From: John Navas on 5 Dec 2008 19:34

<http://www.theregister.co.uk/2008/12/05/new_dnschanger_hijacks/>

Researchers have identified a new trojan that can tamper with a wide
array of devices on a local network, an exploit that sends them to
impostor websites EVEN IF THEY ARE HARDENED MACHINES THAT ARE FULLY
PATCHED OR RUN NON-WINDOWS OPERATING SYSTEMS. [emphasis added]

[MORE]

From: Lloyd E. Sponenburgh on 5 Dec 2008 20:45

John Navas <spamfilter1(a)navasgroup.com> fired this volley in
news:61ijj4t7o7armjspdfkocj87dgr0p7lai9(a)4ax.com:

> http://www.theregister.co.uk/2008/12/05/new_dnschanger_hijacks/

John, how reliable and accurate is that account?

We live behind a firewall appliance, but I wonder what vulnerability we
might still have?

LLoyd

From: Froggie the Gremlin on 5 Dec 2008 21:25

On Fri, 05 Dec 2008 19:45:19 -0600, "Lloyd E. Sponenburgh"
<lloydspinsidemindspring.com> wrote:

>John Navas <spamfilter1(a)navasgroup.com> fired this volley in
>news:61ijj4t7o7armjspdfkocj87dgr0p7lai9(a)4ax.com:
>
>> http://www.theregister.co.uk/2008/12/05/new_dnschanger_hijacks/
>
>John, how reliable and accurate is that account?
>
>We live behind a firewall appliance, but I wonder what vulnerability we
>might still have?

It's a simple ruse, once any machine on the LAN gets infected (the same
way any machine can get infected with any trojan). That machine, in
essence, becomes the DHCP handout device, assuming that DHCP is used on
the LAN rather than hardcoding the IPs. During the handout, if the
"client" is configured to get everything (DNS hosts, etc.) from that
transaction, they then receive the bogus DNS servers, which in the end
supply bogus IPs for the hosts you're looking for.

If the "clients" have hardcoded DNS server IPs, then all should work
fine, even if the infected machine is handing out the LAN IP
addresses... they do have to be within the LAN routing area.

---<ribbit>

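Added example (not part of the original thread and not any poster's code): a Python check for the rogue-DHCP behaviour described in the post above. It parses a DHCP OFFER/ACK payload and flags replies whose server identifier (option 54) or DNS servers (option 6) are not on an allow-list; the function names, addresses and sample packets are constructed for illustration.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie (RFC 2131)
OFFER, ACK = 2, 5                    # DHCP message types that carry a lease

def parse_options(payload):
    """Return {option_code: bytes} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_reply(payload, allowed_servers, allowed_dns):
    """Return a list of findings for one DHCP OFFER/ACK; empty means clean."""
    opts = parse_options(payload)
    mtype = opts.get(53) or b"\x00"
    if mtype[0] not in (OFFER, ACK):
        return []                    # client-side messages are not audited
    findings = []
    sid = opts.get(54, b"")
    server = socket.inet_ntoa(sid) if len(sid) == 4 else "unknown"
    if server not in allowed_servers:
        findings.append(f"reply from unauthorized DHCP server {server}")
    dns_raw = opts.get(6, b"")
    for j in range(0, len(dns_raw) - 3, 4):   # option 6 is a list of IPv4 addresses
        dns = socket.inet_ntoa(dns_raw[j:j + 4])
        if dns not in allowed_dns:
            findings.append(f"unexpected DNS server {dns} offered by {server}")
    return findings

def build_reply(msg_type, server, dns_list):
    """Constructed sample packet: zeroed BOOTP header plus three options."""
    dns = b"".join(socket.inet_aton(d) for d in dns_list)
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server)
    opts += bytes([6, len(dns)]) + dns + b"\xff"
    return b"\x02" + b"\x00" * 235 + MAGIC + opts
```

In practice the payloads would come from a capture of UDP port 67/68 traffic on the LAN.
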
From: John Navas on 5 Dec 2008 21:37

On Fri, 05 Dec 2008 19:45:19 -0600, "Lloyd E. Sponenburgh"
<lloydspinsidemindspring.com> wrote in
<Xns9B6BD326634D2lloydspmindspringcom(a)216.168.3.70>:

>John Navas <spamfilter1(a)navasgroup.com> fired this volley in
>news:61ijj4t7o7armjspdfkocj87dgr0p7lai9(a)4ax.com:
>
>> http://www.theregister.co.uk/2008/12/05/new_dnschanger_hijacks/
>
>John, how reliable and accurate is that account?

It is both reliable and accurate. Likewise real. See
<http://www.avertlabs.com/research/blog/index.php/2008/12/04/dnschanger-trojans-v40/>
<http://isc.sans.org/diary.html?storyid=5434>

>We live behind a firewall appliance, but I wonder what vulnerability we
>might still have?

That's a good thing, but you are still vulnerable. The attack can be
injected from behind your firewall if one of your machines is
compromised, which can happen even with a firewall; e.g., through a
browser vulnerability or email malware.

--
Best regards,
John Navas

FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

From: Bill Kearney on 6 Dec 2008 07:43

>>We live behind a firewall appliance, but I wonder what vulnerability we
>>might still have?

If your firewall is properly configured it blocks outgoing DNS requests
from anything other than your internal DNS servers.

DNS hijacking has been a risk for as long as DNS has existed. If you're
serious about security you're already on top of this. Sadly, many sites
are not serious enough about it.