DNSChanger ...

[McBie]

Article below provides some good information on the DNSChanger malware that has been going around for quite some time.
( Also have a look at the .pdf file )

http://isc.sans.edu/diary.html?storyid=11986

It might help people do a bit of troubleshooting themselves before seeking more in-depth advice.

Taking a step back on this technique of DNS poisoning, it won't' be long before DNSChanger v2 ( or whatever it will be called ) will hit the streets.
How might this impact you and why should you be vigilant ....
If you connect to your bank for financial transactions, the bank will know who you are due to you credentials and authentication mechanisms, but .. how do you know you are communicating with your bank ? ( and not with some bogus web server on the first floor of a chinese restaurant )

Hope it is useful.

Cheers ... McBie

 

[blairtechguy]

Configuring DNS is one of the most overlooked preventative security measures. I see it all the time fixing Windows machines (which are much more problematic) where DNS is automatically assigned. I recommend using either below:

OpenDNS: 208.67.222.222, 208.67.220.220
Google Public DNS: 8.8.8.8, 8.8.4.4

 

[vansmith]

There is nothing wrong with automatic DNS assignment. Beyond that, manually setting DNS servers doesn't preclude your settings from being changed. Although I use OpenDNS, there is nothing to stop a malicious piece of software from changing it. The only real preventative measure is to stay away from content that is frequently the source of these problems (pirated content for example).

 

[blairtechguy]

I'll just put this here.

DNS hijacking - Wikipedia, the free encyclopedia

Also http://en.wikipedia.org/wiki/DNS_rebinding.

The latter is very intriguing I've read some articles and seen it run as a POC. But like you said it comes down to the users discretion on what they are doing while connected to the internet.

 

[vansmith]

I fail to see how that precludes a trojan (or any piece of software) from changing manually assigned DNS servers. If you have a trojan on your Mac, what's to stop it from changing any value to put in yourself? In fact, here's an article about using scutil to change DNS servers from the command line. All a trojan has to do is use scutil behind the scenes to change the DNS servers.

So yes, a trojan may be able to hijack automatically assigned DNS servers but it could just as easily change manually inputted ones. You're therefore no safer with manually entries. Again, the only way to prevent any of this is to stay away from content that would cause this problem in the first place.

EDIT: Here's an even easier tool included with OS X to get the job done.

~ :: networksetup -getdnsservers "Wi-Fi"
208.67.222.222
208.67.220.220
~ :: networksetup -setdnsservers "Wi-Fi" 8.8.8.8 8.8.4.4
~ :: networksetup -getdnsservers "Wi-Fi"
8.8.8.8
8.8.4.4

That was easy.

 

[blairtechguy]

Would still need a super user/admin password. You did this logged into an administrative account. Try doing this with a standard user account . Like you said it comes down to the user who is the biggest security threat to a system.

in man networksetup

The networksetup command is used to configure network settings typically configured in the System Preferences application. The networksetup command requires at least "admin" privileges to run. Most of the set commands require "root" privileges to run.

 

[vansmith]

Most people, I would bet, run as an administrator (sometime perhaps unknowingly) especially when you consider that the "default" account has admin privileges. Since you don't actually need superuser privileges to use networksetup to change DNS settings, the possibility is there.

Yes, I think we can agree that the best protection against this kind of problem is user knowledge (as is the case for 95% of preventative measures).

 

[BrianLachoreVPI]

FBI tackles DNSChanger malware scam | MacFixIt - CNET Reviews