score: 5, Interesting

    I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers. Then clients can grab the results from any DNS server and validate that they are actual results or phonies. Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.
    Google "DNSsec".
  13. How can they not? by davidwr · · Score: 3, Insightful

    If an ISP expects me to use their DNS service, they have to tell me, either up-front or as part of the DHCP configuration request.

    Otherwise, I'll have to use someone else's DNS or do without.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Re:Key word is 'modified' by TripMaster+Monkey · · Score: 3, Informative

    Actually, I ran across some malware that did something similar a few years ago. This malware modified the registry to put in an invisible SOCKS proxy, so all HTTP traffic went to the internet via its own server, which sniffed all packets en route. It was a real bitch to get rid of...once I removed the obvious parts, HTTP was just plain broken until I fixed the malicious registry entries.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  15. DNSSEC provides a solution by Anonymous Coward · · Score: 5, Informative

    The threat described has been understood for quite a while. Standards for applying digital signatures to DNS data have been in the works for a decade and recently there has been a lot of progress in implementation. Current versions of BIND and several other DNS packages provide DNSSEC support. Several Country Code TLDs are signed. Verisign has just announced support support for DNSSEC in the root zone ("."). Check out dnssec.net, dnssec-deployment.org, etc.

  16. Re:if I were to own a rogue DNS server by Intron · · Score: 3, Informative

    Setting the Avira address to localhost gets rid of the nag ads to buy the non-free version. Somebody using your computer changed the hosts file.

    --
    Intron: the portion of DNA which expresses nothing useful.
  17. DNS is obviously a failure.... by BuhDuh · · Score: 3, Funny

    and should be ditched immediately. It's insecure and slow. We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.

    --
    Enlightenment? It's just a flush in the pan.
    1. Re:DNS is obviously a failure.... by rewt66 · · Score: 4, Funny

      *cough*ARP poisoning*cough*

  18. Re:Speaking of reading more... by FatdogHaiku · · Score: 3, Informative

    This might help: http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf
    Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  19. Re:Is this about OpenDNS redirecting www.Google.co by Niten · · Score: 4, Insightful

    FUD? There's no FUD about it: if you use OpenDNS and perform a Google search, your search queries are being proxied through OpenDNS's servers. That's quite a breach of trust because -- unless they've changed something since I last checked -- this proxying of search data isn't exactly advertised to the user in advance. Even if I felt I could absolutely trust OpenDNS with all my data, such covert behavior would still make me uncomfortable.

    As for the Google/Dell deal: yeah, it's evil, and the OpenDNS guys are right to bring attention to it. But it's a problem that needs to be solved at the application level, not by mucking around with users' DNS whether they're on an affected Dell or not. It's the wrong place and the wrong approach to solve this problem, and borderline creepy to boot.

    I'm not sure why you're so angry with the Anonymous Coward for pointing this out; everything he said was unbiased and factually accurate. If the truth is going to "convince people not to use OpenDNS," then so be it.

  20. Mod Parent Up, Please! by billstewart · · Score: 4, Interesting
    Not only is it possible for an Open Wifi system to be running a rogue DNS or other untrustworthy configuration, it's in fact nearly universal at commercial establishments that want to hand you a login page before letting you have access. It may be a non-free page that wants you to give them a credit card number, or it may be a free wireless system that wants you to check a box saying "Yes, I agree you're connecting me to the Real Internet, and anything unpleasant I see their is Not Your Fault." And there have been a number of proposals for "free" municipal wireless that want to hijack every web page you access to put banner ads on them, as well as the ones that just give you the ad banners when you first connect.


    That doesn't mean, of course, that logging onto a random "linksys" SSID in a residential neighborhood won't actually get you a rogue DNS installed on a virus-infected computer, or a kid's wireless system trolling for passwords from nearby gamerz. But those are at least not *guaranteed* to be hijacking you.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks