NEWS: New trojan in mass DNS hijack

Researchers have identified a new trojan that can tamper with a wide array of devices on a local network, an exploit that sends them to impostor websites EVEN IF THEY ARE HARDENED MACHINES THAT ARE FULLY PATCHED OR RUN NON-WINDOWS OPERATING SYSTEMS. [emphasis added]

Reply to
John Navas

John Navas fired this volley in news: snipped-for-privacy@4ax.com:

John, how reliable and accurate is that account?

We live behind a firewall appliance, but I wonder what vulnerability we might still have?

LLoyd

Reply to
Lloyd E. Sponenburgh

On Fri, 05 Dec 2008 19:45:19 -0600, "Lloyd E. Sponenburgh" wrote:

It's a simple ruse, once any machine on the LAN gets infected (the same way any machine can get infected with any trojan). That machine, in essence, becomes the DHCP handout device, assuming that DHCP is used on the LAN rather than hardcoding the IPs. During the handout, if the "client" is configured to get everything (DNS hosts, etc.) from that transaction, they then receive the bogus DNS servers, which in the end supply bogus IPs for the hosts you're looking for. If the "clients" have hardcoded DNS server IPs, then all should work fine, even if the infected machine is handing out the LAN IP addresses... they do have to be within the LAN routing area.

Reply to
Froggie the Gremlin
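One way to spot the rogue handout Froggie describes is to audit DHCP offers seen on the LAN and flag any that come from an unknown DHCP server or push DNS servers outside an allow-list. This is an added example, not code from the thread; the trusted-server lists and the sample offer packets are constructed placeholders.

```python
"""Flag DHCP offers that hand out unexpected DNS servers, the rogue-DHCP trick
described above. Added example; allow-lists and sample packets are constructed."""
import ipaddress

# Assumed "known good" values for this LAN (placeholders, not from the thread).
TRUSTED_DHCP_SERVERS = {"192.168.1.1"}
TRUSTED_DNS_SERVERS = {"192.168.1.1", "208.67.222.222"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of DHCP options (RFC 2132)
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
DHCP_OFFER, DHCP_ACK = 2, 5


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from the options area of a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                  # pad byte, no length field
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def audit_offer(payload: bytes) -> list:
    """Return findings for a server->client message (empty list == looks legitimate)."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in (DHCP_OFFER, DHCP_ACK):
        return []                            # discovers/requests carry no DNS settings
    findings = []
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else "<none>"
    if server not in TRUSTED_DHCP_SERVERS:
        findings.append(f"offer from unknown DHCP server {server}")
    raw = opts.get(OPT_DNS, b"")
    for k in range(0, len(raw) - len(raw) % 4, 4):   # option 6 is a list of 4-byte IPv4s
        dns = str(ipaddress.IPv4Address(raw[k:k + 4]))
        if dns not in TRUSTED_DNS_SERVERS:
            findings.append(f"offer pushes untrusted DNS server {dns}")
    return findings


def sample_offer(server_ip: str, dns_ips: list) -> bytes:
    """Constructed DHCPOFFER (fixed header zeroed) used only to exercise the audit."""
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    dns = b"".join(ipaddress.IPv4Address(ip).packed for ip in dns_ips)
    opts += bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END])
    return bytes(236) + MAGIC_COOKIE + opts
```

In practice the payload would come from a capture of UDP port 68 traffic on the LAN; a non-empty findings list is exactly the symptom Froggie describes, a second "DHCP handout device" pushing its own resolvers.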

On Fri, 05 Dec 2008 19:45:19 -0600, "Lloyd E. Sponenburgh" wrote in :

It is both reliable and accurate. Likewise real. See

That's a good thing, but you are still vulnerable. The attack can be injected from behind your firewall if one of your machines is compromised, which can happen even with a firewall; e.g., through a browser vulnerability or email malware.

Reply to
John Navas

If your firewall is properly configured it blocks outgoing DNS requests from anything other than your internal DNS servers. DNS hijacking has been a risk for as long as DNS has existed. If you're serious about security you're already on top of this. Sadly, many sites are not serious enough about it.

Reply to
Bill Kearney

On Sat, 6 Dec 2008 07:43:54 -0500, "Bill Kearney" wrote in :

What internal DNS servers? He's probably a home/SOHO user without a DNS server, in which case that advice isn't workable or helpful. And even if he did have a DNS server, it could be hijacked the same way if configured to use DHCP for DNS forwarding.

Reply to
John Navas

John Navas fired this volley in news: snipped-for-privacy@4ax.com:

No, John. We have a Watchguard Firebox Edge with current updates.

LLoyd

Reply to
Lloyd E. Sponenburgh

On Sat, 06 Dec 2008 11:01:48 -0600, "Lloyd E. Sponenburgh" wrote in :

I stand corrected. And you've configured it to only allow DNS queries from internal DNS servers, which don't use forwarding by DHCP?

Reply to
John Navas

John Navas fired this volley in news: snipped-for-privacy@4ax.com:

I wouldn't know - I didn't set it up - but I can check.

That's why I asked about the vulnerability in the first place.

LLoyd

Reply to
Lloyd E. Sponenburgh

Well, proof again of how Navas usually (always?) gets it wrong.

Reply to
Bill Kearney

On Sun, 7 Dec 2008 06:43:00 -0500, "Bill Kearney" wrote in :

Well, proof again of how childish you usually (always?) are.

Reply to
John Navas

What irony.

Reply to
News

On Sun, 07 Dec 2008 15:23:27 -0500, News wrote in :

Well put. Have you nothing meaningful or constructive to say?

Reply to
John Navas

Yes John, he does. He's yet another person to notice what an ass you make of yourself.

Reply to
Bill Kearney

On Sun, 7 Dec 2008 18:28:58 -0500, "Bill Kearney" wrote in :

Here's a tip: When you behave like an 8 year old, it diminishes the credibility of what you say.

Reply to
John Navas

Heal thyself.

Reply to
News

Some people here are more interested in network security than your vendetta.

Thanks for the heads-up John. I need to think about this for our network. I'd like to keep DHCP if possible, for most users. Since we are on Hughesnet, which takes a lot more control than most ISPs, I believe that no matter what we (or any malware) does, they determine our DNS servers.....but I really should verify that.

Steve

Reply to
seaweedsl

On Mon, 08 Dec 2008 12:32:41 -0500, News wrote in :

Go for it.

Reply to
John Navas

On Mon, 8 Dec 2008 10:27:07 -0800 (PST), seaweedsl wrote in :

The most direct solution, as has already been noted, is:

(1) use a hardware firewall device (good idea in any event) configured to only allow outgoing DNS queries from internal DNS server(s), and

(2) configure internal DNS server(s) to (a) resolve IP addresses directly, or (b) forward DNS queries to known good DNS servers (either ISP or 3rd party).

For home users that want to use DHCP in clients rather than hard coding DNS server addresses, that can best be accomplished with a wireless router that:

(a) includes a DNS proxy that can be hard coded as in (2)(b), and (b) blocks direct DNS queries to the Internet from clients; i.e., only allows DNS queries to go to its DNS proxy.

My own recommendation is to make the first external DNS server the ISP (usually close topologically and fast) and the last external DNS server a good 3rd party (e.g., OpenDNS) for reliability.

Reply to
John Navas
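The policy in (1) and (2)(b) above can be checked against firewall logs: any LAN host other than the internal resolver sending DNS to the Internet, or the resolver forwarding to an upstream that is not on the known-good list (the DHCP-forwarding hijack mentioned earlier in the thread), is a violation. This is an added example, not the poster's configuration; the LAN range, resolver, upstream addresses and log-line format are constructed placeholders.

```python
"""Audit outbound DNS flows against the policy: only the internal resolver may
talk to the Internet on port 53, and only to known-good upstreams.
Added example; all addresses and log lines below are constructed."""
import ipaddress
from collections import namedtuple

LAN = ipaddress.ip_network("192.168.1.0/24")               # placeholder LAN
INTERNAL_RESOLVER = ipaddress.ip_address("192.168.1.2")    # placeholder resolver/DNS proxy
# ISP resolver first, 3rd-party last, as recommended above (placeholder addresses)
KNOWN_GOOD_UPSTREAMS = {ipaddress.ip_address("203.0.113.53"),
                        ipaddress.ip_address("208.67.222.222")}

Flow = namedtuple("Flow", "src dst dport proto")


def parse_flow(line: str) -> Flow:
    """Parse a 'src=.. dst=.. dport=.. proto=..' firewall log line (constructed format)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                int(kv["dport"]), kv["proto"])


def dns_policy_violation(flow: Flow):
    """Return a reason string if the flow breaks the DNS egress policy, else None."""
    if flow.dport != 53 or flow.src not in LAN or flow.dst in LAN:
        return None                          # not an outbound DNS flow
    if flow.src != INTERNAL_RESOLVER:
        return f"{flow.src} bypasses the internal resolver (direct DNS to {flow.dst})"
    if flow.dst not in KNOWN_GOOD_UPSTREAMS:
        return f"resolver forwarding to unexpected upstream {flow.dst} (DHCP-supplied?)"
    return None


SAMPLE_LOG = [  # constructed log lines
    "src=192.168.1.2 dst=203.0.113.53 dport=53 proto=udp",     # resolver -> ISP: fine
    "src=192.168.1.25 dst=198.51.100.9 dport=53 proto=udp",    # client bypasses resolver
    "src=192.168.1.2 dst=198.51.100.9 dport=53 proto=udp",     # resolver hijacked upstream
    "src=192.168.1.25 dst=192.168.1.2 dport=53 proto=udp",     # client -> resolver: fine
    "src=192.168.1.25 dst=93.184.216.34 dport=443 proto=tcp",  # not DNS
]


def audit(lines):
    """Return the violation reasons found in an iterable of log lines."""
    return [v for v in (dns_policy_violation(parse_flow(l)) for l in lines) if v]
```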

Then your own credibility is questionable.

To be fair, I don't think you act like an 8 year old. I think you act like a bratty 12 year old who thinks he knows everything.

Reply to
bob
