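-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A couple of colleagues (Feike Hacquebord and Chenghuai Lu) did this research and published this report.

[snip]

Researchers of Trend Micro have identified a network of more than 115 rogue DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS servers exhibit interesting behavior. We found that the DNS servers resolve most existing domains correctly at the times we queried them. However, for non-existing domain names, the rogue DNS servers do not return the usual error message but they instead resolve the domain name to a malicious IP address.

[snip]

More detail:
http://tmirt.trendmicro.com.ph/blog/2007/03/rogue_dns_servers.html

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFGCwtDq1pz9mNUZTMRAptdAKCvptaczL4/eAZj98b2+41Kq+5I9wCgu5bj
HaxeEF9q8c44eD+VvDoTr6E=
=42GU
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.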
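An added example, not part of the original post or the Trend Micro report: one way to check whether the resolver a host is configured with shows the behaviour quoted above, by asking it for a name that cannot exist and seeing whether it answers NXDOMAIN or hands back an address. The function names, the probe name under the reserved `.invalid` TLD, and the two sample replies (constructed, using the documentation address 192.0.2.66) are assumptions of this example.

```python
import secrets, socket, struct

def build_query(name, txid):
    """Encode a recursive A/IN query for `name` as a DNS wire-format packet."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] else 1)   # pointer is 2 bytes, root label is 1

def classify(pkt):
    """Return (verdict, [A-record IPs]) for a reply to a probe of a name that cannot exist."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, ips = 12, []
    for _ in range(qd):                   # skip the echoed question section
        off = _skip_name(pkt, off) + 4
    for _ in range(an):                   # collect A records from the answer section
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off + 10:off + 14]))
        off += 10 + rdlen
    rcode = flags & 0x000F
    if rcode == 3 and not ips:
        return "nxdomain", ips            # the usual error for a missing name
    if rcode == 0 and ips:
        return "rewritten", ips           # missing name resolved to an address
    return "inconclusive", ips

def probe(resolver_ip, timeout=3.0):
    """Query resolver_ip for a random name under .invalid (reserved, never delegated)."""
    name, txid = secrets.token_hex(8) + ".invalid", secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != struct.pack("!H", txid):
        return "inconclusive", []
    return classify(reply)

# Constructed sample replies (not captured traffic) to the same probe question.
_Q = build_query("probe-7f3a.invalid", 0x1234)
HONEST = _Q[:2] + struct.pack("!H", 0x8183) + _Q[4:]             # rcode 3, no answers
ROGUE = (_Q[:2] + struct.pack("!HHH", 0x8180, 1, 1) + _Q[8:] + b"\xc0\x0c"
         + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.66"))
```

`probe()` needs network access to the resolver under test. A "rewritten" verdict only shows that NXDOMAIN is being replaced with an answer, so the returned addresses still have to be checked before drawing conclusions about the resolver.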
[snip] Researchers of Trend Micro have identified a network of more than 115 rogue DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS servers exhibit interesting behavior. We found that the DNS servers resolve most existing domains correctly at the times we queried them. However, for non-existing domain names, the rogue DNS servers do not return the usual error message but they instead resolve the domain name to a malicious IP address. [snip] More detail: http://tmirt.trendmicro.com.ph/blog/2007/03/rogue_dns_servers.html - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003) wj8DBQFGCwtDq1pz9mNUZTMRAptdAKCvptaczL4/eAZj98b2+41Kq+5I9wCgu5bj HaxeEF9q8c44eD+VvDoTr6E= =42GU -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.