[SGVLUG] interesting DNS server redirect story

Dan Buthusiem dan.buthusiem at gmail.com
Fri Apr 20 20:01:27 PDT 2012


Actually, I have a story about this. For those who don't want to read the
whole thing, this is why you should always change your default passwords.

I had a user tell me he was getting weird web pages and pop-ups from all of
the computers on his home network. While I was testing from a Linux
netbook, I noticed pages like Google were getting re-directed, too. I
checked his router's config and found that because the router's default
login had never been changed, someone who got access to his network through
a Trojan had managed to reconfigure his network to use rogue DNS servers.
Once I corrected it (and changed the password), everything went back to
normal. The scary thing is that all of the computers just showed the router
as their DNS server, so it would have been impossible to tell had I not
checked the router on a hunch. He had already wiped his two PCs before he
had me check things out, so this turned out to be a tactic that persisted
and evaded extreme anti-malware measures.

Things keep getting more interesting as tech advances.

- Dan

Sent from mobile.
On Apr 20, 2012 7:49 PM, "matti" <mathew_2000 at yahoo.com> wrote:

>
>
> Hi,
>
> Wow, this is actually an interesting story:
>
>
> Summary - Hijackers compromise Windows systems, redirecting them to rogue
> DNS servers, and substituting ads (and who knows what else) in the
> legitimate websites and generate $$ from those ads.
>
> Authorities counter:
>
> Paul Vixie installed clean DNS servers to take place of rogue DNS servers
> after authorities dismantled hijacker ring
>
> ( yes, this is why DNSSEC is good idea ;)
>
>
>
> "Hundreds of thousands may lose Internet in July"
>
>
> http://news.yahoo.com/hundreds-thousands-may-lose-internet-july-181324701--finance.html
>
> ..
> Hackers infected a network of probably more than 570,000 computers
> worldwide. They took advantage of vulnerabilities in the Microsoft Windows
> operating system to install malicious software on the victim computers.
> This turned off antivirus updates and changed the way the computers
> reconcile website addresses behind the scenes on the Internet's domain name
> system.
> The DNS system is a network of servers that translates a web address —
> such as www.ap.org — into the numerical addresses that computers use.
> Victim computers were reprogrammed to use rogue DNS servers owned by the
> attackers. This allowed the attackers to redirect computers to fraudulent
> versions of any website.
> The hackers earned profits from advertisements that appeared on websites
> that victims were tricked into visiting. The scam netted the hackers at
> least $14 million, according to the FBI. It also made thousands of
> computers reliant on the rogue servers for their Internet browsing.
> When the FBI and others arrested six Estonians last November, the agency
> replaced the rogue servers with Vixie's clean ones. Installing and running
> the two substitute servers for eight months is costing the federal
> government about $87,000.
> ..
>
> thanks
> matti
>
>
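Dan's point is that every host "just showed the router as their DNS server", so per-host settings look clean while the router forwards everything to rogue resolvers. One way to catch that from inside the LAN is to ask the router for a handful of names and compare its answers against a known-good resolver. The script below is an added example and not code from anyone in this thread; the domain names and IP addresses in it are constructed (RFC 5737 test ranges), the `dnspython` helper is an assumption about how a real run would query a specific server, and the "many domains, one answer IP" heuristic is this example's own rule of thumb, not something the article states.

```python
"""Added example (not part of the SGVLUG thread): compare answers from the
LAN resolver (typically the home router) against a reference resolver, so
that rogue-DNS forwarding on the router shows up even when every host's
own DNS setting looks normal."""
from typing import Callable, Dict, Iterable, List, Set

# A lookup function takes a name and returns the set of IPv4 answers.
Lookup = Callable[[str], Set[str]]


def compare_resolvers(domains: Iterable[str], lan_lookup: Lookup,
                      reference_lookup: Lookup) -> List[dict]:
    """Resolve each name via both resolvers and classify the result.

    Answers are compared by intersection rather than equality: CDN-hosted
    names legitimately return different subsets of a pool, so a shared IP
    is treated as agreement, while disjoint answer sets are a mismatch."""
    findings = []
    for name in domains:
        lan = set(lan_lookup(name))
        ref = set(reference_lookup(name))
        if not lan:
            status = "no-answer"          # NXDOMAIN, timeout or filtered
        elif lan & ref:
            status = "ok"
        else:
            status = "mismatch"
        findings.append({"domain": name, "lan": sorted(lan),
                         "reference": sorted(ref), "status": status})
    return findings


def suspicious_domains(findings: List[dict]) -> List[str]:
    """Names whose LAN answers share nothing with the reference answers."""
    return [f["domain"] for f in findings if f["status"] == "mismatch"]


def shared_answer_ips(findings: List[dict], min_domains: int = 2) -> Dict[str, List[str]]:
    """Heuristic (assumption of this example): a rogue resolver that proxies
    'any website' tends to hand out the same few IPs for unrelated names.
    Returns each LAN answer IP that appears for >= min_domains mismatched
    domains, with the domains it was returned for."""
    by_ip: Dict[str, List[str]] = {}
    for f in findings:
        if f["status"] != "mismatch":
            continue
        for ip in f["lan"]:
            by_ip.setdefault(ip, []).append(f["domain"])
    return {ip: doms for ip, doms in by_ip.items() if len(doms) >= min_domains}


def dnspython_lookup(server: str, timeout: float = 3.0) -> Lookup:
    """Assumed helper for a real run: build a Lookup that queries one
    specific server using the third-party dnspython package (imported
    lazily so the rest of the example runs without it)."""
    import dns.exception
    import dns.resolver

    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [server]
    resolver.lifetime = timeout

    def lookup(name: str) -> Set[str]:
        try:
            return {r.address for r in resolver.resolve(name, "A")}
        except dns.exception.DNSException:
            return set()
    return lookup


# Constructed sample answers (RFC 5737 documentation ranges), modelling a
# router that forwards to a rogue resolver pointing most names at one proxy.
SAMPLE_REFERENCE = {
    "bank.example":   {"192.0.2.10"},
    "search.example": {"192.0.2.20", "192.0.2.21"},
    "cdn.example":    {"198.51.100.5", "198.51.100.6"},
    "news.example":   {"192.0.2.30"},
}
SAMPLE_LAN = {
    "bank.example":   {"203.0.113.7"},                 # redirected to proxy
    "search.example": {"203.0.113.7"},                 # same proxy IP
    "cdn.example":    {"198.51.100.6", "198.51.100.9"},  # CDN pool, overlaps
    "news.example":   set(),                           # timed out
}


def demo() -> List[dict]:
    """Run the comparison over the constructed sample and print a report."""
    findings = compare_resolvers(sorted(SAMPLE_REFERENCE),
                                 lambda n: SAMPLE_LAN.get(n, set()),
                                 lambda n: SAMPLE_REFERENCE.get(n, set()))
    for f in findings:
        print(f"{f['domain']:16} {f['status']:10} lan={f['lan']} ref={f['reference']}")
    print("suspicious:", suspicious_domains(findings))
    print("shared proxy IPs:", shared_answer_ips(findings))
    return findings


if __name__ == "__main__":
    demo()
```

For a live check you would pass `dnspython_lookup("<router LAN address>")` and `dnspython_lookup("<reference resolver>")` to `compare_resolvers`. A single mismatch is weak evidence on its own; the signal Dan describes is many unrelated names all landing on the same handful of addresses, which is what `shared_answer_ips` surfaces. Checking the router's own forwarder setting, as Dan did, remains the definitive step.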