Where's the instructions for a Linux box?
World's stealthiest rootkit pushes DNS hijacking trojan
One of the world's most advanced pieces of malware is being used to spread DNS Changer, a trojan at the heart of a massive click fraud scheme that has already hijacked 4 million PCs, security researchers said. Just a few days after federal prosecutors in the US shuttered the international conspiracy, researchers from Dell …
-
Tuesday 15th November 2011 00:06 GMT Anonymous Coward
What I find funny is that apparently security update MS10-015 caused PCs infected with this rootkit (earlier version) to crash, so Microsoft changed the update so it wouldn't install on infected machines. The rootkit author then updated his software to fix the bug that MS10-015 exposed and everybody was happy again.
It just goes to show that Microsoft can work with 3rd-party developers to improve the user's experience.
-
Tuesday 15th November 2011 06:46 GMT Anonymous Coward
Why is the author mentioning the Mac OS X infection here?
In all honesty, I tried to find a serious virus analysis specific to non-Windows computers and I couldn't find one. In case OS X is vulnerable, I'm just curious to learn a few things about the mechanisms the virus uses because I strongly doubt injecting Windows 64-bit drivers would work on an Apple machine.
I would appreciate if someone could point me to such info.
-
Tuesday 15th November 2011 11:54 GMT Tchou
Enjoy
What about OSX security issues? Its drivers, system files, font types, and all are just as targetable as anything else.
Some of Apple's products' security issues are listed here (1466 vulnerabilities):
http://secunia.com/advisories/search/?search=Apple
And Microsoft ones are here (1313 vulnerabilities):
http://secunia.com/advisories/search/?search=Microsoft
No big number difference, as you can see...
-
Tuesday 15th November 2011 11:54 GMT Pete 39
Update Coming
I wouldn't rely on IPCONFIG /all for too much longer. The rootkit could be updated to catch all calls for the DNS settings, and then to return the values that were there before it changed the ones the TCP/IP stack uses.
It might be necessary to watch the actual traffic on the 'wire'.
Even then if a local but hidden host table has been modified you wouldn't know.
-
Tuesday 15th November 2011 21:02 GMT Crazy Operations Guy
A firewall solution
At work I set up a firewall to block outgoing DNS connections from everything except the two corporate DNS boxes, and even then blocked the mentioned IP address ranges for the DNS servers. Of course, this isn't really necessary, as the DNS servers just use root hints and thus only contact the authoritative DNS servers for domains.
Immediately afterwards, we got calls about being unable to connect to the internet and found that a bunch of OS X boxes in the marketing department were infected and traced it to some stupid game they were trying to play.
Amazing what a couple of Pentium 4 boxes with firewall software can do, OpenBSD FTW.
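Both Pete 39's point (the host's own `IPCONFIG /all` output can't be trusted once a rootkit sits between you and the TCP/IP stack, so watch the wire) and Crazy Operations Guy's firewall approach (only the corporate resolvers may speak DNS outbound) come down to the same check: compare who is actually sending port-53 traffic, and to where, against the resolvers you approve of. The script below is an added example, not code from the article or any commenter; the resolver addresses, flow records and per-host reported settings are all constructed, and the "blocked ranges" are a placeholder for whatever netblocks you decide to deny.

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Resolvers the organisation runs (hypothetical addresses, constructed here).
APPROVED = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}

# Constructed UDP flow records as a perimeter firewall might log them:
# (client, destination, destination port). All addresses are made up.
SAMPLE_FLOWS = [
    ("10.0.5.21", "10.0.0.53", 53),
    ("10.0.5.42", "203.0.113.7", 53),    # never touches the corporate resolvers
    ("10.0.5.42", "203.0.113.7", 53),
    ("10.0.5.77", "10.0.1.53", 53),
    ("10.0.5.77", "198.51.100.9", 53),   # mixes approved and unapproved servers
    ("10.0.5.90", "10.0.0.53", 443),     # not DNS, ignored
]

# What each client claims as its resolver (e.g. from ipconfig /all); constructed.
REPORTED = {"10.0.5.21": "10.0.0.53", "10.0.5.42": "10.0.0.53", "10.0.5.77": "10.0.1.53"}

def rogue_dns_clients(flows, approved=APPROVED, blocked_ranges=()):
    """Map each client to the set of unapproved DNS servers it queried.
    Only port-53 flows count; blocked_ranges (CIDR strings) additionally
    tags destinations inside netblocks you have chosen to deny outright."""
    blocked = [ip_network(r) for r in blocked_ranges]
    findings = defaultdict(set)
    for client, dst, port in flows:
        if port != 53:
            continue
        server = ip_address(dst)
        if server in approved:
            continue
        tag = "blocked-range" if any(server in n for n in blocked) else "unapproved"
        findings[client].add((str(server), tag))
    return dict(findings)

def config_mismatches(reported, flows):
    """Clients whose reported resolver never shows up in their observed DNS
    traffic: the on-host view and the wire disagree, so the host cannot be
    trusted to describe its own DNS settings."""
    seen = defaultdict(set)
    for client, dst, port in flows:
        if port == 53:
            seen[client].add(dst)
    return sorted(c for c, r in reported.items() if r not in seen.get(c, set()))

if __name__ == "__main__":
    print(rogue_dns_clients(SAMPLE_FLOWS, blocked_ranges=["203.0.113.0/24"]))
    print(config_mismatches(REPORTED, SAMPLE_FLOWS))
```

Feed it real flow exports (NetFlow, pf logs) and your real resolver list; any host in the second list is one where the on-box configuration view is lying, which is exactly the case Pete 39 warns about.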
-
Monday 28th November 2011 19:02 GMT Anonymous Coward
>"the IP numbers that correspond to domain names"
Just to be technically accurate about it, there aren't any IP numbers corresponding to domain names; they correspond to the names of individual hosts within those domains - some of which may by design have names that match the domains, but that's not necessarily the case, and the IP address still doesn't refer to the domain itself.
(Pedantic Dickweedery™ is a trademark of TDWTF.)