CPE dns hijacking malware

2013-11-11 Thread Mike

Hi,

It appears that some of my subscribers' DSL modems (which are acting as 
NAT routers) have had their DNS settings hijacked, presumably for 
serving ads or some such nonsense. The DNS server addresses are 
statically programmed in and, of the ones I have seen, they are not 
currently responsive, leading to slow page loads or 404 errors and hence 
tech support calls to my support desk. I have set up a resolver that 
will answer DNS queries and have done some routing magic to redirect 
queries sent from my customer CPEs to these hijacked DNS addresses. 
This is working for the time being and affected clients don't know about 
the problem (yet).


I realise it's highly likely there are more than just the 2 addresses I 
have identified so far in the realm of DNS hijackers, and so I am 
wondering if anyone has a line on DNS server addresses that have 
been used or are currently in use for DNS-redirecting malware. I would 
like to maybe script something so that addresses on such a list would 
automatically get dropped into a routing table pointing at my special 
DNS resolver. In the future I would also likely set up some sort of web 
redirect so that any client that queries the special resolver would get 
a web page explaining they have been hijacked and how to handle it. For 
now however I just want to stem the tide and make sure clients continue 
to work and to catch as many of these as I can. Anyone?


Mike-
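An added example (not Mike's tooling, and not part of the original thread) of the two pieces he describes: finding further rogue resolver addresses, and turning a list of them into redirect rules pointing at a sinkhole resolver. It assumes flow records exported from the customer-facing router as "src dst proto dport packets" text (the sample lines are constructed), a hypothetical customer prefix CUSTOMER_NET, the ISP's own resolvers LEGIT_RESOLVERS, and a sinkhole address SINKHOLE, all from documentation ranges. Any port-53 destination that is neither an ISP resolver nor inside customer space and is queried by several distinct customers is a candidate; the redirect is expressed as iptables DNAT rules rather than a routing-table entry, since DNAT lets the sinkhole answer as if it were the hijacked address.

```python
"""Discover candidate hijacked-DNS destinations in flow records and emit
DNAT rules that send that traffic to a sinkhole resolver.

Added example, not the poster's own tooling. Assumptions (all hypothetical):
  - flow records as "src dst proto dport packets" text (constructed below)
  - CUSTOMER_NET is the subscriber address space
  - LEGIT_RESOLVERS are the ISP's real resolvers
  - SINKHOLE is the special resolver that answers on behalf of rogue IPs
"""
import ipaddress
from collections import defaultdict

CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")   # hypothetical
LEGIT_RESOLVERS = {"198.51.100.10", "198.51.100.11"}     # hypothetical
SINKHOLE = "198.51.100.53"                               # hypothetical
MIN_CLIENTS = 3  # a port-53 destination used by this many customers is suspect

# Constructed sample flow records: src dst proto dport packets
SAMPLE_FLOWS = """\
203.0.113.10 198.51.100.10 udp 53 40
203.0.113.11 198.51.100.10 udp 53 12
203.0.113.12 192.0.2.77 udp 53 30
203.0.113.13 192.0.2.77 udp 53 25
203.0.113.14 192.0.2.77 udp 53 9
203.0.113.15 192.0.2.78 udp 53 7
203.0.113.15 192.0.2.78 tcp 53 1
203.0.113.16 192.0.2.78 udp 53 4
203.0.113.17 192.0.2.78 udp 53 2
203.0.113.18 198.51.100.11 udp 53 15
203.0.113.19 192.0.2.200 udp 53 1
203.0.113.20 203.0.113.1 udp 53 5
203.0.113.21 192.0.2.77 tcp 443 300
"""


def parse_flows(text):
    """Yield (src, dst, proto, dport, packets) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, packets = parts
        try:
            yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                   proto.lower(), int(dport), int(packets))
        except ValueError:
            continue


def candidate_rogue_resolvers(flow_text, min_clients=MIN_CLIENTS):
    """Return {dst_ip: set(customer_ips)} for port-53 destinations that are
    neither ISP resolvers nor inside customer space, used by >= min_clients
    distinct customers. Port-53 traffic between customers (e.g. to the CPE's
    own LAN side) is ignored, as is non-DNS traffic to the same hosts."""
    clients_by_dst = defaultdict(set)
    for src, dst, proto, dport, _ in parse_flows(flow_text):
        if dport != 53 or proto not in ("udp", "tcp"):
            continue
        if src not in CUSTOMER_NET:
            continue
        if str(dst) in LEGIT_RESOLVERS or dst in CUSTOMER_NET:
            continue
        clients_by_dst[str(dst)].add(str(src))
    return {dst: c for dst, c in clients_by_dst.items() if len(c) >= min_clients}


def redirect_rules(rogue_ips, sinkhole=SINKHOLE):
    """Emit iptables nat/PREROUTING DNAT rules (as strings) that steer DNS
    traffic from customers to each rogue address into the sinkhole resolver.
    Strings only: review them before loading on the customer-facing router."""
    rules = []
    for ip in sorted(rogue_ips, key=ipaddress.ip_address):
        for proto in ("udp", "tcp"):
            rules.append(
                f"iptables -t nat -A PREROUTING -s {CUSTOMER_NET} -d {ip} "
                f"-p {proto} --dport 53 -j DNAT --to-destination {sinkhole}:53"
            )
    return rules


if __name__ == "__main__":
    found = candidate_rogue_resolvers(SAMPLE_FLOWS)
    for dst, clients in sorted(found.items()):
        print(f"{dst}: {len(clients)} customers")
    print("\n".join(redirect_rules(found)))
```

Lowering MIN_CLIENTS surfaces single-customer destinations such as a user who simply configured a public resolver by hand, so the threshold is a trade-off between catching hijacked CPEs early and flagging legitimate choices; the rule strings are deliberately not executed by the script.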



Re: CPE dns hijacking malware

2013-11-11 Thread Dobbins, Roland

On Nov 12, 2013, at 12:56 PM, Mike mike-na...@tiedyenetworks.com wrote:

> It appears that some of my subscribers DSL modems (which are acting as nat 
> routers) have had their dns settings hijacked and presumably for serving ads 
> or some such nonsense. 

How do you think this was accomplished?  Via some kind of Web exploit 
customized for those devices and targeting your user population via email or 
social media, which tricked users into clicking on something that accessed the 
Web admin interface via default admin credentials or some such; or via some 
direct attack on the CPE devices themselves; or via some other method?

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: CPE dns hijacking malware

2013-11-11 Thread Jeff Kell
On 11/12/2013 1:12 AM, Dobbins, Roland wrote:
> On Nov 12, 2013, at 12:56 PM, Mike mike-na...@tiedyenetworks.com wrote:
> 
>> It appears that some of my subscribers DSL modems (which are acting as nat 
>> routers) have had their dns settings hijacked and presumably for serving ads 
>> or some such nonsense. 
> 
> How do you think this was accomplished?  Via some kind of Web exploit 
> customized for those devices and targeting your user population via email or 
> social media, which tricked users into clicking on something that accessed 
> the Web admin interface via default admin credentials or some such; or via 
> some direct attack on the CPE devices themselves; or via some other method?

Basically two cases...  (1) XSS attack on the router using default (or
dictionary) credentials to set the DNS server on the router, or (2) DHCP
hijacking daemon installed on the client, supplying the hijacker's DNS
servers on a DHCP renewal.  Have seen both, the latter being more
common, and the latter will expand across the entire home subnet in time
(based on your lease interval)

Jeff
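An added example (not Jeff's or anyone else's code from the thread) for the second case he describes, a DHCP-hijacking daemon on a LAN host handing out the attacker's resolvers at lease renewal. It parses the option area of a DHCP OFFER/ACK and flags a reply whose server identifier (option 54) is not the CPE, or whose DNS server option (option 6) contains an address outside an allowlist. KNOWN_DHCP_SERVER and ALLOWED_DNS are hypothetical, and the two packets are constructed with the helper rather than captured.

```python
"""Parse DHCP OFFER/ACK packets and flag ones that push DNS servers
outside an allowlist or come from an unexpected DHCP server.

Added example, not from the thread. Assumptions (all hypothetical):
  - KNOWN_DHCP_SERVER is the CPE's LAN address, the only legitimate server
  - ALLOWED_DNS are the resolvers the CPE is supposed to hand out
  - the packets are constructed with build_dhcp(), not captured
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
MSG_TYPES = {2: "OFFER", 5: "ACK"}

ALLOWED_DNS = {"198.51.100.10", "198.51.100.11"}  # hypothetical ISP resolvers
KNOWN_DHCP_SERVER = "192.168.1.1"                 # hypothetical CPE LAN address


def build_dhcp(msg_type, server_id, dns_servers):
    """Construct a minimal BOOTP/DHCP reply carrying message-type, server-id
    and DNS-server options. Used only to make sample input for the detector."""
    fixed = bytearray(236)          # BOOTP fixed header, zeroed
    fixed[0], fixed[1], fixed[2] = 2, 1, 6   # op=BOOTREPLY, htype=ethernet, hlen=6
    opts = bytearray()
    opts += bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_id).packed
    dns = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns)]) + dns
    opts += bytes([OPT_END])
    return bytes(fixed) + MAGIC_COOKIE + bytes(opts)


def parse_options(packet):
    """Return {code: value_bytes} from a DHCP packet. Raises ValueError on a
    short header, missing magic cookie, or an option truncated by the packet
    end (a cheap way to catch malformed or deliberately odd replies)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value      # last occurrence wins; option overloading not handled
        i += 2 + length
    return opts


def dns_servers(opts):
    """Decode option 6 into dotted-quad strings; length must be a multiple of 4."""
    raw = opts.get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def check_dhcp_reply(packet):
    """Return a list of findings for an OFFER/ACK; an empty list means the
    reply came from the known server and only pushes allowlisted resolvers."""
    findings = []
    opts = parse_options(packet)
    mtype = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in MSG_TYPES:
        return findings     # only OFFER/ACK carry configuration we care about
    server = (str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
              if OPT_SERVER_ID in opts else None)
    if server != KNOWN_DHCP_SERVER:
        findings.append(f"{MSG_TYPES[mtype]} from unexpected DHCP server {server}")
    for d in dns_servers(opts):
        if d not in ALLOWED_DNS:
            findings.append(f"{MSG_TYPES[mtype]} pushes non-allowlisted DNS server {d}")
    return findings


# Constructed samples: a legitimate ACK from the CPE, and a rogue OFFER from a
# compromised LAN host that mixes a foreign resolver in with a real one.
LEGIT_ACK = build_dhcp(5, "192.168.1.1", ["198.51.100.10", "198.51.100.11"])
ROGUE_OFFER = build_dhcp(2, "192.168.1.37", ["192.0.2.77", "198.51.100.10"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_ACK), ("rogue", ROGUE_OFFER)):
        print(name, check_dhcp_reply(pkt) or "ok")
```

Fed from a capture on the CPE's LAN side (or from a subscriber's machine), this separates the two cases Jeff lists: a hijacked CPE still answers DHCP from its own address but with the wrong option 6, while a rogue daemon shows up as a second server identifier on the LAN.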




Re: CPE dns hijacking malware

2013-11-11 Thread Dobbins, Roland

On Nov 12, 2013, at 1:17 PM, Jeff Kell jeff-k...@utc.edu wrote:

> (2) DHCP hijacking daemon installed on the client, supplying the hijacker's 
> DNS servers on a DHCP renewal.  Have seen both, the latter being more
> common, and the latter will expand across the entire home subnet in time 
> (based on your lease interval)

I'd (perhaps wrongly) assumed that this probably wasn't the case, as the OP 
referred to the CPE devices themselves as being misconfigured; it would be 
helpful to know if the OP can supply more information, and whether or not he'd 
had a chance to examine the affected CPE/end-customer setups.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton