A Windows 98 & ME forum. Win98banter

RSS feed reader
  #71  
Old July 9th 12, 03:14 PM posted to microsoft.public.win98.gen_discussion
Lostgallifreyan
external usenet poster
 
Posts: 1,562
Default DNS-Changer malware RSS feed reader

98 Guy wrote in :

There was some malware circulating about a year ago that changed the DNS
settings in people's routers and on their computers so that the DNS
IP-address pointed to IP addresses controlled by hackers or
botnet-owners. The hackers operated their own DNS servers at those IP
addresses that performed god-knows-what in terms of messing up those
systems that connected to them during DNS queries.


That's it. I forgot that (not long awake yet). I guess with their own servers
all they had to do was change the DNS server reference in the remote machine.
Considering it's such a small but immensely powerful change, I'm surprised
this wasn't wildly exploited (and fixed) a decade ago, instead of appearing
as 'news' now..
  #72  
Old July 9th 12, 03:16 PM posted to microsoft.public.win98.gen_discussion
Lostgallifreyan
external usenet poster
 
Posts: 1,562
Default DNS-Changer malware RSS feed reader

98 Guy wrote in :

They became reluctant to turn off the surrogate servers after learning
that some of the compromised systems using them belonged to Fortune-500
companies as well as .gov and .mil domains, and that too many
"important" users would be disrupted by essentially having no working
DNS functionality if they took the surrogate servers off-line.


I bet that rabbit hole goes deeper too. People don't usually cling to a
situation like this unless they were somehow getting covert benefits out of
it themselves.
  #73  
Old July 9th 12, 03:19 PM posted to microsoft.public.win98.gen_discussion
Lostgallifreyan
external usenet poster
 
Posts: 1,562
Default RSS feed reader

Lostgallifreyan wrote in
:

X in iZotope


*sigh*... No W either apparently, as in: I don't think W98 applies.
  #74  
Old July 9th 12, 04:06 PM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default DNS-Changer malware RSS feed reader

Lostgallifreyan wrote:

I'm surprised this wasn't wildly exploited (and fixed) a decade
ago, instead of appearing as 'news' now..


You can't fix something like this.

If you have equipment that allows the user to change their machine's
DNS-server setting, then any malware that is sufficiently "smart" can
programmatically make the same change. All you need is a vulnerability
entry-point to allow the malware to get onto the system - and as we know
there have been hundreds if not thousands of vulnerabilities discovered
on all manner of electronic devices that have been leveraged over the
years to perform various malicious tasks...
  #75  
Old July 9th 12, 04:13 PM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default DNS-Changer malware RSS feed reader

Lostgallifreyan wrote:

too many "important" users would be disrupted by essentially
having no working DNS functionality if they took the surrogate
servers off-line.


I bet that rabbit hole goes deeper too. People don't usually
cling to a situation like this unless they were somehow getting
covert benefits out of it themselves.


Not sure what you mean by that.

The "white-hats" operating the surrogate servers are well known, and
they have no interest to do anything other than try to support the
affected systems as best they can.

There have been other situations in the past where white-hats have taken
control of C&C (command and control) servers and instructed them to send
commands to infected systems to "deactivate" or disable the malicious
software running on those systems.

Anyone running a white-hat operation that uses their position and their
equipment to steal information or to otherwise "harm" the systems
they're ostensibly trying to help would cause quite a stink and would be
immediately discoverable by the considerably-knowledgeable anti-malware
community.
  #76  
Old July 9th 12, 05:08 PM posted to microsoft.public.win98.gen_discussion
Lostgallifreyan
external usenet poster
 
Posts: 1,562
Default DNS-Changer malware RSS feed reader

98 Guy wrote in :

If you have equipment that allows the user to change their machine's
DNS-server setting, then any malware that is sufficiently "smart" can
programmatically make the same change.


True, but that means the OS could have shown the user what was there.
Anything can be hijacked once SOMEthing is hijacked, given coding ability for
it, but this is one of those things that may have worsened as a result of M$
patting users' heads and telling them not to worry, while hiding the core
details from them. The resulting lack of willing and easy vigilance is the
main reason people get exploited. Same logic as applies to window locks, most
burglaries apparently being made easy by poor vigilance and home security.

I have a couple of places where I can set a DNS reference. One secure method
immediately suggests itself if a router exists. Set the computer to always go
to the router's IP, then set the router to point to the external DNS servers.
That way the user only needs to know the DNS points to the router (though I
guess even that can be spoofed by malware), but so long as it works, the
attacker then has to hack the router, which is a lot harder to do.
  #77  
Old July 9th 12, 05:11 PM posted to microsoft.public.win98.gen_discussion
Lostgallifreyan
external usenet poster
 
Posts: 1,562
Default DNS-Changer malware RSS feed reader

98 Guy wrote in :

I bet that rabbit hole goes deeper too. People don't usually
cling to a situation like this unless they were somehow getting
covert benefits out of it themselves.


Not sure what you mean by that.


Nothing specific. It was more of a commentary on the nature of recent events,
like phone hacking and bank fraud and political complicity. In all these
cases, every inquiry seems to unearth yet more weird creatures under the
stones. Given that any life that gains power does so by exploiting unusual
situations effectively, I'm assuming that any persistently unusual situation
is maintained by something trying to live off it.
  #78  
Old July 9th 12, 05:14 PM posted to microsoft.public.win98.gen_discussion
Lostgallifreyan
external usenet poster
 
Posts: 1,562
Default DNS-Changer malware RSS feed reader

98 Guy wrote in :

Anyone running a white-hat operation that uses their position and their
equipment to steal information or to otherwise "harm" the systems
they're ostensibly trying to help would cause quite a stink and would be
immediately discoverable by the considerably-knowledgeable anti-malware
community.



True, though as with many complex dances of power, there have been effective
double agents. Life even at its most basic level uses mimicry as a device. I
would be surprised if the net wasn't emulating other things in life,
especially as living people are struggling to control it.
  #79  
Old July 9th 12, 06:07 PM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default DNS-Changer malware RSS feed reader

Lostgallifreyan wrote:

If you have equipment that allows the user to change their
machine's DNS-server setting, then any malware that is
sufficiently "smart" can programmatically make the same change.


True, but that means the OS could have shown the user what was
there.


Any OS that is constantly showing the user instances where changes were
being made, the OS would tie itself up in knots and the user would be
pulling out his hair.

In the case where the DNS change was made in the router, the OS would
have no direct knowledge of that.

Many routers are now performing DNS relaying. When they hand out DHCP
information, they don't explicitly tell the clients what the real DNS
server is. DNS relaying is a stupid, bone-head thing for a router to be
doing, but some jack-asses thought that's how routers should now
operate.

One secure method immediately suggests itself if a router exists.
Set the computer to always go to the router's IP, then set the
router to point to the external DNS servers.


That is DNS relaying, and it's just plain stupid.

Because unless you're always accessing your router's administrative
settings via http (and how many people do that) - then you'll never know
if some malware went in and changed the DNS settings in the router.

That way the user only needs to know the DNS points to the router


The vast, vast majority of people don't even know what a router is.

You're not thinking properly of the typical use-case situation here.
  #80  
Old July 9th 12, 06:20 PM posted to microsoft.public.win98.gen_discussion
Lostgallifreyan
external usenet poster
 
Posts: 1,562
Default DNS-Changer malware RSS feed reader

98 Guy wrote in :

Any OS that is constantly showing the user instances where changes were
being made, the OS would tie itself up in knots and the user would be
pulling out his hair.


It would only need to alert if some change were attempted. It could be part
of any AV, anti-trojan, etc. Its security would be no better or worse than
the host program. There are many small monitors in many systems, so the more
paranoid users could have a couple that did this, and so long as neither
shouted, and both agreed when examined, it would keep many users both safe
and happy.

It's a very small thing to watch, the overheads could be smaller than those
of an idle task scheduler.
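
The small DNS-setting monitor proposed in this post, together with the relay blind spot raised in the reply before it, sketched as an added example that is not part of the thread or written by either poster. It parses `ipconfig /all` text and compares the listed resolvers with a trusted baseline; the sample output is constructed, and the function names and finding labels are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""

def parse_dns_servers(text):
    """Return the DNS server addresses listed in ipconfig /all output."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+[0-9A-Fa-f:.%]+", line):
            servers.append(line.strip())  # continuation line: another resolver
        else:
            in_dns = False
    return servers

def audit(current, baseline):
    """Compare current resolvers with a trusted baseline; return findings."""
    findings = []
    for s in current:
        addr = ipaddress.ip_address(s.split("%")[0])
        if s not in baseline:
            findings.append(("CHANGED", s))   # resolver nobody approved
        elif addr.is_private:
            # Relay case from the thread: the host only sees the router, so
            # the router's own upstream DNS has to be checked separately.
            findings.append(("RELAY", s))
    for s in baseline:
        if s not in current:
            findings.append(("MISSING", s))   # approved resolver was removed
    return findings

if __name__ == "__main__":
    for kind, server in audit(parse_dns_servers(SAMPLE_IPCONFIG), ["192.168.1.1"]):
        print(kind, server)
```

A `RELAY` finding is not an alert by itself: it marks the case where a host-side check cannot vouch for the DNS servers the router forwards to.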
 




All times are GMT +1.