Threat Level: green Handler on Duty: Pasquale Stirparo

SANS ISC: InfoSec Handlers Diary Blog - New DNS modifying malcode InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

New DNS modifying malcode

Published: 2005-11-03
Last Updated: 2005-11-03 21:27:43 UTC
by Dan Goldberg (Version: 1)
0 comment(s)
Imagine a malware specimen that modifies your DNS server settings and then disappears. After which all DNS queries from your machine are now sent to a malicious DNS server instead of your chosen server. A DNS server that is under the control of someone who wants to steal something from you? That is exactly what was reported to us today by Dan Hubbard at Websense. A full report is available here.
It is likely that this is just the beginning. Today's target is paypal tomorrows could be anything.

Changing a hosts DNS server is more powerful and flexible than modifying its host file. It is possible for the "attacker" to then make any DNS entry they want and never have to visit the target host again, providing a central place to work on all the "attackers" compromised hosts.

One strategy to thwart this is to run internal DNS servers and limit outbound UDP port 53 traffic to only hosts  that need it and then only to trusted DNS server addresses such as you ISPs DNS servers (if you trust them).

Of course the executable that generates this is currenly being circulated by email supposedly from PayPal. I expect this to change soon and show up in copycat format on other emails and over web delivery also.

Dan Goldberg
MADJiC Consulting, Inc
dan at madjic dot net

Keywords:
0 comment(s)
Diary Archives