Re: [funsec] Rogue DNS Servers

2007-03-28 Thread Jeff Kell

Fergie wrote:

> Researchers of Trend Micro have identified a network of more than 115 rogue
> DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS
> servers exhibit interesting behavior.

I get timeouts trying to reference the URL, so I can't get the 
details... but...


If you're talking about the Inhoster hooks, this has been going on for 
months.  DNS clients are hijacked to point to various servers in 
85.255.112.0/20.


Recently (last 48 hours) I've seen enduser queries out of our block 
(excluding our internal recursive servers) directed toward...


 < Dst IP address >      < Total # >
   85.255.112.116        1420
   85.255.112.1833
   85.255.116.53         1940
   85.255.116.1683



I don't see any other "out of the ordinary" outbound DNS, at least not 
clustered.

Jeff
___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
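The check Jeff describes above, end-user hosts inside the local block sending DNS queries directly to outside servers instead of the internal recursive resolvers, aggregated by destination, as an added example that is not code from the thread. The flow records, the local netblock 192.0.2.0/24 and the resolver addresses 192.0.2.53 / 192.0.2.54 are constructed and hypothetical; the 85.255.112.0/20 range is the one named in the thread.

```python
"""Spot end-user hosts that send DNS queries straight to outside resolvers.

Added example, not from the funsec thread. The flow records below are
constructed; the local netblock and the internal recursive resolvers are
hypothetical. 85.255.112.0/20 is the range named by Jeff Kell.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")          # hypothetical campus block
INTERNAL_RESOLVERS = {ip_address("192.0.2.53"),  # hypothetical sanctioned
                      ip_address("192.0.2.54")}  # recursive resolvers
KNOWN_ROGUE = ip_network("85.255.112.0/20")     # range named in the thread

# Constructed flow records: (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.53", 53),       # normal: uses internal resolver
    ("192.0.2.11", "192.0.2.54", 53),
    ("192.0.2.53", "198.51.100.7", 53),     # our resolver recursing: expected
    ("192.0.2.20", "85.255.112.116", 53),   # client bypassing our resolvers
    ("192.0.2.20", "85.255.112.116", 53),
    ("192.0.2.21", "85.255.116.53", 53),
    ("192.0.2.22", "203.0.113.9", 53),      # external resolver, not in the range
    ("192.0.2.23", "203.0.113.80", 80),     # not DNS at all
    ("198.51.100.1", "192.0.2.53", 53),     # inbound query, not one of ours
]


def direct_external_dns(flows):
    """Count DNS flows per destination that come from local hosts other than
    the internal resolvers and leave LOCAL_NET (the pattern in the thread)."""
    counts = Counter()
    for src, dst, dport in flows:
        if dport != 53:
            continue
        s, d = ip_address(src), ip_address(dst)
        if s not in LOCAL_NET or s in INTERNAL_RESOLVERS:
            continue            # not an end-user host of ours
        if d in LOCAL_NET:
            continue            # talking to our own resolvers is fine
        counts[str(d)] += 1
    return counts


def report(flows):
    """Rows like the thread's table (dst, total), tagging the known range."""
    rows = []
    for dst, total in direct_external_dns(flows).most_common():
        flag = "KNOWN ROGUE RANGE" if ip_address(dst) in KNOWN_ROGUE else ""
        rows.append((dst, total, flag))
    return rows


def hosts_using_known_rogue(flows):
    """Local source addresses whose DNS went to KNOWN_ROGUE: the machines
    whose resolver settings need checking."""
    hosts = set()
    for src, dst, dport in flows:
        if dport == 53 and ip_address(src) in LOCAL_NET \
                and ip_address(dst) in KNOWN_ROGUE:
            hosts.add(src)
    return hosts


if __name__ == "__main__":
    print(f"{'Dst IP address':<18}{'Total #':>8}")
    for dst, total, flag in report(SAMPLE_FLOWS):
        print(f"{dst:<18}{total:>8}  {flag}")
    print("hosts to check:", sorted(hosts_using_known_rogue(SAMPLE_FLOWS)))
```

On real data the input would be NetFlow or firewall logs for UDP/TCP 53 leaving the border; the point of excluding the internal resolvers is that their recursion to the outside is expected, while a desktop resolving directly against an unknown external server is the symptom Jeff is reporting.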

[funsec] Rogue DNS Servers

2007-03-28 Thread Fergie
A couple of colleagues (Feike Hacquebord and Chenghuai Lu) did this
research and published this report.

[snip]

Researchers of Trend Micro have identified a network of more than 115 rogue
DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS
servers exhibit interesting behavior. We found that the DNS servers resolve
most existing domains correctly at the times we queried them. However, for
non-existing domain names, the rogue DNS servers do not return the usual
error message but they instead resolve the domain name to a malicious IP
address.

[snip]

More detail:
http://tmirt.trendmicro.com.ph/blog/2007/03/rogue_dns_servers.html

- ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


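The behaviour the Trend Micro report describes, a resolver that answers existing names correctly but returns an IP address for names that do not exist, can be checked from a client by asking for a name that cannot exist and inspecting the reply code. The following is an added example, not code from the report or the thread: it builds the query in DNS wire format (RFC 1035), parses the reply, and classifies an RCODE 3 with no answer as an honest NXDOMAIN and a NOERROR reply carrying an A record as the substitution behaviour. The two replies used in the offline run are constructed here; `probe()` sends the same query to a resolver of your choosing over UDP/53. The `.invalid` suffix is reserved by RFC 2606 so no legitimate zone serves it.

```python
"""Check whether a resolver turns non-existent names into an IP address.

Added example, not code from the Trend Micro report or the funsec thread.
The replies in the test are constructed so the example runs offline.
"""
import secrets
import struct


def build_query(name, qid):
    """Recursive A query for `name` in wire format (header, QNAME, QTYPE, QCLASS)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD bit set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN


def random_probe_name(suffix="example.invalid"):
    """A random label under a reserved suffix: a name no honest resolver can answer."""
    return f"{secrets.token_hex(8)}.{suffix}"


def build_response(query, rcode, addresses=()):
    """Constructed reply to `query` for testing: echoes the question, sets `rcode`,
    appends one A record per address (owner name as a pointer to offset 12)."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode                                     # QR, RD, RA, rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addresses), 0, 0)
    answers = b""
    for ip in addresses:
        rdata = bytes(int(o) for o in ip.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
    return header + question + answers


def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                              # compression pointer
            return off + 2
        off += length + 1


def parse_response(msg):
    """Return id, rcode and the IPv4 addresses in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "answers": addrs}


def classify(query, response):
    """Label the reply to a query for a name that does not exist."""
    r = parse_response(response)
    if r["id"] != struct.unpack("!H", query[:2])[0]:
        return "mismatched-id"
    if r["rcode"] == 3 and not r["answers"]:
        return "honest-nxdomain"
    if r["rcode"] == 0 and r["answers"]:
        return "nxdomain-substitution"
    return "other"


def probe(resolver_ip, timeout=3.0):
    """Send a probe for a random non-existent name to `resolver_ip` and classify the reply."""
    import socket
    q = build_query(random_probe_name(), secrets.randbelow(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return classify(q, data)


if __name__ == "__main__":
    q = build_query(random_probe_name(), 0x1234)
    print(classify(q, build_response(q, 3)))                    # honest-nxdomain
    print(classify(q, build_response(q, 0, ["203.0.113.5"])))   # nxdomain-substitution
```

Querying a real, existing name would not distinguish the two cases, since the report notes the rogue servers resolve existing domains correctly; the probe has to use a name that is guaranteed not to exist. Some ISP resolvers also rewrite NXDOMAIN to a search page, so a "nxdomain-substitution" result says the resolver is substituting answers, not by itself which party is doing it; compare against the resolver the host is supposed to be using.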