Fareit trojan pwns punters with devious DNS devilry

DNS tricks used by the Fareit trojan mean users are tricked into downloading malware, seemingly from Google or Facebook.

The latest variants of Fareit are infecting systems via malicious DNS servers, Finnish security firm F-Secure warns. These servers push bogus Flash updates that actually come packed with malicious code, as a …

  1. Richard Jones 1
    Happy

    Flash: Why Bother?

    I removed Flash from my computer a while back. OK, a few sites still want to use it to play their content, but I can live without their content and with constant Flash updates.

    Life is easier now.

    1. Lee D Silver badge

      Re: Flash: Why Bother?

      Never got the "remove Flash" fuss, because such a lot of stuff demands it in everyday use (and if you browse without Flash, Java, video plugins, etc. then the web is a boring and horrible place).

      But why people do NOT use the Click-To-Play functionality for all plugins, I've never worked out. Hell, it's been in Opera for YEARS and now virtually every other browser has caught up.

      Then if you don't click, the plugins can't load. If you need them, it's one click and ONLY the one you want will load. It doesn't get much simpler.

  2. Electron Shepherd
    WTF?

    A Web Site To Check Your Own DNS Settings?

    Can you really trust a web site to tell you that your DNS settings haven't been hijacked, when to get to that web site, you need to use those same DNS settings?

    If my DNS server settings have been changed to point to rogue servers, what's to stop the bad DNS servers pointing me to one of their own servers that then gives me an F-Secure look-alike page, telling me that my settings haven't been hijacked?

    It seems to me that it's direct IP address or nothing for something like this. A domain name simply can't be trusted to provide the truth.

    1. Lee D Silver badge

      Re: A Web Site To Check Your Own DNS Settings?

      Exactly.

      There's a few reasons why, when I deploy a web proxy in a workplace, it sits as a bridge and transparently proxies all web AND DNS to only its proxy server or a preferred DNS server.

      This way, such things cannot be messed with. Even if you change your client DNS or decide to use OpenDNS or WHATEVER you decide to do, web access (and, optionally, all DNS access) is automatically caught at the default gateway and redirected to a filter that makes sure it ONLY goes to the authorised server.

      I've had similar setups in several schools now. Doesn't matter what you do to your device to change the DNS servers you're trying to use, you end up using the ones I set and no others. Doesn't matter what tricks you try, if you go out on port 80 or 443 to ANYWHERE, I know about it, can record it, modify it (not without SSL noticing or trusted client certificates, of course), and block it.

      And this is just another reason for DNSSEC.

      You probably already have to do DNS proxy anyway if you're a commercial place with VLANs, so why not just ensure that all DNS is proxied only to your internal servers, and that your internal servers are only allowed DNS out from them to their chosen DNS servers.

      Seriously, you don't want to allow someone to forge DNS on your networks, especially if TLS etc. are dependent on DNS being authoritative. In my opinion, nowadays that's worse than a bucket of rogue DHCP servers... at least the tools to just block those from ever working are in every managed switch.

      1. Crazy Operations Guy
        Headmaster

        Re: A Web Site To Check Your Own DNS Settings?

        What do VLANs have to do with proxying DNS traffic? External DNS servers work just fine no matter how you have the network carved up, even with multiple layers of NAT, provided your machines can route out to a DNS server and there isn't a firewall in the way.

        If you mean setting up an intermediary DNS, that isn't the same thing as a proxy...

    2. Crazy Operations Guy

      Re: A Web Site To Check Your Own DNS Settings?

      And even then, you can't even trust those. It'd be trivial for someone to start advertising the AS number for F-Secure's IPs... assuming the upstream ISP allows BGP packets, but then an attacker would just have to infect a machine in the DMZ of a sufficiently large company or hosting provider. So long as that infected machine is closer (in router hops) than F-Secure, your packets would be heading to the attacker.

      They really need to fix BGP...

  3. Ben Tasker

    The latest variants of Fareit are infecting systems via malicious DNS servers, Finnish security firm F-Secure warns.

    These servers push bogus Flash updates that actually come packed with malicious code

    Now, that's not exactly true is it?

    The malicious DNS server is ensuring that your query for facebook.com resolves to a malicious webserver. The DNS server itself isn't pushing the bogus flash updates, that's the job of the malicious web server (which may or may not be the same physical box).

    The means of payload delivery has nothing to do with DNS, DNS is simply being used to get browsers to the server that worries about that delivery.

    What's happened to El Reg lately?

    1. Dan 55 Silver badge

      I have to say it's bordering on the Stephen Fry-esque. If they're going to do howlers like that, they'd better not get so high on their horse lecturing him on the difference between IP addresses and domains.
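Electron Shepherd's point above (a page reached through the suspect resolver cannot vouch for that resolver) and Ben Tasker's description of the mechanism (the rogue server rewrites the answer for names like facebook.com so the browser lands on an attacker's web server) both lead to the same local check, shown here as an added example that is not code from the article, from F-Secure, or from any commenter. It reads the client's resolver list and flags entries outside an expected set, then resolves a few high-value names through the configured resolver and through a resolver reached by IP address, reporting names whose answer sets do not overlap. The allowed-resolver list, the domain list, the resolv.conf text and every address are constructed (RFC 5737 documentation ranges); `dnspython_resolver` assumes the dnspython package and is only there for a live run, the offline demo never calls it.

```python
"""Local DNS-hijack check that does not rely on a web page reached through the
suspect resolver. Added example for this thread, not F-Secure's checker. All
resolver addresses, domains and answers below are constructed."""
import ipaddress
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]          # name -> list of A records

# Assumed policy: only these resolvers may appear in the client's config.
ALLOWED_NAMESERVERS = [
    ipaddress.ip_network("192.168.1.1/32"),    # constructed: local gateway
    ipaddress.ip_network("198.51.100.53/32"),  # constructed: trusted resolver IP
]

# Names an attacker rewriting answers would most likely target (assumed list).
SENSITIVE_DOMAINS = ["facebook.com", "www.google.com", "www.f-secure.com"]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_nameservers(servers: List[str],
                           allowed=ALLOWED_NAMESERVERS) -> List[str]:
    """Entries outside every allowed network; unparsable entries are reported too."""
    bad = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)
            continue
        if not any(ip in net for net in allowed):
            bad.append(s)
    return bad


def compare_resolutions(domains: List[str], configured: Resolver,
                        trusted: Resolver) -> Dict[str, Tuple[List[str], List[str]]]:
    """Resolve each name via the client's configured resolver and via a resolver
    reached by IP, and report names whose answer sets share no address at all.
    Disjointness rather than inequality is the test: CDN-backed names legitimately
    return different subsets on each query."""
    mismatches = {}
    for name in domains:
        a, b = set(configured(name)), set(trusted(name))
        if a and b and a.isdisjoint(b):
            mismatches[name] = (sorted(a), sorted(b))
    return mismatches


def dict_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for a resolver, backed by a constructed answer table."""
    return lambda name: list(table.get(name, []))


def dnspython_resolver(server_ip: str) -> Resolver:
    """Live resolver pinned to one server by IP (assumes the dnspython package).
    Not used by the offline demo below."""
    import dns.resolver  # type: ignore
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [server_ip]
    return lambda name: [rr.to_text() for rr in r.resolve(name, "A")]


# --- constructed sample data for an offline run ---
SAMPLE_RESOLV_CONF = """# constructed sample, e.g. handed out by a tampered router over DHCP
nameserver 192.168.1.1
nameserver 203.0.113.53
"""
# The rogue resolver rewrites two popular names to its own web server and
# answers the rest honestly so the change is not obvious (constructed data).
ROGUE_ANSWERS = {
    "facebook.com":     ["203.0.113.80"],
    "www.google.com":   ["203.0.113.80"],
    "www.f-secure.com": ["198.51.100.10"],
}
TRUSTED_ANSWERS = {
    "facebook.com":     ["198.51.100.20", "198.51.100.21"],
    "www.google.com":   ["198.51.100.30"],
    "www.f-secure.com": ["198.51.100.10"],
}


def hijack_report(resolv_conf: str = SAMPLE_RESOLV_CONF,
                  configured: Resolver = dict_resolver(ROGUE_ANSWERS),
                  trusted: Resolver = dict_resolver(TRUSTED_ANSWERS)) -> dict:
    """Run both checks and return one result dict."""
    servers = parse_resolv_conf(resolv_conf)
    return {
        "nameservers": servers,
        "unexpected_nameservers": unexpected_nameservers(servers),
        "redirected": compare_resolutions(SENSITIVE_DOMAINS, configured, trusted),
    }


if __name__ == "__main__":
    for key, value in hijack_report().items():
        print(f"{key}: {value}")
```

Run as a script it prints the report for the constructed data; for a live check, read the real resolv.conf and swap `dict_resolver(...)` for `dnspython_resolver("<trusted resolver IP>")`. The per-name comparison is what catches the selective rewrite Ben Tasker describes, where most names resolve honestly and only a few are redirected. What it cannot see is the case Crazy Operations Guy raises: if the trusted resolver's own prefix is hijacked in BGP, querying it by IP address no longer helps, and only DNSSEC validation or a signed transport to a known server closes that gap.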

  4. x 7

    But this is nothing new. It's been around for years. Why the sudden interest now?

    It's a well-known technique, often found on porn sites.

  5. Elmer Phud

    Flash -- AAARRGH

    Why should anyone just blindly do a 'Flash Update' from FaceBook or anywhere else that isn't the Flash site?

    It's not exactly difficult to do a check from the browser itself rather than the 'bloke down the pub's mates' dog says . . .' method.

  6. BlackPhi

    F-Secure DNS Check

    Another link for the DNS checker program is https://www.f-secure.com/en/web/labs_global/dns-check.

    This has, for me, two advantages over the one in the article: firstly it is explicitly on the F-Secure domain; and secondly the F-Secure certificate is owned by F-Secure and verified by Verizon, whereas the ismydnshijacked.com certificate is owned anonymously and verified by GoDaddy. It's a comfort thing.

    I actually had a customer whose router had been hacked to do just this last year. Fortunately it was done crudely so it was easy to spot, but a tool which checks subtler hijacks looks like a useful addition to the toolbox.

  7. Baldy50

    Back again is fareit, in FedEx emails it is, attachment on shipping notice,undelivered items you have, click you must not.

    Many Boffins died to bring you this information.
