
DNS Changer - wglb
http://www.circleid.com/posts/20120327_dns_changer/
======
wcchandler
I work for a small college -- we actually got a couple of letters from the FBI
alerting us that somebody on our network was infected by this. We then had to
do some internal sleuthing to hunt down who was participating, and more
importantly, stop it from happening. We also wanted to know if the actions
were intentional.

All the information we could find on this was from 2007-2009. It seemed like
this software was out-of-date and no longer in the wild. So I always wondered
why we were being contacted, especially now.

This write-up was greatly appreciated as it finally shed some light on why we
were contacted about it -- and more so, how the FBI were involved.

~~~
freehunter
Same thing happened where I work. We got the notice, checked through our logs,
found that someone on our guest network had the virus in 2010, and was only
connected for less than 10 minutes. They're sending the notices to every C net
that has hit their temporary servers since they set them up.

------
feefie
It's not that I don't care about being uninfected, I just don't know where to
find out about things like DNS Changer and Conficker. I answer all the
requests my system tray makes of me, keeping the following up-to-date: Windows
Updates, AVG Anti-Virus Free Edition 2012, Adobe Flash, and Java. I use Chrome
and Firefox, which update themselves. Is there something else I should be doing? Is
there a web page that has a checklist of things I should do regularly, like
1. run Windows Update, 2. go to <http://dns-ok.us/>, etc.? How do I know if I'm
infected by Conficker? I assumed Windows or my AVG Anti-Virus would have told
me.
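
Two things this part of the thread asks for, as an added example that is not part of the article or of anyone's comment here: hunting through network logs for hosts that still talk to the rogue resolvers (the sleuthing wcchandler and freehunter describe above), and the one check an end user like feefie can do locally, which is to look at which resolver the machine is actually configured to use rather than trusting a web page that is itself reached through DNS. The six address ranges are the ones the FBI's DNSChanger notices listed for the rogue resolvers, reproduced here from memory, so verify them against the notice before acting on them; the flow-log line format, the log lines and the resolv.conf text are constructed sample data, not real captures.

```python
"""Added example: spot hosts still using the DNSChanger rogue resolvers.

The six ranges below are the rogue-resolver ranges from the FBI's DNSChanger
notice, reproduced from memory (verify against the notice). The log lines,
the log format and the resolv.conf text are constructed sample data.
"""
import ipaddress
import re

ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]


def is_rogue_resolver(ip: str) -> bool:
    """True if ip falls inside one of the rogue DNSChanger ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_RANGES)


def rogue_nameservers(resolv_conf: str) -> list:
    """Return the nameserver entries in resolv.conf-style text that are rogue.

    This is the end-user check: DNSChanger rewrote the resolver address the
    OS (or the home router) hands out, so that address is what to look at.
    """
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and is_rogue_resolver(parts[1]):
            found.append(parts[1])
    return found


# Constructed flow-log format (an assumption, not any vendor's real format):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)


def hunt_flow_log(lines):
    """Map internal source IP -> set of rogue resolvers it sent DNS (port 53) to."""
    hits = {}
    for line in lines:
        m = FLOW_RE.match(line)
        if not m or m.group("dport") != "53":
            continue  # unparsable line, or not DNS traffic
        dst = m.group("dst")
        if is_rogue_resolver(dst):
            hits.setdefault(m.group("src"), set()).add(dst)
    return hits


# Constructed sample data: one host querying 8.8.8.8 (clean), two hosts
# querying rogue ranges, one web hit to a rogue range (not a DNS query).
SAMPLE_FLOWS = """\
2012-03-27T10:01:02Z 10.20.5.17:51234 -> 8.8.8.8:53 udp
2012-03-27T10:01:03Z 10.20.5.17:51235 -> 85.255.112.36:53 udp
2012-03-27T10:01:04Z 10.20.9.40:40012 -> 93.188.161.9:53 udp
2012-03-27T10:01:05Z 10.20.9.40:40013 -> 93.188.161.9:80 tcp
2012-03-27T10:01:06Z 10.20.7.2:33001 -> 75.75.75.75:53 udp
""".splitlines()

SAMPLE_RESOLV = """\
# constructed resolv.conf
nameserver 85.255.112.36
nameserver 67.210.13.9
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for host, servers in sorted(hunt_flow_log(SAMPLE_FLOWS).items()):
        print(host, "-> rogue resolvers:", ", ".join(sorted(servers)))
    print("rogue nameservers in resolv.conf:", rogue_nameservers(SAMPLE_RESOLV))
```

Filtering on port 53 keeps ordinary web traffic to those ranges out of the result. If the infected device was a home router rather than a PC (DNSChanger also rewrote router DNS settings), the source address in the log will be the router, so the follow-up is on the LAN behind it. On Windows the equivalent of the resolv.conf check is the "DNS Servers" lines in `ipconfig /all`.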

~~~
nikcub
Stop running Flash and Java, they are the source of most browser
vulnerabilities, which are the source of most malware

Go to chrome://plugins and kill everything

When you need one of the two, run them in a separate (updated) browser in a
separate guest account (fast user switching ftw).

~~~
naner
_When you need one of the two, run them in a separate (updated) browser in a
separate guest account (fast user switching ftw)._

Yeah, nobody is going to do that. Chrome has an option to have 3rd party
plugins blocked by default (click to activate) and Firefox has Flashblock.
That's about as much as you can expect users to do.

~~~
nikcub
> Yeah, nobody is going to do that.

I do. Once you force yourself to do it once or twice it is actually pretty
quick (2 keystrokes), but you rarely need Flash today anyway. There are far
too many web rootkits going around for it to be worth running flash and java
(OSX and windows)

see: <http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/>

If you spend any amount of time on the web there is a chance that you have
visited a page running an exploit pack. Their penetration rates are 10-20%.
There is even a chance that you have been exploited right now and don't even
know it.

Any extension that claims to block in Chrome doesn't actually block, since the
extension API doesn't allow that - it is only hiding using CSS or some other
Javascript trick that still leaves the plugins vulnerable. Flashblock for
Firefox also doesn't prevent exploits of vulnerable browser plugins.

All those plugins create a false sense of security

~~~
Dylan16807
The plugin click to enable in chrome is built-in.

And what do you mean flashblock in Firefox doesn't help? If you don't
intentionally activate the plugin it can't hurt you.

~~~
nikcub
the last time I looked at the Flashblock code for Firefox there was a way to
still exploit a flash vuln by slowing the page load down or intercepting
DOMContentInserted

Chrome is _definitely_ vulnerable. They are a few versions away from making
the blocking API non-experimental.

~~~
Dylan16807
Using an extension to block may be vulnerable but the builtin click to
activate is different. No API involved, I can go to youtube with click-to-
activate turned on and it doesn't even spin up a plugin process until I click.

------
justinsb
Why not redirect _all_ DNS requests to the address of an informational HTTP
server, saying "This computer is infected; here is how to fix it..."

I am sure that Geek Squad would pay a substantial amount of money to be listed
as one of the repair options.

The idea that network administrators should have to spend hours hunting down
these people is ridiculous. When/if they find them, they're just going to shut
them off anyway.

If you're relying on the internet for anything important, you probably want to
know that e.g. every key you type is going to some server somewhere.
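
justinsb's walled-garden idea, as an added example that is not part of the article or of the comments: a DNS sinkhole that answers every A query with the address of an informational HTTP server, so an infected machine lands on the "this computer is infected" page whatever name it asked for. This is not what the court-ordered replacement servers did (they resolved names normally); the landing address 192.0.2.10 is a documentation address chosen here, and the query packets are built by the code itself, so it runs offline. Only the wire format for a plain, uncompressed question is handled.

```python
"""Added example: a DNS sinkhole that answers every A query with one landing
page (justinsb's walled-garden proposal). Not the behaviour of the real
replacement servers. 192.0.2.10 is a constructed documentation address.
"""
import socket
import struct

LANDING_PAGE = "192.0.2.10"  # constructed: the "you are infected" HTTP server


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query; used here only to generate sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet: bytes):
    """Return (txid, name, qtype, end_offset) of the first question section."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question")
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question not supported")
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels), qtype, off + 4


def sinkhole_response(query: bytes, landing_ip: str = LANDING_PAGE, ttl: int = 60) -> bytes:
    """Answer A queries with landing_ip; anything else gets an empty NOERROR.

    The TTL is short so a host stops seeing the landing page promptly once
    its resolver setting is fixed.
    """
    txid, _name, qtype, qend = parse_question(query)
    question = query[12:qend]
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    if qtype != 1:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    answer = (b"\xc0\x0c"  # compression pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)  # type A, class IN, TTL, rdlength
              + socket.inet_aton(landing_ip))
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def answered_address(response: bytes) -> str:
    """Pull the A record out of a sinkhole_response() packet ("" if none)."""
    _txid, _name, _qtype, qend = parse_question(response)
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return ""
    # answer = 2-byte name pointer + 2 type + 2 class + 4 TTL + 2 rdlength, then rdata
    return socket.inet_ntoa(response[qend + 12:qend + 16])


def serve(bind=("0.0.0.0", 5353)):
    """Minimal UDP loop; bind to port 53 to sinkhole real clients."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(sinkhole_response(data), peer)
        except (ValueError, IndexError):
            pass  # malformed query: drop it rather than crash the sinkhole


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("www.example.com ->", answered_address(sinkhole_response(q)))
```

Because the answer is synthesised rather than resolved, HTTPS sites show certificate errors instead of the landing page, and anything that is not an A lookup (mail, or an IPv6-only client asking for AAAA) gets an empty answer; that breakage is what prompts the support call. It is also exactly what a rogue resolver does, which is why a check page reached over plain DNS and plain HTTP can itself be spoofed.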

~~~
pmjordan
There's a certain fear of ISPs implementing work-arounds articulated in
the article. I'm not surprised - the IP addresses in question can't ever be
reliably reused if some ISPs set up special routes for them. And they will do
exactly that if they suddenly get a flood of complaints about "the internet
not working".

~~~
justinsb
That's a clearer explanation than I was able to parse from the article -
thanks!

It seems to me that the right thing to do is to implement the blanket redirect
centrally. If ISPs want to implement something different for their traffic,
they are free to do so.

The IPs are probably now no good to anyone anyway - they will be in too many
blacklists.

~~~
pmjordan
I'm not trying to put words in Paul Vixie's mouth by the way, so "explanation"
is too strong a word. It's just my interpretation. I'd agree that the article
could go into more detail on why this is a bad thing long term; I'm sure
there's more to it.

------
gst
So without those servers the clients would break and can't resolve DNS
requests. Is this correct?

If it is, I don't understand why to bother at all with keeping them running.
Just stop them. The Internet will break for the people affected, they will let
someone "repair" their computer, and you get rid of all the infected clients.
This needs to be done anyway sooner or later. Why defer it?

~~~
spjwebster
"Internet will break for the people affected."

Those people may rely on the Internet for their job, studies or social life,
so you shouldn't be so quick to just pull the plug because they were
unfortunate enough to get infected. To add insult to injury, you would be
forcing them to spend possibly significant amounts of money to get it working
again, something that not everyone has ready access to.

~~~
ghshephard
Well, the "internet" isn't like a land line/electricity. It goes down pretty
consistently where I have lived for the last 10 years (Sunnyvale CA, San Mateo
CA, Redwood City CA) - on both DSL and Cable (SBC, AT&T, Comcast) - sometimes
for 2 to 3 days at a time. Indeed, the frequency with which Comcast's DNS
server stops responding to me has me switching to 8.8.8.8 on a bi-monthly basis
(and screwing up all the CDNs at the same time).

Shutting down this rogue DNS server will have little to no serious consequence
on people's lives - it's not like the "internet" is a reliable service. People
who do need reliability, have things like SONET with dual-entrance, multiple
providers, and multiple data centers located in separate disaster zones with
aggressive power redundancy facilities.

~~~
ejdyksen
FYI, Comcast's new generation of DNS servers appear to be much more reliable.
They support IPv6 and DNSSEC, and don't have ads. Also, they're anycast (like
Google), so the IPs are the same everywhere:

75.75.75.75
75.75.76.76
2001:558:FEED::1
2001:558:FEED::2

<http://dns.comcast.net/>

------
aqme28
I might be a bit uninformed, but what's to stop the hacker from redirecting
<http://dns-ok.us/> to a fraudulent page that says your DNS is okay?

~~~
entropyneur
Being in jail, if I read the article correctly. The "malicious" DNS servers
are currently operated by the good guys.

~~~
aqme28
Well that's a good point, but if a new hacker comes along with a DNS hack,
that site can easily become more harmful than beneficial.

~~~
pmjordan
Yet another reason to try to sort _this_ one out properly as quickly as
possible. But I do find it worrying that e.g. <http://dns-ok.de/> is a non-SSL
site. Furthermore, it shows the German federal government's emblem and the
T-Mobile and Avira logos, presumably to convey trustworthiness. Those logos
are trivially faked, so I'm not sure it's a good idea training users to
associate them with trust.

~~~
sp332
Showing the logos would be illegal without authorization. The companies and
the government are much more likely to get involved over fraud that directly
involves them. So it raises the stakes significantly for any forger.

~~~
pmjordan
Considering the main use of hacked DNS is going to be stealing login info by
redirecting to fraudulent versions of websites, I don't think these criminals
will have a problem forging logos.

------
mcculley
The article talks about ISPs running replacement servers to counter this. It
is not clear, but it sounds like these servers would be intercepting DNS
requests to the formerly bad servers and that is why Vixie is against it being
a long term solution. He suggests that ISPs could intentionally break infected
customers in small batches to get the customers to call for help, but couldn't
such infrastructure be used to detect infected customers and send out
assistance?

~~~
pmjordan
Sending out assistance is expensive. Some customers actively _resist_
assistance.

------
shill
Where have I seen the author's name before? Oh yeah...

$ man crontab

~~~
whimsy
Yeah, Paul Vixie is kind of a badass.
<http://en.wikipedia.org/wiki/Paul_Vixie>
