Malware now doing the DNS switcheroo

Discussion in 'privacy general' started by ronjor, Nov 4, 2005.

Thread Status:
Not open for further replies.
  1. ronjor (Global Moderator; Texas; joined Jul 21, 2003; 57,755 posts)

    Story
     
  2. Rmus (Exploit Analyst; California; joined Mar 16, 2005; 3,943 posts)

    Another article, which is linked in the above article, details the modification of the DNS server registry key by the Trojan. The key is

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

    This exploit should be easily preventable.

    1) If your firewall rules specify your ISP DNS servers, then any other attempt via port 53 will be blocked.

    2) If on dial-up you specify your DNS servers instead of obtaining them automatically, then those entries will override any change made in the Registry.

    http://www.rsjones.net/img/dns_1.gif

    Below, I changed the NameServer to Paypal

    http://www.rsjones.net/img/dns_2.gif

    On connecting out, the entry reverts back to my ISP

    http://www.rsjones.net/img/dns_3.gif

    3) Any Registry Monitor will flag an unauthorized change to the Registry.

    Of course, the best prevention is not to let the trojan install in the first place. :)

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Nov 5, 2005
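The post above describes detecting an unauthorized change to the DNS NameServer entries under the Tcpip\Parameters registry key. The PowerShell script below is an added example, not code from the thread or from any of its posters: it enumerates the global Parameters key and every per-interface subkey, reads the static NameServer (and, for reference, the DHCP-supplied DhcpNameServer) values, and reports any static server that is not on an allowlist of expected resolvers. The allowlist addresses are placeholders (TEST-NET-1 range) that you would replace with your ISP's or organisation's resolvers; the function names are this example's own.

```powershell
# Audit static DNS NameServer entries in the registry against an allowlist.
# Added example, not from the thread. The $AllowedDns addresses are placeholders.
$AllowedDns = @('192.0.2.1', '192.0.2.2')   # placeholder allowlist: replace with your resolvers

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsRegistryEntries {
    # One object for the global Parameters key and one per interface GUID subkey,
    # each with its static NameServer and DHCP-assigned DhcpNameServer values.
    $keys = @(Get-Item -Path $Base) + @(Get-ChildItem -Path "$Base\Interfaces")
    foreach ($k in $keys) {
        $static = (Get-ItemProperty -Path $k.PSPath -Name NameServer     -ErrorAction SilentlyContinue).NameServer
        $dhcp   = (Get-ItemProperty -Path $k.PSPath -Name DhcpNameServer -ErrorAction SilentlyContinue).DhcpNameServer
        [pscustomobject]@{
            Key            = $k.PSChildName
            NameServer     = $static
            DhcpNameServer = $dhcp
        }
    }
}

function Test-DnsAllowlist {
    param([string[]]$Allowed)
    # Returns one finding per static NameServer address that is not on the allowlist.
    $findings = @()
    foreach ($entry in Get-DnsRegistryEntries) {
        if ([string]::IsNullOrWhiteSpace($entry.NameServer)) { continue }
        # NameServer is a REG_SZ that may hold several addresses separated by commas or spaces.
        $servers = $entry.NameServer -split '[ ,]+' | Where-Object { $_ }
        foreach ($server in $servers) {
            if ($Allowed -notcontains $server) {
                $findings += [pscustomobject]@{ Key = $entry.Key; UnexpectedServer = $server }
            }
        }
    }
    return $findings
}

$findings = @(Test-DnsAllowlist -Allowed $AllowedDns)
if ($findings.Count -eq 0) {
    Write-Host 'No unexpected static NameServer entries found.'
} else {
    Write-Warning 'Unexpected static DNS server entries found (possible DNS hijack):'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so every interface subkey is readable. An empty NameServer value means the interface takes its resolvers from DHCP (shown in DhcpNameServer), which is exactly the state the Trojan described above overrides by writing a static entry; scheduling this check, or wiring its output into the registry monitor the post recommends, gives you the alert on that change.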