DNSChanger: One Infection, Lots Of Problems
Tuesday December 16, 2008 at 2:03 pm CST
Posted by Micha Pekrul
The infamous DNSChanger family came back into focus earlier this month, because its latest variant can inject DHCP “Offer” packets containing rogue DNS server IP addresses into network traffic. A single infected computer in a network can therefore put every other host that uses DHCP at risk. In this blog entry we want to outline the risk such network changes pose.
Rogue DNSChanger servers can typically be found in the 85.255.112.0/20 range of “UkrTeleGroup”, formerly known as “Inhoster”. The oldest malware description in the McAfee Threat Library using these suspicious DNS servers dates back to 2005 (see DNSChanger.a for more information). Scanning the whole range reveals more than 400 running DNS server instances at the moment; that is, ten percent of the whole IP range consists of nothing other than DNS servers. The whole network is believed to be even bigger, but not all servers in this range are answering DNS requests at the moment.
A very serious issue for computers using these rogue DNS servers located in Ukraine is that they resolve a number of security-related domains differently than a benign DNS server would. For example, DNSChanger-affected computers can still access and surf ‘www.microsoft.com’ without any changes, but are not able to download the latest updates from ‘download.microsoft.com’.

The 400+ DNS servers resolve that domain name to ‘127.0.0.1’, which means the computer tries to download the patches from the “localhost” address: the bad guys have successfully blocked access to important updates. Other security-related domains, including ‘download.mcafee.com’, are blocked as well, as shown in the following screenshot:

The behavior is entirely controlled by the attackers’ DNS servers. These could just as well redirect existing domain names to servers hosting crafted content (phishing) or to servers dynamically modifying real content. Once your DNS settings are under someone else’s control, the possibilities for abuse are unlimited. The criminals controlling these servers could also limit their attacks to particular regions or do their business from “dusk till dawn” to stay under the radar.
The good folks at the “Internet Storm Center” have suggested blocking, or at least monitoring, the entire range several times, starting in early 2006, because of the bad stuff coming out of this address space. If you are a home or small business user and don’t want any traffic routed into this Ukraine-based network, you can simply block access at the router level, as shown in the screenshot below. Many popular “Small Office / Home Office” devices offer such an ACL (Access Control List) feature.

Enterprise customers should force all clients within their network to use only the default DNS server(s) and block access to untrusted servers at the gateway level, to ensure that no outside party controls your DNS. Internet Service Providers could also mitigate the risk for their customers by dropping connections to these rogue DNS servers and additionally forcing their customers to use only the ISP’s own DNS servers.
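As an added example that is not part of the original post, the following script shows two checks a defender can automate: flagging DNS servers handed out in a DHCP Offer (option 6) that fall inside the 85.255.112.0/20 range, and flagging update domains that a resolver answers with a loopback address. The Offer option bytes, the 192.168.1.1 LAN resolver and the 198.51.100.10 answer are constructed sample values.

```python
import ipaddress

# Range named in the post; any DNS server handed out from it is treated as rogue.
ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/20")]
DHCP_MAGIC = b"\x63\x82\x53\x63"          # cookie that opens the DHCP option area
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 6, 53, 255
DHCP_OFFER = 2                            # option 53 value for an OFFER

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area that follows the 236-byte fixed DHCP header."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:               # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def rogue_dns_in_offer(payload: bytes) -> list:
    """Return DNS servers (option 6) in an OFFER that fall inside a rogue range."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return []                         # only OFFERs carry the injected resolvers
    raw = opts.get(OPT_DNS, b"")
    servers = [ipaddress.ip_address(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]
    return [str(s) for s in servers if any(s in net for net in ROGUE_NETS)]

def blocked_by_resolver(answers: dict) -> list:
    """Flag public update hosts that a resolver answers with a loopback address."""
    return [name for name, ip in answers.items()
            if ipaddress.ip_address(ip).is_loopback]

# Constructed sample OFFER option bytes: type=OFFER, then two DNS servers
# (85.255.112.1 inside the rogue range, 192.168.1.1 as the benign LAN resolver).
SAMPLE_OFFER = (DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
                + bytes([OPT_DNS, 8, 85, 255, 112, 1, 192, 168, 1, 1])
                + bytes([OPT_END]))
# Constructed resolver answers; 198.51.100.10 is a documentation-range stand-in.
SAMPLE_ANSWERS = {"download.microsoft.com": "127.0.0.1",
                  "www.microsoft.com": "198.51.100.10"}
```

Fed with option bytes from a packet capture and with answers from the resolver a client actually uses, the two functions give a quick test for the DHCP injection and the blocked update domains described above.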

December 22nd, 2008 at 17:39
[...] DNSChanger: One Infection, Lots Of Problems http://www.avertlabs.com/research/blog/index.php/2008/12/16/dnschanger-one-infection-lots-of-problem... [...]
December 23rd, 2008 at 10:17
[...] DHCP servers http://isc.sans.org/diary.php?storyid=5434 DNSChanger: One Infection, Lots Of Problems http://www.avertlabs.com/research/blog/index.php/2008/12/16/dnschanger-one-infection-lots-of-problem... [...]
February 1st, 2009 at 10:41
[...] according to a McAfee report from December 2008, more than 400 DNS servers were found in the network range of UkrTeleGroup. That means that more than 10% of the complete IP range [...]
February 17th, 2009 at 16:28
I want to know about microsoft