Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 




      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FYI: Rogue Domain Name System Servers


Rogue Domain Name System Servers [reposted]
August 17th, 2007 by Trend Micro

Note that this entry was first posted last March 27, 2007.

We've received a very interesting write-up from our associates, Feike 
Hacquebord and Chenghuai Lu, regarding rogue DNS servers. I'm sure you'll find 
the report below quite informative.

Rogue DNS Servers

Researchers of Trend Micro have identified a network of more than 115 rogue DNS 
servers, which are used by DNS-changing Trojans. This article describes threats 
imposed by these rogue DNS servers.


Domain Name System servers resolve human readable domain names to IP addresses 
that are assigned to computer servers on the Internet. Normally, when an 
Internet user types a web address in the address bar of his Internet browser, 
www.google.com for example, a DNS server resolves that domain name to an IP 
address that is hosting the Google webpage. In this way, his computer knows 
where to fetch www.google.com. If a user mistypes the domain, e.g. 
wwe.google.com, the DNS server fails to resolve the domain and the user gets an 
error message.

Most Internet users automatically use the DNS servers of their ISP. 
DNS-changing Trojans silently modify computer settings to use foreign DNS 
servers. These DNS servers are set up by malicious third parties and translate 
certain domains to fallacious IP addresses. As a result, victims are redirected 
to possibly malicious websites without them noticing it. For example, if a user 
wants to view www.google.com, a rogue DNS server may resolve www.google.com to 
an IP address controlled by an unknown third party. If that third party creates 
pages that look exactly like those of Google, the user might think that he is 
browsing Google indeed, without noticing that he is actually visiting a website 
controlled by somebody else than Google. This may cause the user to leak 
sensitive information to third parties.

Network of 115+ rogue DNS servers

Researchers of Trend Micro have identified a network of more than 115 rogue DNS 
servers that are used by a certain variant of TROJ_DNSCHANG [1]. These DNS 
servers exhibit interesting behavior. We found that the DNS servers resolve 
most existing domains correctly at the times we queried them. However, for 
non-existing domain names, the rogue DNS servers do not return the usual error 
message but they instead resolve the domain name to a malicious IP address.

See Figure 1 for an example.

(1) The DNS query result on wwe.google.com from legitimate DNS server

(2) The DNS query result on wwe.google.com from a rogue DNS server

Figure 1. DNS queries on wwe.google.com

We entered "wwe.google.com" in the address bar of an Internet browser that is 
using one of the rogue DNS servers to resolve domain names. We found that 
instead of displaying the usual error message "page not found", it redirected 
us to a website that hosts a rogue adult search engine. See Figure 2.

Figure 2. Result of visiting a non-existent webpage before and after Trojan 

Another interesting thing we found is that the rogue DNS servers hijack some 
known bad domain names that hosted malware or C&C servers. For example, 
www.toolbarpartner.com is an old infamous bad domain of such kind, which is 
currently parked. The rogue DNS servers resolve www.toolbarpartner.com to 
different IP addresses than the authoritative nameservers do. See Figure 3.

Figure 3. DNS queries on www.toolbarpartner.com from infected hosts

Resolving bad domain names differently has the result that other malware, which 
might be present on the victim??????s computer, may work in another way than 
they were originally designed. In particular, a built-in update function that 
polls a website for updates of malware may now generate automated clicks on 
adult webpages (clickfraud) . In our example, attempts to fetch malware updates 
from www.toolbarpartner.com on a computer infected with the DNS-changing Trojan 
we are discussing in this article, result in clicks on adult webpages indeed.

Apparently, the rogue DNS servers are used for click-fraud. The fact that there 
are more than 115 rogue DNS servers that are all identical suggests that there 
are a lot of victims infected with this particular kind of DNS -changing 
malware. The infected computers together form a large network that can generate 
a lot of traffic to any website.

The rogue DNS servers include, but are not limited to these addresses:



 Copyright 2007 Trend Micro Inc. All rights reserved. Legal Notice


Copyright © Lexa Software, 1996-2009.