Number of Rogue DNS Servers on the Rise

Posted by Zonk on Fri Feb 15, 2008 04:33 PM
from the servers-what-fib dept.
bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet. The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"
  • certs too (Score:5, Interesting)

    by OrangeTide (124937) on Friday February 15 2008, @04:36PM (#22439824) Homepage Journal
    Once a machine has been compromised you can add your own certificate server to the list too. And start handing out certs for whatever bullshit you want.
  • netsh interface ip set dns "Local Area Connection" static 4.2.2.4
    netsh interface ip add dns "Local Area Connection" 4.2.2.1 index=2

    Doesn't seem too hard to fix this exploit, sneaky as it may sound. Of course, run FF/NoScript etc...
    • by TripMaster Monkey (862126) on Friday February 15 2008, @04:41PM (#22439906)
      Of course it's not difficult to fix...the problem is that most users aren't going to check their DNS settings like you or I would...heck...most users don't even know what a DNS server is.
      • Re: (Score:3, Insightful)

        Even worse - sometimes an ISP will refuse to tell you what their DNS IP addys actually are.

        /P

        • If an ISP expects me to use their DNS service, they have to tell me, either up-front or as part of the DHCP configuration request.

          Otherwise, I'll have to use someone else's DNS or do without.
          • True, but either one of us could find it rather quickly at a terminal/command-prompt.

            Most users OTOH fear those things.

            /P

    • by mlts (1038732) * on Friday February 15 2008, @04:42PM (#22439922)
      I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers.

      Then clients can grab the results from any DNS server and validate that they are actual results or phonies.

      Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.
      • by rwyoder (759998) on Friday February 15 2008, @04:55PM (#22440072)

        > I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers. Then clients can grab the results from any DNS server and validate that they are actual results or phonies. Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.
        Google "DNSsec".
  • Huh? (Score:4, Funny)

    by JK_the_Slacker (1175625) on Friday February 15 2008, @04:43PM (#22439934) Homepage

    You can run Rogue on a DNS server? Sweet! I know what I'm doing this weekend...

  • So we have to know exactly which DNS to use then. This is not good, most people don't know and don't care to find out about such things. But a computer has to be infected in the first place for DNS to be spoofed, so as long as there are no infected computers... oh...
  • Hijack it yourself (Score:5, Interesting)

    by RT Alec (608475) <alec.slashdot@chuckle@com> on Friday February 15 2008, @04:46PM (#22439958) Homepage Journal

    Whenever I set up the network infrastructure for a business, particularly one that has a lot of laptops, I make sure to intercept all DNS traffic and redirect it to a local server (since most of the boxes are routers, firewalls, NTP and DNS servers all in one, on (Open|Free)BSD this is easier).

    For PF, it's as simple as:
    rdr pass on $if proto {tcp,udp} from any to any port 53 -> 127.0.0.1 port 53

    If you still use IPFilter, use this rule in ipnat.rules:
    rdr de0 0.0.0.0/0 port 53 -> 127.0.0.1 port 53 tcp/udp

    • by drakyri (727902) on Friday February 15 2008, @05:10PM (#22440256)
      If you're not up to setting up your own DNS server, how about just setting all local systems to use the local gateway as a DNS server - then use pf or ipfw to redirect those packets (incoming to gateway:53) to your ISP's DNS servers?

      Drop any incoming packets on the internal interface on port 53 that aren't addressed to the gateway. That'll allow you to keep an eye on the DNS servers easily on a machine that's presumably running *nix and not as susceptible to viruses without having to set up your own.
  • by Waffle Iron (339739) on Friday February 15 2008, @04:50PM (#22439990)

    The spoof sites run the gamut. Some are stunningly convincing, others amusingly bogus with spelling errors and typos.

    Now I'm afraid that I'm a victim of this scam. It looks like this "Slashdot" site I've been using could actually be nothing more than a bad spoof...

  • by davidwr (791652) on Friday February 15 2008, @04:51PM (#22440004) Homepage Journal
    If ISPs would offer an optional "cleaning" service to block suspicious activity not only would fewer people fall victim, but the bang-for-the-buck would go down and it might not be worth the scammer's effort.

    A cleaning service would act like a deep-packet-inspection router but at the ISP head end.

    Useful services to offer:
    * net-nanny/thinkofthechildren content blocking
    * block known hostile/poisoned sites
    * tattletale/reporting
    * time-of-day blocking
    * login-required services - no port 80 or 443 without a cookie identifying which member of the family is using the computer
    * DNS interception/reroute to canonical ISP DNS
    * DNS interception/reroute to modified-for-the-customer ISP-provided DNS
    * DNS interception blocking DNS to known rogue sites
    * much, much more
    * Arbitrary, customer-controlled port blocking for inbound and outbound ports

    ISPs should offer "protect the network" or "protect from criminal activity" blocks like poisoned-DNS blocks for free/build the cost into their basic rates, and charge a premium for parental-control/business-use-control services.

    Of course they shouldn't force anyone to use these services if they don't want to.
    • Re: (Score:3, Informative)

      OpenDNS already offers most of these services, for free... Downside is, that if you look at their Terms of Service, they might also block things you don't ask for (e.g. p2p-sites and such). But for businesses, it should be fairly safe.
  • by Anonymous Coward on Friday February 15 2008, @04:52PM (#22440024)
    Try it: resolver1.opendns.com and resolver2.opendns.com return a CNAME for www.google.com. When you use OpenDNS, your browser really connects to google.navigation.opendns.com instead of www.google.com, and that name resolves to an OpenDNS IP address. Bet you didn't expect that from a service which touts to be "Open" something...
      • by Niten (201835) on Friday February 15 2008, @07:27PM (#22441574) Homepage

        FUD? There's no FUD about it: if you use OpenDNS and perform a Google search, your search queries are being proxied through OpenDNS's servers. That's quite a breach of trust because -- unless they've changed something since I last checked -- this proxying of search data isn't exactly advertised to the user in advance. Even if I felt I could absolutely trust OpenDNS with all my data, such covert behavior would still make me uncomfortable.

        As for the Google/Dell deal: yeah, it's evil, and the OpenDNS guys are right to bring attention to it. But it's a problem that needs to be solved at the application level, not by mucking around with users' DNS whether they're on an affected Dell or not. It's the wrong place and the wrong approach to solve this problem, and borderline creepy to boot.

        I'm not sure why you're so angry with the Anonymous Coward for pointing this out; everything he said was unbiased and factually accurate. If the truth is going to "convince people not to use OpenDNS," then so be it.

  • A malicious software purported for an unrelated application could easily ask a user to authenticate with admin credentials during the installation.
    Wham-bam, the porn-viewer, or icon-designer has now changed your DNS settings...
    Considering that most OS X virus scanners are still either in infancy, or completely ineffective this would be an easy target.

    What's the best strategy against something like this? Installing apps in ~/Applications vs /Applications ?
    Maybe Apple could make that the default behavior, or
    • That's true of any software where you have to authenticate. However, most installations on OS X (the "drag the icon into /Applications" ones) don't require authentication since they don't have to make any major file changes. I'm rather wary about software from an untrusted publisher that asks for authentication, which is really the whole point behind not running as root. It could just as easily hit Linux installs of any flavor.

      I think the best defense on the part of all OS writers would be to make it so
  • by Anonymous Coward on Friday February 15 2008, @05:13PM (#22440274)
    The threat described has been understood for quite a while. Standards for applying digital signatures to DNS data have been in the works for a decade and recently there has been a lot of progress in implementation. Current versions of BIND and several other DNS packages provide DNSSEC support. Several Country Code TLDs are signed. Verisign has just announced support for DNSSEC in the root zone ("."). Check out dnssec.net, dnssec-deployment.org, etc.
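The "certified DNS results" mlts sketches earlier in the thread and the DNSSEC deployment this comment points to rest on the same idea: the zone owner signs the record set, and a client validates the signature, so it no longer matters which server (rogue or otherwise) handed over the answer. The Go program below is an added illustration, not code from the thread, from BIND or from any DNSSEC implementation; it uses a constructed zone key and made-up records, a text-based stand-in for DNSSEC's wire-format canonicalisation, and leaves out the chain of trust to the parent zone (the registrar-signed key mlts mentions), which is where the PKI caveats he raises would land.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record holding the fields a rogue server would tamper with.
type RR struct {
	Name string // owner name, e.g. "www.example.com."
	Type string // record type, e.g. "A"
	TTL  uint32
	Data string // rdata as text, e.g. "192.0.2.10"
}

// canonical renders an RRset in one fixed form (lower-cased owner names, sorted
// records) so signer and validator handle exactly the same bytes even when a server
// returns the records in another order or case (DNSSEC does this on wire-format RRs).
func canonical(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\t%s\t%s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Data))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// SignRRset is the zone owner's step: sign once before publishing to every server.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonical(rrs))
}

// VerifyRRset is the client's step for an answer fetched from any server, rogue or
// not: only the zone's public key decides whether the records are genuine.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrs), sig)
}

// zoneKey derives a deterministic key pair from a one-byte seed. This is a
// constructed demo key; a real zone generates and guards its own.
func zoneKey(seed byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	priv, pub := zoneKey(0x42)
	genuine := []RR{{"www.example.com.", "A", 300, "192.0.2.10"}}
	sig := SignRRset(priv, genuine)

	// A poisoned resolver substitutes its own address but cannot forge the signature.
	poisoned := []RR{{"www.example.com.", "A", 300, "198.51.100.66"}}
	fmt.Println("genuine validates:", VerifyRRset(pub, genuine, sig))   // true
	fmt.Println("poisoned validates:", VerifyRRset(pub, poisoned, sig)) // false
}
```

The client still has to obtain the zone's public key from somewhere it trusts, which is the key-fetching and key-compromise cost mlts anticipates.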
  • by BuhDuh (1102769) on Friday February 15 2008, @05:40PM (#22440552)
    and should be ditched immediately. It's insecure and slow. We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.
    • by OrangeTide (124937) on Friday February 15 2008, @04:38PM (#22439858) Homepage Journal
      "Once an end user's computer has been modified to use a poisoned DNS server" .. it's right there in the post. You don't even have to RTFA.
        • What the parent said. How would my machine get compromised to use a poisoned DNS server? Inquiring minds....
          • The machine would have to be owned by a previous exploit. Then, all that's necessary is to run a one-line command in command prompt, and then sit back and wait for the sucker^H^H^H^H^H^Hunfortunate victim to visit my malicious web page.
          • by Hamstaus (586402) on Friday February 15 2008, @05:04PM (#22440180) Homepage
            The same way your machine would get compromised to have a virus or spyware. Any virus could easily modify your hostname or DNS settings to use a rogue DNS server. You may not know it, but if you're using DHCP, one of the first things your computer (or router) does when it connects to your ISP is to ask what DNS servers it should use. Generally you'll use your ISP's DNS servers. If you're not using DHCP, you'll have had to enter the DNS settings yourself. In any event, it's an easily manipulated property of your network connection. Any virus or software flaw could be utilized to change your DNS to a rogue server. I bet unpatched IE Javascript flaws could even do it.
            • by Anonymous Coward on Friday February 15 2008, @06:33PM (#22441042)
              Easier than you think to use a rogue DNS server. Two words: Open WIFI.

              The default networking settings in a computer are to grab IP and DNS settings from the WIFI. This will get the rogue DNS right in.

              The way around is to change networking settings to have the DNS point to a pre-chosen known ISP, but how many are doing that?
              • by billstewart (78916) on Friday February 15 2008, @07:43PM (#22441708) Journal
                Not only is it possible for an Open Wifi system to be running a rogue DNS or other untrustworthy configuration, it's in fact nearly universal at commercial establishments that want to hand you a login page before letting you have access. It may be a non-free page that wants you to give them a credit card number, or it may be a free wireless system that wants you to check a box saying "Yes, I agree you're connecting me to the Real Internet, and anything unpleasant I see there is Not Your Fault." And there have been a number of proposals for "free" municipal wireless that want to hijack every web page you access to put banner ads on them, as well as the ones that just give you the ad banners when you first connect.


                That doesn't mean, of course, that logging onto a random "linksys" SSID in a residential neighborhood won't actually get you a rogue DNS installed on a virus-infected computer, or a kid's wireless system trolling for passwords from nearby gamerz. But those are at least not *guaranteed* to be hijacking you.

            • Re: (Score:3, Interesting)

              Ideally this would be something that could only be done via an infrequently used administrator account. The reality, however, is that most Windows installs are set up to automatically log in to an administrator account by default. Most Windows users don't even know they are doing it.

              Personally I think the boys and girls at MS should release a critical security update (you know ones that go off regardless of whether you have them enabled or not [-1 troll]) which launches a wizard to educate users about the d
                • Re: (Score:3, Informative)

                  I run as a "Power User" on XP. No permission to install or write to the Windows folder, but can write to Program Files.

                  Seems a good compromise.
          • Re: (Score:3, Interesting)

            Perhaps you're one of the many people with an insecure wireless network using the default admin/password combination?

            Or perhaps you're one of the many people clever enough to use someone else's insecure wireless network to access the internet?
        • Well you can set the DNS server to use within the OS - the machine just uses the first DNS server it knows about (local first, then router-level, then to your ISP, etc). Presumably, you just get some funky malware that makes the appropriate system changes.

          I don't see why they wouldn't go for a poisoned HOSTS file. It's also been done in the past, and would be much harder to spot since so relatively few people would think to look there if problems arise. Of course, the disadvantage of that approach is that
    • by KublaiKhan (522918) on Friday February 15 2008, @04:48PM (#22439974) Homepage Journal
      I'd do it at the router level, myself. Lots of routers out there with easy or default passwords, and if you know the interface for that particular model/company, then changing the DNS settings would be easy as pie.

      Get a lot of folks who have the money for a broadband connection that way--the folks with money and not much sense who are really ideal for identity theft.
      • True. Many normal users worry about securing their systems, but they completely forget about their routers.

        Of course, unless they've enabled remote administration, you wouldn't be able to access the router from outside the user's home LAN. That's where hacking the wireless connection comes in. ^_^
      • The problem with that is that they'll either have had to enable WAN router control panel access (unlikely if they weren't bright enough to change the default password) or you have to physically hit their network - even if just wardriving. I'm sure you'd be intelligent enough to clear out the router logs, but if someone else manages to get the machines themselves on the network infected with a DNS server attack, that's going to override your own.
    • Ooooh, you cannot reach me now
      Ooooh, no matter how you try
      Goodbye, cruel 'Net, it's over
      Surf on by.

      Sitting in a bunker here behind fire-wall
      Waiting for the worms to come.
      In perfect isolation here behind fire-wall
      Waiting for the worms to come.

      We're {waiting to succeed} and going to convene outside Pharmington
      Dot Com where we're going to be...

      Waiting to infect their PC.
      Waiting to read all their e-mail.
      Waiting to follow the worms.
      Waiting to set up fake bank sites.
      Waiting to update the rootkits
    • DNS servers have local records but look elsewhere for authoritative records for other sites. Authoritative records still have to come from somewhere, though. If you've more than a few static/public IP addresses, it makes sense to run your own DNS and put the local information into that. Until that information is cached elsewhere, queries placed onto the DNS network will eventually make it onto your DNS server to be resolved.

      So far, so nothing much. However, it's the first response to queries that matters,

    • If one has the ability to run malicious code on the target system, it would be pretty easy. I don't know about a browser window, but the DNS setting can be modified easily by a VB script, or trivially easy via the command prompt (one line command).
        • by TripMaster Monkey (862126) on Friday February 15 2008, @05:11PM (#22440260)
          Actually, I ran across some malware that did something similar a few years ago. This malware modified the registry to put in an invisible SOCKS proxy, so all HTTP traffic went to the internet via its own server, which sniffed all packets en route. It was a real bitch to get rid of...once I removed the obvious parts, HTTP was just plain broken until I fixed the malicious registry entries.

            • They hosted the proxy themselves.
                • Well, when I say "host it themselves", I'm pretty sure the proxy machine isn't theirs physically. In all probability, it's another 0wned box, chosen for this role due to its higher specs and fatter pipe. Then, the system can periodically dump the accumulated data to another location (like an obscure newsgroup) for later retrieval.
    • Re: (Score:3, Informative)

      Even SSL fails with this method of attack.
      Too many ways to add a new root certificate.
      • Re: (Score:3, Informative)

        > Even SSL fails with this method of attack.
        > Too many ways to add a new root certificate.
        You'd have to edit the cache so that the new key matches though (because it won't be the same one).
        • Re: (Score:3, Insightful)

          > You'd have to edit the cache so that the new key matches though (because it won't be the same one).

          Heck, when you have enough access to a machine to change its DNS settings, you have enough access to flush the cache or to just disable all SSL safety checks.