Number of Rogue DNS Servers on the Rise

bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet, The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"

certs too

[OrangeTide]

Once a machine has been compromised you can add your own certificate server to the list too. And start handing out certs for whatever bullshit you want.

Re:

[KublaiKhan]

Fascinating idea....and if you've got access to the computer to change the DNS anyway, you could add in an authorization for the false cert agency, too.

Do you have a newsletter? I'd subscribe to it.

Re:

[IamTheRealMike]

You don't need to. Usability studies have shown conclusively that nobody (and I do mean absolutely nobody) will avoid browsing to a site because of an SSL warning. Even software engineers and other computer experts will just click through the dialog. SSL is an absolute failure at avoiding spoofing due to poor UI.

Re:

[OrangeTide]

I get SSL warnings on my own website because I never bothered to pay and just self-sign my certificate. But if I got warnings on my bank's website I might not want to plug in my account info.

Suddenly,

[robo_mojo]

SSL

Re:

[cheater512]

Even SSL fails with this method of attack.
Too many ways to add a new root certificate.

Re:

[Fred_A]

Even SSL fails with this method of attack.
Too many ways to add a new root certificate.

You'd have to edit the cache so that the new key matches though (because it won't be the same one).

Re:

[lintux]

> You'd have to edit the cache so that the new key matches though (because it won't be the same one).

Heck, when you have enough access to a machine to change its DNS settings, you have enough access to flush the cache or to just disable all SSL safety checks.

Simple fix for those running Windows?

[HeliosTrick]

netsh interface ip set dns "Local Area Connection" static 4.2.2.4
netsh interface ip add dns "Local Area Connection" 4.2.2.1 index=2

Doesn't seem to hard to fix this exploit, sneaky as it may sound. Of course, run FF/NoScript etc...

Re:Simple fix for those running Windows?

[TripMaster Monkey]

Of course it's not difficult to fix...the problem is that most users aren't going to check their DNS settings like you or I would...heck...most users don't even know what a DNS server is.

Re:

[Penguinisto]

Even worse - sometimes an ISP will refuse to tell you what their DNS IP addys actually are.

/P

How can they not?

[davidwr]

If an ISP expects me to use their DNS service, they have to tell me, either up-front or as part of the DHCP configuration request.

Otherwise, I'll have to use someone else's DNS or do without.

Re:

[Penguinisto]

True, but either one of us could find it rather quickly at a terminal/command -prompt.

Most users OTOH fear those things.

/P

Re:

[morgan_greywolf]

Of course it's not difficult to fix...the problem is that most users aren't going to check their DNS settings like you or I would...heck...most users don't even know what a DNS server is.

What're you talking about? I know exactly what a Dorrito's Nachos Server is. Now if only she would hurry up and bring my plate out here....

Re:Simple fix for those running Windows?

[mlts]

I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers.

Then clients can grab the results from any DNS server and validate that they are actual results or phonies.

Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.

Re:Simple fix for those running Windows?

[rwyoder]

I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers. Then clients can grab the results from any DNS server and validate that they are actual results or phonies. Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.

Google "DNSsec".

Re:

[rthille]

I tried, and the Googol page I got back said, "I'm sorry Dave, but you don't need to see that."

Re:

[Bring the Brain]

Really, think about it. That is what the internet is. Zillions of network devices attached. Everybody is vulnrable to any type of attack. Along with this post. Don't you agree that if one person can create rogue DNS servers, they are just as capable as implementing rougue routers. It really comes down to, you just have to trust your ISP and do your homework.

So fake site look more real?

[HartDev]

So will that server have the real URL for a legit site and then be able to fake you out? Also when is this internet 2 that I hear about all the time gonna come out. I like the ideas of a newer, faster, sexier (I dunno how it would be sexier...) internet that has more control over content allowed in and services, etc etc.

Key word is 'modified'

[KublaiKhan]

After all, one must set your computer to use one of those servers.

I can think of a few possible ways to do this--a worm that modifies default-passworded routers, for instance, would be capable of modifying DNS entries at the router level--but is there an easy exploit to do so at the end-user's computer? Or a method of modifying the DNS via a browser window?

Re:

[TripMaster Monkey]

If one has the ability to run malicious code on the target system, it would be pretty easy. I don't know about a browser window, but the DNS setting can be modified easily by a VB script, or trivially easy via the command prompt (one line command).

Re:

[KublaiKhan]

Perhaps DNS settings should be shadowed or otherwise obfuscated...though how that would be done, I'm not quite sure.

Re:Key word is 'modified'

[TripMaster Monkey]

Actually, I ran across some malware that did something similar a few years ago. This malware modified the registry to put in an invisible SOCKS proxy, so all HTTP traffic went to the internet via its own server, which sniffed all packets en route. It was a real bitch to get rid of...once I removed the obvious parts, HTTP was just plain broken until I fixed the malicious registry entries.

Re:

[KublaiKhan]

That's absolutely brilliant....where'd they host the proxy? Same machine? Or did they host the proxy somewhere themselves?

Re:

[TripMaster Monkey]

They hosted the proxy themselves.

Re:

[TripMaster Monkey]

Well, when I say "host it themselves", I'm pretty sure the proxy machine isn't theirs physically. In all probability, it's another 0wned box, chosen for this role due to its higher specs and fatter pipe. Then, the system can periodically dump the accumulated data to another location (like an obscure newsgroup) for later retrieval.

Re:

[Quadraginta]

Geez, or perhaps user applications like fucking browsers shouldn't run with system-level God privileges.

But that's a whole 'nother (mega)thread...

Huh?

[JK_the_Slacker]

You can run Rogue on a DNS server? Sweet! I know what I'm doing this weekend...

Re:Huh?

[Ambiguous Puzuma]

It probably requires a net hack.

Interesting problem

[roman_mir]

So we have to know exactly which DNS to use then. This is not good, most people don't know and don't care to find out about such things. But a computer has to be infected in the first place for DNS to be spoofed, so as long as there are no infected computers... oh...

Re:

[Fnord666]

What about openDNS [opendns.com]? Do people use their DNS servers, and how up to date are their patches?

Hijack it yourself

[RT Alec]

Whenever I set up the network infrastructure for a business, particularly on that has a lot of laptops, I make sure to intercept all DNS traffic and redirect it to a local server (since most of the boxes are routers, firewalls, NTP and DNS servers all in one, on (Open|Free)BSD this is easier).

For PF, it's as simple as:
rdr pass on $if proto {tcp,udp} from any to any port 53 -> 127.0.0.1 port 53

If you still use IPFilter, use this rule in ipnat.rules:
rdr de0 0.0.0.0/0 port 53 -> 127.0.0.1 port 53 tcp/udp

Re:Hijack it yourself

[drakyri]

If you're not up to setting up your own DNS server, how about just setting all local systems to use the local gateway as a DNS server - then use pf or ipfw to redirect those packets (incoming to gateway:53) to your ISP's DNS servers?

Drop any incoming packets on the internal interface on port 53 that aren't addressed to the gateway. That'll allow you to keep an eye on the DNS servers easily on a machine that's presumably running *nix and not as susceptible to viruses without having to set up your own.

Simple alteration

[RT Alec]

In my sample code, change 127.0.0.1 to the IP address of the DNS server you wish to use.

Worrying news FTA

[Waffle Iron]

The spoof sites run the gamut. Some are stunningly convincing, others amusingly bogus with spelling errors and typos.

Now I'm afraid that I'm a victim of this scam. It looks like this "Slashdot" site I've been using could actually be nothing more than a bad spoof...

Sounds like an ISP opportunity

[davidwr]

If ISPs would offer an optional "cleaning" service to block suspicious activity not only would fewer people fall victim, but the bang-for-the-buck would go down and it might not be worth the scammer's effort.

A cleaning service would act like a deep-packet-inspection router but at the ISP head end.

Useful services to offer:
* net-nanny/thinkofthechildren content blocking
* block known hostile/poisoned sites
* tattletale/reporting
* time-of-day blocking
* login-required services - no port 80 or 443 without a cookie identifying which member of the family is using the computer
* DNS interception/reroute to canonical ISP DNS
* DNS interception/reroute to modified-for-the-customer ISP-provided DNS
* DNS interception blocking DNS to known rogue sites
* much, much more
* Arbitrary, customer-controlled port blocking for inbound and outbound ports

ISPs should offer "protect the network" or "protect from criminal activity" blocks like poisoned-DNS blocks for free/build the cost into their basic rates, and charge a premium for parental-control/business-use-control services.

Of course they shouldn't force anyone to use these services if they don't want to.

Re:

[KublaiKhan]

Or simply put it in the terms of service and require such a "service" for their "ultra-safe internet connection"--and incidentally have authorization to do all manner of net neutrality violating things.

Put it in enough marketspeak, and you'd be all set.

Re:

[Klaus_1250]

OpenDNS already offers most of these services, for free... Downside is, that if you look at their Terms of Service, they might also block things you don't ask for (e.g. p2p-sites and such). But for businesses, it should be fairly safe.

Is this about OpenDNS redirecting www.Google.com?

[Anonymous Coward]

Try it: resolver1.opendns.com and resolver2.opendns.com return a CNAME for www.google.com. When you use OpenDNS, your browser really connects to google.navigation.opendns.com instead of www.google.com, and that name resolves to an OpenDNS IP address. Bet you didn't expect that from a service which touts to be "Open" something...

Re:Is this about OpenDNS redirecting www.Google.co

[fhic]

Yeah, actually this is *exactly* why I use OpenDNS.

As you probably already know (why else are you posting as an AC?) this is a workaround for a nasty thing that Dell and Google have come up with to present the user with a screen full of ads when they make a typo in the search box. It's installed by default on new Dell machines. It's impossible for an ordinary user to to turn off. I'm a hardcore techie and I had a rough time with it on my new Inspiron. More details here: http://blog.opendns.com/2007/05/22 [opendns.com]

Re:Is this about OpenDNS redirecting www.Google.co

[Niten]

FUD? There's no FUD about it: if you use OpenDNS and perform a Google search, your search queries are being proxied through OpenDNS's servers. That's quite a breach of trust because -- unless they've changed something since I last checked -- this proxying of search data isn't exactly advertised to the user in advance. Even if I felt I could absolutely trust OpenDNS with all my data, such covert behavior would still make me uncomfortable.

As for the Google/Dell deal: yeah, it's evil, and the OpenDNS guys are right to bring attention to it. But it's a problem that needs to be solved at the application level, not by mucking around with users' DNS whether they're on an affected Dell or not. It's the wrong place and the wrong approach to solve this problem, and borderline creepy to boot.

I'm not sure why you're so angry with the Anonymous Coward for pointing this out; everything he said was unbiased and factually accurate. If the truth is going to "convince people not to use OpenDNS," then so be it.

Re:

[lintux]

It can't be that hard to remove/ignore.. Or does it hook into other browsers than MSIE as well?

But still, that thing is indeed a little bit disappointing. I'm not sure if OpenDNS has the right to call it spyware though. It seems to fit the definition of adware. But like this, OpenDNS can see everything that's supposed to go to google.com. And IMHO, a truly paranoid person should trust OpenDNS as much as he/she trusts Google... Pot, kettle?

Re:

[Skapare]

And this is also a reason Dell doesn't like Linux on consumer desktop PCs; they lose all that recurring ad revenue.

Scary stuff... Could even hit OS X easily

[Tibor the Hun]

A malicious software purported for an unrelated application could easily ask a user to authenticate with admin credentials during the installation.
Wham-bam, the porn-viewer, or icon-designer has now changed your DNS settings...
Considering that most OS X virus scanners are still either in infancy, or completely ineffective this would be an easy target.

What's the best strategy against something like this? Installing apps in ~/Applications vs /Applications ?
Maybe Apple could make that the default behavior, or

Re:

[Firehed]

That's true of any software where you have to authenticate. However, most installations on OS X (the "drag the icon into /Applications ones) don't require authentication since they don't have to make any major file changes. I'm rather weary about software from an untrusted publisher that asks for authentication, which is really the whole point behind not running as root. It could just as easily hit Linux installs of any flavor.

I think the best defense on the part of all OS writers would be to make it so

easy to prevent

[koreanbabykilla]

just block outgoing dns requests from your lan interface, secure your router and make everything on your network use 10.0.0.1 (or whatever) for dns...

DNSSEC provides a solution

[Anonymous Coward]

The threat described has been understood for quite a while. Standards for applying digital signatures to DNS data have been in the works for a decade and recently there has been a lot of progress in implementation. Current versions of BIND and several other DNS packages provide DNSSEC support. Several Country Code TLDs are signed. Verisign has just announced support support for DNSSEC in the root zone ("."). Check out dnssec.net, dnssec-deployment.org, etc.

Re:

[Florian Weimer]

Not really. If the caching resolver isn't trusted, it doesn't matter if it is DNSSEC-aware or not. The clients usually run only stub resolvers and rely on the caching resolver to do the hard work.

And given that the switch to the untrustworthy DNS resolvers typically occurs when the user installs some alleged video codec, it would be easy to add additional DNSSEC trust anchors at this stage, too. For X.509 web server CAs, it has already been demonstrated that this is feasible when Comscore, through its Ma

MOOT!

[Bring the Brain]

Really, think about this. The internet is a zillion of network devices attached. Don't you agree you can create a rogue DNS server just as easy as creating a rouge router. It comes down to how much homework you did when choosing your ISP.

DNS is obviously a failure....

[BuhDuh]

and should be ditched immediately. It's insecure and slow. We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.

Re:DNS is obviously a failure....

[rewt66]

*cough*ARP poisoning*cough*

Re:

[woolio]

*cough*ARP poisoning*cough*

That's why real geeks know by heart their ISP's

1) Gateway IP address
2) Gateway MAC address
3) Subnet Mask
4) DNS IP address
5) DNS MAC address [if on local subnet]
6) DHCP Server MAC Address

Anything less is just being careless :->

Re:

[lintux]

> We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.

You're going to love the day IPv4 gets abandoned in favour of IPv6...

Re:

[Skapare]

We are running out of dot-quads. They have this new supply of colon-hex things, but they are sooooo big.

Re:

[Lennie]

I know your kidding, but I just wanted to point out...

There are not enough IPv4-addresses to host all the websites, most use HTTP-Host-headers-fields (more then one site per IP-address).

So it would not be dot-quads, but IPv6-addresses if we would want to keep all sites online, I wish you luck.

Find'em Kill'em

[Nom du Keyboard]

If you can find them, and count them, why can't you kill them off as well?

Idea for preventing this stuff

[Myria]

It seems that the fundamental problem with DNS poisoning is that the token field of DNS packets is too short to prevent a brute-force or birthday attack. The long term solution is definitely a solution involving certificates, but I think that there might be a short-term solution.

Can a DNS request ask for two domains at once? If so, I think that this sort of attack could be blocked without having to upgrade all servers at once.

In addition to your normal request, you could ask for the IP address of "jl39dl9

read more, submit less

[OrangeTide]

"Once an end user's computer has been modified to use a poisoned DNS server" .. it's right there in the post. You don't even have to RTFA.

Re:

[JeanBaptiste]

yes. and I was wondering how they do that. I could go read up on it myself I suppose.

Re:

[TFGeditor]

What the parent said. How would my machine get compromised to use a a poisoned DNS server? Inquiring minds....

Re:

[TripMaster Monkey]

The machine would have to be owned by a previous exploit. Then, all that's necessary is to run a one-line command in command prompt, and then sit back and wait for the sucker^H^H^H^H^H^Hunfortunate victim to visit my malicious web page.

Re:read more, submit less

[Hamstaus]

The same way your machine would get compromised to have a virus or spyware. Any virus could easily modify your hostname or DNS settings to use a rogue DNS server. You may not know it, but if you're using DHCP, one of the first things your computer (or router) does when it connects to your ISP is to ask what DNS servers it should use. Generally you'll use your ISP's DNS servers. If you're not using DHCP, you'll have had to enter the DNS settings yourself. In any event, it's an easily manipulated property of your network connection. Any virus or software flaw could be utilized to change your DNS to a rogue server. I bet unpatched IE Javascript flaws could even do it.

Re:read more, submit less

[Anonymous Coward]

Easier than you think to use a rogue DNS server. Two words: Open WIFI.

The default networking settings in a computer is to grab IP and DNS settings from the WIFI. This will get the rogue DNS right in.

The way around is to change networking settings to have the DNS to point to a pre-chosen known ISP, but how many are doing that.

Mod Parent Up, Please!

[billstewart]

Not only is it possible for an Open Wifi system to be running a rogue DNS or other untrustworthy configuration, it's in fact nearly universal at commercial establishments that want to hand you a login page before letting you have access. It may be a non-free page that wants you to give them a credit card number, or it may be a free wireless system that wants you to check a box saying "Yes, I agree you're connecting me to the Real Internet, and anything unpleasant I see their is Not Your Fault." And there have been a number of proposals for "free" municipal wireless that want to hijack every web page you access to put banner ads on them, as well as the ones that just give you the ad banners when you first connect.

That doesn't mean, of course, that logging onto a random "linksys" SSID in a residential neighborhood won't actually get you a rogue DNS installed on a virus-infected computer, or a kid's wireless system trolling for passwords from nearby gamerz. But those are at least not *guaranteed* to be hijacking you.

Huh?

[rs79]

I've read TFA and every comment on this page.

Can somebody actually show me a "rogue" DNS server?

What constitutes a "rogue" dns server? One that doesn't track exactly the US Government root or one that has incorrect addresses for sites for commercial gain (ie paypal, banks etc).

About a decade ago a guy went to prison for redirecting the internic by DNS cache poisoning. It was a big deal. Now I'm suppoed to believe 60,000 people are doing it and it's not in the news?

The half dozen or so ISP's around here, and

Re:

[NotBorg]

Ideally this would be something that could only be done via an infrequently used administrator account. The reality, however, is that most windows installs are setup to automatically login to an administrator account by default. Most Windows users don't even know they are doing it.

Personally I think the boys and girls at MS should release a critical security update (you know ones that go off regardless of weather you have them enabled or not [-1 troll]) which launches a wizard to educate users about the d

Re:

[NnT042]

I don't know if the situation has improved any in Vista, but as far as XP goes there are a LOT of programs you simply can't use that way. I run as admin constantly, and with a full awareness of how dangerous it is. At least a third of the programs I use, poorly written as they are, try to do things like save configuration files (or saved games) in their installation folder. Unfortunately limited accounts are not allowed write access to Program Files, and there is no getting these boneheads to RTFM and learn

Re:

[TheThiefMaster]

I run as a "Power User" on XP. No permission to install or write to the Windows folder, but can write to Program Files.

Seems a good compromise.

Re:

[TheThiefMaster]

Or you could just make the game's saved-games folder user-writable.

Re:

[FelixGordon]

Perhaps you're one of the many people with an insecure wireless network using the default admin/password combination?

Or perhaps you're one of the many people clever enough to use someone else's insecure wireless network to access the internet?

Re:

[Firehed]

Well you can set the DNS server to use within the OS - the machine just uses the first DNS server it knows about (local first, then router-level, then to your ISP, etc). Presumably, you just get some funky malware that makes the appropriate system changes.

I don't see why they wouldn't go for a poisoned HOSTS file. It's also been done in the past, and would be much harder to spot since so relative few people would think to look there if problems arise. Of course, the disadvantage of that approach is that

Re:

[Beardo the Bearded]

Some anti-* programs (e.g. Spybot) can lock your hosts file.

I imagine that the next version will lock your DNS settings.

Re:

[ehrichweiss]

If a rogue DHCP server is "closer"(faster response time basically) to the target than the real one, it is an almost trivial task to poison their DNS. One could setup a fake AP and then route all traffic to the real AP but only after the DHCP server has had time to do its work. The same can go for wired communication as well, especially since running a DHCP server on a cable network is going to give the rogue server a much quicker response time for the machines in the server's general physical area.

Re:

[OrangeTide]

an exercise left to the reader.

Given the number of Windows zombies out there in the wild I assume rooting a box is old hat now days.

Anyone gotta link to the paper

[hal9000(jr)]

All I can find a a bunch of copies of the AP article.

Real Men Don't Use DNS

[ehaggis]

They use IP Addresses. If you want more manliness (mod up +1 machismo) use MAC addresses.

Re:

[FatdogHaiku]

This might help: http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf [umich.edu]
Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

Re:

[FishWithAHammer]

Or an open wireless connection that picks up a nasty DNS...

Re:

[empaler]

Doesn't even have to be a nasty DNS if the perp has full control over the connection - could just filter the DNS requests and only inject your own answers when you want to - just monitor port 53 for the stuff you want, like 'paypal.com', and Bob's your uncle.

Re:

[OrangeTide]

anti-virus / security software could one day (maybe it already does) protect your DNS settings and hosts file so that this easy scam cannot be so easy anymore.

Re:

[apdyck]

I don't know how this would happen, but there was a brief time (about 3 days, before the software warned me it needed to update) that my antivirus software update servers were pointed to localhost using my hosts file. This was a bit disconcerting for me, given that there is no way someone should have been able to pull off that hack, without knowing exactly what AV software I use and have access to my hosts file. Funny thing is, it only affected one of the four computers on my network, all of which run the s

Re:if I were to own a rogue DNS server

[KublaiKhan]

With all due respect, there aren't that many different kinds of AV software out there, and only a relatively limited number of configurations possible. The changes to hosts.txt would be relatively small and would be easy to insert on a compromised computer--you could rehost all the common AV servers in hosts.txt with a relatively small worm payload, for instance--no version detection necessary.

Re:

[apdyck]

I understand your point, but this was clearly a targetted attack - no other servers were listed, the only entries in my hosts file were the ones I had inserted and the four AV servers. In addition, I do not use a mainstream AV program (i.e. Norton or McAfee) - I use Avira Antivir. It is primarily unheard of in North America, although it is, hands down, the best AV software I have ever used (or at least since the days of F-Prot for DOS). This is why it baffled me so much. If you were to write a worm to modif

Re:

[KublaiKhan]

Perhaps there's a vulnerability in that particular platform that lends itself to spreading something in particular?

Or perhaps the author of the exploit wishes to spread things in a subtle manner, so as to delay discovery of their malware?

Or maybe someone's after you. Check your tinfoil hat. ;-p

Re:if I were to own a rogue DNS server

[Intron]

Setting the Avira address to localhost gets rid of the nag ads to buy the non-free version. Somebody using your computer changed the hosts file.

Re:

[bendodge]

Getting rid of the Avira nag is much easier than that. Just create a hash rule on the nag exe. I think you can even delete it, but I'm not sure.

Re:

[Jarjarthejedi]

"I'm glad to hear that it was likely this, rather than a virus, although concerned that someone other than me (with that amount of technical knowledge, my gf is non-technical) was using my computer."

In the google age a solution for a problem like that can be found and used by a non-technical person easily. It's entirely possible that your girlfriend saw the ad, was annoyed, googled it, and found a step-by-step to get rid of it.

Now get off slashdot! You're not allowed to have a girlfriend here! Can you imagi

Re:

[Lobster Quadrille]

I do not use a mainstream AV program (i.e. Norton or McAfee) - I use Avira Antivir.

Just a thought, but maybe they know what AV software you use because you posted it on slashdot.

Re:if I were to own a rogue DNS server

[KublaiKhan]

I'd do it at the router level, myself. Lots of routers out there with easy or default passwords, and if you know the interface for that particular model/company, then changing the DNS settings would be easy as pie.

Get a lot of folks who have the money for a broadband connection that way--the folks with money and not much sense who are really ideal for identity theft.

Re:

[TripMaster Monkey]

True. Many normal users worry about securing their systems, but they completely forget about their routers.

Of course, unless they've enabled remote administration, you wouldn't be able to access the router from outside the user's home LAN. That's where hacking the wireless connection comes in. ^_^

Re:

[KublaiKhan]

Do it via the usual means, then--the browser hijack, or the email trojan, or whatever else you'd want to use.

Re:

[Firehed]

The problem with that is that they'll either have had to enable WAN router control panel access (unlikely if they weren't bright enough to change the default password) or you have to physically hit their network - even if just wardriving. I'm sure you'd be intelligent enough to clear out the router logs, but if someone else manages to get the machines themselves on the network infected with a DNS server attack, that's going to override your own.

Re:

[KublaiKhan]

Once you've got the router infected, you could use your new control over domains to inject other things to infect the machines, I suppose.

Or do it in reverse order, and get the machine first and the router after--so even if they fix their machine, on the next resynchronization they'd be hijacked again.

Re:

[DragonWriter]

The problem with that is that they'll either have had to enable WAN router control panel access (unlikely if they weren't bright enough to change the default password) or you have to physically hit their network - even if just wardriving.

Don't most routers disable wireless control panel access by default as well?

Waiting for the Worms

[Gary W. Longsine]

Ooooh, you cannot reach me now
Ooooh, no matter how you try
Goodbye, cruel 'Net, it's over
Surf on by.

Sitting in a bunker here behind fire-wall
Waiting for the worms to come.
In perfect isolation here behind fire-wall
Waiting for the worms to come.

We're {waiting to succeed} and going to convene outside Pharmington
Dot Com where we're going to be...

Waiting to infect their PC.
Waiting to read all their e-mail.
Waiting to follow the worms.
Waiting to set up fake bank sites.
Waiting to update the rootkits

It's a tree, not a shrubbery.

[jd]

DNS servers have local records but look elsewhere for authoratitive records for other sites. Authoratitive records still have to come from somewhere, though. If you've more than a few static/public IP addresses, it makes sense to run your own DNS and put the local information into that. Until that information is cached elsewhere, queries placed onto the DNS network will eventually make it onto your DNS server to be resolved.

So far, so nothing much. However, it's the first response to queries that matters,

Re:

[Intron]

Actually, there was just an article on the problem of poisoning DNS responses.

http://it.slashdot.org/article.pl?sid=08/02/10/0136236 [slashdot.org]

Your attack won't work since DNS uses a 16-bit randomized ID on each request and rejects any response with a non-matching key. Of course some DNS servers may not check the key, but Bind does.

Re:

[hal9000(jr)]

For a blind attack, yes. But if you can view the packets on the wire, say in a request, and if you can craft a response and get it to the requester first, you win.

Re:

[Raven42rac]

Your ISP's server could also do a zone transfer from a rogue DNS server and get poisoned cache. But most smart ISPs won't allow that.

Re:

[Yaa 101]

Trojans, I removed some recently on somebodies system, the get it by downloading those fake codecs.

You can fool most people in doing anything these days, it's called social engineering.