DNSChanger ...

Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
Article below provides some good information on the DNSChanger malware that has been going around for quite some time.
(Also have a look at the .pdf file.)

http://isc.sans.edu/diary.html?storyid=11986

It might help people do a bit of troubleshooting themselves before seeking more in-depth advice.

Taking a step back on this technique of DNS poisoning, it won't be long before DNSChanger v2 (or whatever it will be called) hits the streets.
How might this impact you, and why should you be vigilant?
If you connect to your bank for financial transactions, the bank will know who you are due to your credentials and authentication mechanisms, but how do you know you are communicating with your bank? (And not with some bogus web server on the first floor of a Chinese restaurant.)

Hope it is useful.

Cheers ... McBie
 
Joined
Sep 13, 2011
Messages
100
Reaction score
2
Points
18
Location
Kentucky, USA
Your Mac's Specs
Mac Pro 2 x 2.66 Xeon 6gb DDR2 1TB OSX Server
Configuring DNS is one of the most overlooked preventative security measures. I see it all the time fixing Windows machines (which are much more problematic) where DNS is automatically assigned. I recommend using either of the below:

OpenDNS: 208.67.222.222, 208.67.220.220
Google Public DNS: 8.8.8.8, 8.8.4.4
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,940
Reaction score
574
Points
113
Location
Queensland
Your Mac's Specs
Too many devices to list
There is nothing wrong with automatic DNS assignment. Beyond that, manually setting DNS servers doesn't preclude your settings from being changed. Although I use OpenDNS, there is nothing to stop a malicious piece of software from changing it. The only real preventative measure is to stay away from content that is frequently the source of these problems (pirated content for example).
 
vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,940
Reaction score
574
Points
113
Location
Queensland
Your Mac's Specs
Too many devices to list
I fail to see how that precludes a trojan (or any piece of software) from changing manually assigned DNS servers. If you have a trojan on your Mac, what's to stop it from changing any value you put in yourself? In fact, here's an article about using scutil to change DNS servers from the command line. All a trojan has to do is use scutil behind the scenes to change the DNS servers.

So yes, a trojan may be able to hijack automatically assigned DNS servers, but it could just as easily change manually entered ones. You're therefore no safer with manual entries. Again, the only way to prevent any of this is to stay away from content that would cause this problem in the first place.

EDIT: Here's an even easier tool included with OS X to get the job done.
Code:
~ :: networksetup -getdnsservers "Wi-Fi"
208.67.222.222
208.67.220.220
~ :: networksetup -setdnsservers "Wi-Fi" 8.8.8.8 8.8.4.4
~ :: networksetup -getdnsservers "Wi-Fi"
8.8.8.8
8.8.4.4
That was easy.
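The thread's point is that a trojan running with the user's privileges can quietly swap the resolvers with the same command shown above. The defensive counterpart is to notice when that happens. The script below is an added example, not code from the thread or from Apple: it compares the resolvers a network service reports against an allow-list built from the two resolver pairs named in this thread (OpenDNS and Google Public DNS), and flags anything else. It assumes the "There aren't any DNS Servers set" line that networksetup prints when resolvers come from DHCP, and the service name "Wi-Fi" from the post above; the address 198.51.100.7 used in the comments is a constructed, documentation-range example of an unexpected resolver.

```shell
#!/bin/sh
# Added example (not from the thread): flag DNS resolvers that differ from
# an allow-list, so a silent change of the kind discussed above is noticed.

# Allow-list of resolvers we expect to see (the two pairs quoted in the thread).
ALLOWED_DNS="208.67.222.222 208.67.220.220 8.8.8.8 8.8.4.4"

# check_dns_list: read one resolver per line from stdin.
# Returns 0 if every resolver is on the allow-list,
#         1 if any is not (the offending address is printed),
#         2 if the list is empty or is the "There aren't any DNS Servers set"
#           message networksetup prints for DHCP-assigned resolvers (assumed).
check_dns_list() {
    found=0
    rc=0
    while IFS= read -r server; do
        [ -z "$server" ] && continue
        case "$server" in
            *"aren't any DNS"*) return 2 ;;
        esac
        found=1
        ok=0
        for allowed in $ALLOWED_DNS; do
            if [ "$server" = "$allowed" ]; then ok=1; break; fi
        done
        if [ "$ok" -eq 0 ]; then
            # e.g. a constructed value such as 198.51.100.7 would land here
            echo "unexpected resolver: $server"
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$rc"
}

# check_service: run the check against a live macOS network service, e.g. "Wi-Fi".
# Returns 2 where networksetup is not available (non-macOS systems).
check_service() {
    command -v networksetup >/dev/null 2>&1 || return 2
    networksetup -getdnsservers "$1" | check_dns_list
}

# Stand-alone use:  sh dnscheck.sh Wi-Fi
if [ -n "$1" ]; then
    rc=0
    check_service "$1" || rc=$?
    case "$rc" in
        0) echo "DNS servers for $1 match the allow-list" ;;
        1) echo "DNS servers for $1 have changed; review them" ;;
        2) echo "No static DNS servers set, or networksetup unavailable" ;;
    esac
fi
```

Run it from a login item or a periodic launchd job and the check catches a resolver change regardless of whether the servers were assigned by DHCP or typed in by hand, which is the gap the discussion above identifies.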
 
Joined
Sep 13, 2011
Messages
100
Reaction score
2
Points
18
Location
Kentucky, USA
Your Mac's Specs
Mac Pro 2 x 2.66 Xeon 6gb DDR2 1TB OSX Server
Would still need a superuser/admin password. You did this logged into an administrative account. Try doing this with a standard user account :). Like you said, it comes down to the user, who is the biggest security threat to a system.

From man networksetup:

The networksetup command is used to configure network settings typically configured in the System Preferences application. The networksetup command requires at least "admin" privileges to run. Most of the set commands require "root" privileges to run.
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,940
Reaction score
574
Points
113
Location
Queensland
Your Mac's Specs
Too many devices to list
Most people, I would bet, run as an administrator (sometimes perhaps unknowingly), especially when you consider that the "default" account has admin privileges. Since you don't actually need superuser privileges to use networksetup to change DNS settings, the possibility is there. ;)

Yes, I think we can agree that the best protection against this kind of problem is user knowledge (as is the case for 95% of preventative measures).
 