New Man-in-the-Middle attacks leveraging rogue DNS

Discussion in 'malware problems & news' started by Rasheed187, Mar 26, 2014.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Technically no, but HIPS will prevent the malware from installing in the first place so you should be ok. Once malware is on your system you're pretty screwed.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    So this stuff can't be stopped by protecting the registry and file system, for example? o_O
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    I'm pretty sure HIPS would prevent it from making the required changes to your PC in the first place.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Can't say without more knowledge of how the attack works...

    If the embedded binary is invoked with CreateProcess, CreateProcessEx, then a HIPS will probably block it. Likewise for library loading system calls, if the HIPS is configured securely.

    If on the other hand the malicious code runs in the word processor's memory space, without invoking one of those system calls, then it's down to restrictions on other system calls, including filesystem and registry access. In that case you would hope it doesn't try to escalate privileges first thing. But on the other hand, if it uses a memory exploit to get off the ground, then EMET would probably block it.

    If on the other hand it is one of those long chains of self-extracting packed executables, a HIPS will probably block it (or at least make a lot of noise).

    But in any case this doesn't strike me as particularly threatening, since the vector involves opening a spam attachment. :p
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There's quite a few more variables involved. Several HIPS can also monitor specific keys in the registry. The DNS settings may or may not be on its default list. With SSM pro for example, you can add any keys you want to the coverage.

    Such an attack could also be defeated at the firewall by creating IP specific rules for DNS. If the PC tries to use another IP, the firewall blocks it.

    To my knowledge, any decent HIPS should prevent the initial execution of the changer. If that fails, registry protection should prevent the change as the settings are stored in the registry. If that is also bypassed, a properly set firewall should block the altered DNS. That's layered security. Multiple points at which the attack can be defeated.
     
    Last edited: Mar 26, 2014
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes, that's what I was thinking also, I wonder if current HIPS are monitoring DNS settings? :rolleyes:

    But now that I think of it, a specialized tool like Trusteer Rapport should probably be able to stop this specific attack.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From the article:
    Any decent program with whitelisting will block an unauthorized executable program file from launching.

    Five years ago I found an RTF document exploit which contained an executable disguised as a Package Object:

    http://www.urs2.net/rsj/computing/tests/rtf

    ----
    rich
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    @ Rmus and others

    I should have been more clear. Of course anti-exe and anti-exploit will stop this stuff. :)
    But I was talking about the methods that are used by this malware.

    I already figured out that with good old SSM (Win XP), it's possible to protect DNS settings. Perhaps y'all can check out other HIPS on Win 7/8, you can test it with DNS Angel.

    I'm not sure where root certificates (Certificate Authority) are stored in Windows? I suppose it's in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\, at least on Win XP.
     
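As an added example (not code from the thread or from any product named in it), the kind of check the layered defence discussed above relies on: an audit that reads an exported copy of the Tcpip Interfaces key, the registry location where Windows stores each adapter's DNS servers, and flags any resolver outside an allowlist, which is exactly what a HIPS registry rule or an IP-specific firewall rule for DNS would be guarding. The .reg text, the interface GUIDs, the 203.0.113.x addresses and the allowlist are all constructed for the example.

```python
# Audit per-adapter DNS settings from a Windows registry export (.reg text)
# against an allowlist of resolvers. Hypothetical helper, not from the thread.
import re
from ipaddress import ip_address, ip_network

# Real key under which Windows keeps per-adapter NameServer / DhcpNameServer values.
INTERFACES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

# Constructed sample export: adapter {BBBB-2222} has been pointed at rogue resolvers.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAA-1111}]
"NameServer"="192.168.1.1"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BBBB-2222}]
"NameServer"="203.0.113.66,203.0.113.67"
"DhcpNameServer"="192.168.1.1"
"""

# Constructed allowlist: the LAN router plus one public resolver the owner trusts.
ALLOWED_RESOLVERS = [ip_network("192.168.1.0/24"), ip_network("9.9.9.9/32")]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"(NameServer|DhcpNameServer)"="([^"]*)"$')

def parse_interfaces(reg_text):
    """Return {interface_subkey: {value_name: [resolver, ...]}} from .reg text."""
    result, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:                                   # new [key] section
            current = None
            if m.group(1).startswith(INTERFACES_KEY + "\\"):
                current = m.group(1)[len(INTERFACES_KEY) + 1:]
                result.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            # Windows separates multiple resolvers with commas or spaces.
            result[current][m.group(1)] = [s for s in re.split(r"[,\s]+", m.group(2)) if s]
    return result

def find_rogue_resolvers(reg_text, allowed=ALLOWED_RESOLVERS):
    """List (interface, value_name, resolver) triples that fall outside the allowlist."""
    findings = []
    for iface, values in parse_interfaces(reg_text).items():
        for name, resolvers in values.items():
            for ip in resolvers:
                try:
                    ok = any(ip_address(ip) in net for net in allowed)
                except ValueError:              # unparsable value: treat as suspicious
                    ok = False
                if not ok:
                    findings.append((iface, name, ip))
    return findings
```

On a live machine the same check would be run against the output of `reg export` for that key; the parser is deliberately limited to the two DNS values so other value types in the export are ignored.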