New DNS trojan taints entire LAN from single box

Airbot

----------------------
VIP
SF Team
Local time
11:18 AM
Messages
18,396
Internet security experts are warning of a new rash of malware attacks that can hijack the security settings of a wide variety of devices on a local area network, even when they are hardened or don't run on Windows operating systems.

Once activated, the trojan sets up a rogue DHCP, or dynamic host configuration protocol, server on the host machine. From there, other devices using the same LAN are tricked into using a malicious domain name system server, instead of the one set up by the network administrator. The rogue DNS server sends the devices to fraudulent websites that in many cases can be hard to identify as impostors.
More: The Register
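The article above describes the mechanism (a rogue DHCP server on one infected box hands every other client a malicious DNS server via the DHCP DNS option) but not how a network defender would spot it. Below is an added example, written for this thread and not taken from The Register's article or from the malware analysis it reports on. It parses the options field of a DHCP message in its RFC 2132 layout and flags OFFER/ACK messages whose server identifier (option 54) or DNS server list (option 6) is not on the administrator's allow-list. The two packets are constructed samples, and the addresses 192.0.2.x and 203.0.113.x are documentation ranges, not addresses from the thread.

```python
"""Flag DHCP OFFER/ACK messages that push unexpected DNS resolvers.

Added example, not code from the forum thread or the article it quotes.
The DHCP payloads are constructed in build_sample(); in practice the bytes
would come from a packet capture on UDP port 68 (client side) or a network
tap. Addresses are from the RFC 5737 documentation ranges (assumption).
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte header
OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVERS = 6                  # list of IPv4 resolvers, 4 bytes each
OPT_MESSAGE_TYPE = 53                # 1 = DISCOVER, 2 = OFFER, 5 = ACK, ...
OPT_SERVER_ID = 54                   # IPv4 address of the answering DHCP server
MSG_DISCOVER, MSG_OFFER, MSG_ACK = 1, 2, 5


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP payload.

    The fixed header (op .. file) is 236 bytes, then the magic cookie, then
    TLV options terminated by option 255. Truncated options raise ValueError
    rather than being silently accepted.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ipv4_list(raw: bytes) -> list:
    """Decode a concatenated list of 4-byte IPv4 addresses."""
    if len(raw) % 4:
        raise ValueError("IPv4 list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[j : j + 4])) for j in range(0, len(raw), 4)]


def check_offer(payload: bytes, allowed_servers: set, allowed_dns: set) -> list:
    """Return a list of findings; empty means the message matches the allow-list.

    Only OFFER and ACK are inspected, since those are the messages in which a
    server pushes configuration to the client. Anything else (e.g. a client's
    DISCOVER) is ignored.
    """
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MESSAGE_TYPE, b"") not in (bytes([MSG_OFFER]), bytes([MSG_ACK])):
        return []
    findings = []
    server = ipv4_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    if server not in allowed_servers:
        findings.append(f"unexpected DHCP server identifier {server}")
    for dns in ipv4_list(opts.get(OPT_DNS_SERVERS, b"")):
        if dns not in allowed_dns:
            findings.append(f"unexpected DNS server {dns} pushed by {server}")
    return findings


def build_sample(msg_type: int, server_id: str, dns_servers: list) -> bytes:
    """Construct a minimal DHCP payload for testing (header fields zeroed)."""
    header = bytes(236)
    opts = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS_SERVERS, len(dns_raw)]) + dns_raw
    opts += bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


# Constructed allow-list: the one DHCP server the admin runs, which is also the resolver.
ALLOWED_SERVERS = {"192.0.2.1"}
ALLOWED_DNS = {"192.0.2.1"}


def demo() -> dict:
    """Run the check over a legitimate offer and a rogue one; returns both result lists."""
    legit = build_sample(MSG_OFFER, "192.0.2.1", ["192.0.2.1"])
    rogue = build_sample(MSG_OFFER, "192.0.2.57", ["203.0.113.9"])  # infected LAN host
    return {
        "legit": check_offer(legit, ALLOWED_SERVERS, ALLOWED_DNS),
        "rogue": check_offer(rogue, ALLOWED_SERVERS, ALLOWED_DNS),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```

Run against live traffic this is the core of a rogue-DHCP monitor: feed it the payload of every UDP packet from port 67 seen on the segment, and any finding means a second server is answering clients. The same parser also covers the later point in the thread about manually assigned resolver addresses only indirectly; a host whose DNS was changed locally never sees a DHCP option at all, so that case needs a check of the interface configuration rather than of packets.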
 

This can be prevented with ample security. No bruteforcer is going to get into my router. My hosts file is read only, and really, what are they going to do if they are able to change my DNS?
 

> This can be prevented with ample security. No bruteforcer is going to get into my router. My hosts file is read only, and really, what are they going to do if they are able to change my DNS?
A DNS changer 'hijack' will send you to their chosen server ... the computer will then be infected with malware (Bots come to mind here); possibly helping themselves to passwords and critical information on the infected machine. It's not uncommon at all anymore :(
 

> This can be prevented with ample security. No bruteforcer is going to get into my router. My hosts file is read only, and really, what are they going to do if they are able to change my DNS?

Well, imagine you type e.g. google.com in the address bar, and instead, it opens 888.com or other malware infecting websites...Even worse, without you knowing, it could just change the DNS to some hidden adv frames and instead of advertisements on the MSN messenger pane, you would have some very nice malicious files saved and doing their nasty job on your machine, probably Bots like Jacee said...

This can be done by assigning you DNS servers which have wrong Name Resolutions.

Although I doubt setting up a whole DHCP server would pass unnoticed...

I had a client's laptop last week with manually assigned DNS entries from malware... pointing to some 83...87..IP address don't remember exactly.
 

Most likely 85.255.xxx.xx something like that limneos?

Yep.... bad, bad stuff and it isn't getting better.

Sometimes I just want to say, "wipe it all and do a clean install".
 
