Researchers have identified a new trojan that can tamper with a wide array of devices on a local network, an exploit that sends them to impostor websites EVEN IF THEY ARE HARDENED MACHINES THAT ARE FULLY PATCHED OR RUN NON-WINDOWS OPERATING SYSTEMS. [emphasis added]
On Fri, 05 Dec 2008 19:45:19 -0600, "Lloyd E. Sponenburgh" wrote:
It's a simple ruse, once any machine on the LAN gets infected (the same way any machine can get infected with any trojan). That machine, in essence, becomes the DHCP handout device, assuming that DHCP is used on the LAN rather than hardcoding the IPs. During the handout, if the "client" is configured to get everything (DNS hosts, etc.) from that transaction, they then receive the bogus DNS servers, which in the end supply bogus IPs for the hosts you're looking for. If the "clients" have hardcoded DNS server IPs, then all should work fine, even if the infected machine is handing out the LAN IP addresses... they do have to be within the LAN routing area.
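The handout Lloyd describes is visible on the wire: a DHCPOFFER whose server-identifier (option 54) is not your real DHCP server, or whose DNS list (option 6) is not what that server hands out, is the rogue in action. The following is an added example, not code from the thread or from the trojan write-up: a small RFC 2132 option parser plus a checker that flags such offers. The LAN prefix, the "legitimate server" and "expected DNS" sets, and the packets themselves are constructed fixtures (TEST-NET and RFC 1918 addresses); capturing real offers from UDP port 68 is left outside the block.

```python
import ipaddress
import struct

# DHCP option codes used here (RFC 2132)
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_OFFER = 2
DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that separates the fixed header from the options


def build_offer(server_ip, yiaddr, mask, router, dns_servers, xid=0x3903F326):
    """Construct the UDP payload of a DHCPOFFER. Test fixture, not a real capture."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    # Fixed 236-byte header: op=BOOTREPLY(2), htype=Ethernet(1), hlen=6, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, ip(yiaddr), b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ip(server_ip)
    opts += bytes([OPT_SUBNET_MASK, 4]) + ip(mask)
    opts += bytes([OPT_ROUTER, 4]) + ip(router)
    opts += bytes([OPT_DNS, 4 * len(dns_servers)]) + b"".join(ip(d) for d in dns_servers)
    opts += bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


def parse_dhcp_options(payload):
    """Return {option_code: raw_bytes} from a DHCP message; ValueError on malformed input."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = data
        i += 2 + length
    return opts


def ip_list(data):
    """Decode an option value that is a list of IPv4 addresses."""
    if len(data) % 4:
        raise ValueError("address list length not a multiple of 4")
    return [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]


def check_offer(payload, legit_servers, lan, expected_dns):
    """Findings for one DHCPOFFER, compared with what this LAN is supposed to hand out.
    legit_servers: IPs allowed to serve DHCP; expected_dns: DNS servers the real server
    advertises. Returns [] for a non-OFFER or a clean offer."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return []
    net = ipaddress.ip_network(lan)
    findings = []
    server = ip_list(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in legit_servers:
        findings.append("rogue DHCP server: server-identifier %s"
                        % (server[0] if server else "missing"))
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in expected_dns:
            # Bogus resolvers may be a LAN host (the infected box) or an Internet address;
            # both are reported, with the location, since either breaks name resolution.
            where = "inside" if ipaddress.ip_address(dns) in net else "outside"
            findings.append("unexpected DNS server %s (%s the LAN)" % (dns, where))
    return findings


if __name__ == "__main__":
    # Constructed sample: the real router at .1, then an offer from an infected host at .77
    good = build_offer("192.168.1.1", "192.168.1.50", "255.255.255.0", "192.168.1.1", ["192.168.1.1"])
    rogue = build_offer("192.168.1.77", "192.168.1.50", "255.255.255.0", "192.168.1.1",
                        ["203.0.113.9", "192.168.1.77"])
    for pkt in (good, rogue):
        print(check_offer(pkt, {"192.168.1.1"}, "192.168.1.0/24", {"192.168.1.1"}))
```

Note that the checker judges the offer by its server-identifier and DNS list only; a rogue can spoof the router's address in option 54, so on a managed switch the durable fix is DHCP snooping (only the uplink port may send OFFER/ACK), while on a home LAN the practical check is the DNS-list comparison above.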
On Fri, 05 Dec 2008 19:45:19 -0600, "Lloyd E. Sponenburgh" wrote in :
It is both reliable and accurate. Likewise real. See
That's a good thing, but you are still vulnerable. The attack can be injected from behind your firewall if one of your machines is compromised, which can happen even with a firewall; e.g., through a browser vulnerability or email malware.
If your firewall is properly configured it blocks outgoing DNS requests from anything other than your internal DNS servers. DNS hijacking has been a risk for as long as DNS has existed. If you're serious about security you're already on top of this. Sadly, many sites are not serious enough about it.
On Sat, 6 Dec 2008 07:43:54 -0500, "Bill Kearney" wrote in :
What internal DNS servers? He's probably a home/SOHO user without a DNS server, in which case that advice isn't workable or helpful. And even if he did have a DNS server, it could be hijacked the same way if configured to use DHCP for DNS forwarding.
Some people here are more interested in network security than your vendetta.
Thanks for the heads-up John. I need to think about this for our network. I'd like to keep DHCP if possible, for most users. Since we are on Hughesnet, which takes a lot more control than most ISPs, I believe that no matter what we (or any malware) does, they determine our DNS servers... but I really should verify that.
On Mon, 8 Dec 2008 10:27:07 -0800 (PST), seaweedsl wrote in :
The most direct solution, as has already been noted, is:
(1) use a hardware firewall device (good idea in any event) configured to only allow outgoing DNS queries from internal DNS server(s), and
(2) configure internal DNS server(s) to (a) resolve IP addresses directly, or (b) forward DNS queries to known good DNS servers (either ISP or 3rd party).
For home users that want to use DHCP in clients rather than hard coding DNS server addresses, that can best be accomplished with a wireless router that:
(a) includes a DNS proxy that can be hard coded as in (2)(b), and (b) blocks direct DNS queries to the Internet from clients; i.e., only allows DNS queries to go to its DNS proxy.
My own recommendation is to make the first external DNS server the ISP (usually close topologically and fast) and the last external DNS server a good 3rd party (e.g., OpenDNS) for reliability.
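Rule (1) above, "only the internal DNS server(s) may send DNS queries out", has a useful side effect: any client that suddenly talks to the Internet on port 53 is a client whose DNS settings were changed behind your back, which is exactly the symptom of the rogue-DHCP trojan. The following is an added example, not code from the thread: the egress policy expressed as a function over flow records, run across a constructed batch of flows. The LAN prefix, the proxy address, and the forwarder list (a constructed TEST-NET address standing in for the ISP resolver, followed by OpenDNS's published 208.67.222.222, matching the ordering recommended above) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumption: the home/SOHO subnet
INTERNAL_DNS = {"192.168.1.1"}                  # assumption: the router's DNS proxy
# Forwarders pinned on the proxy, in the order recommended in the thread:
# ISP resolver first (constructed TEST-NET address), OpenDNS last.
UPSTREAM_DNS = ["203.0.113.53", "208.67.222.222"]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int


def egress_verdict(flow):
    """Return (action, reason) for one flow under rule (1): port 53 may leave the LAN
    only from the internal DNS proxy, and only towards its pinned forwarders."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in LAN or dst in LAN:
        return ("accept", "not LAN egress; rule does not apply")
    if flow.dport != 53 or flow.proto not in ("udp", "tcp"):
        return ("accept", "non-DNS traffic")
    if flow.src not in INTERNAL_DNS:
        # DHCP points every client at the proxy, so a client resolving directly on
        # the Internet has had its DNS servers replaced (rogue DHCP or local malware).
        return ("drop", "client %s bypassing the DNS proxy (possible DNS hijack)" % flow.src)
    if flow.dst not in UPSTREAM_DNS:
        # The proxy itself forwarding elsewhere is the case Bill raised: a DNS server
        # that took its forwarders from DHCP can be hijacked the same way.
        return ("drop", "DNS proxy forwarding to unlisted resolver %s" % flow.dst)
    return ("accept", "DNS proxy to pinned forwarder %s" % flow.dst)


def audit(flows):
    """Run the policy over a batch of flows; return only the drops as (flow, reason)."""
    drops = []
    for f in flows:
        action, reason = egress_verdict(f)
        if action == "drop":
            drops.append((f, reason))
    return drops


# Constructed sample flows (RFC 5737 TEST-NET addresses for everything off-LAN)
SAMPLE_FLOWS = [
    Flow("192.168.1.1", "203.0.113.53", "udp", 53),     # proxy -> ISP resolver: fine
    Flow("192.168.1.1", "208.67.222.222", "udp", 53),   # proxy -> OpenDNS: fine
    Flow("192.168.1.50", "192.168.1.1", "udp", 53),     # client -> proxy: stays in LAN, fine
    Flow("192.168.1.50", "198.51.100.7", "udp", 53),    # client -> resolver pushed by rogue DHCP
    Flow("192.168.1.1", "198.51.100.7", "tcp", 53),     # proxy forwarding to a hijacked upstream
    Flow("192.168.1.50", "198.51.100.80", "tcp", 443),  # ordinary HTTPS: fine
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DROP %s -> %s/%s:%d  %s" % (flow.src, flow.dst, flow.proto, flow.dport, reason))
```

On a real firewall the same policy is three rules in order: accept UDP and TCP port 53 from the proxy address to the listed forwarders, then log and drop port 53 from the whole LAN prefix, then the usual allow for everything else. The log line from the second rule is the alert that matters; a quiet LAN produces none.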
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.