Free Republic
News/Activism

Although there's essentially nothing an end-user can do to protect him- or herself -- other than to regularly sweep the system for spyware and/or have real-time anti-spyware defenses up and running -- DNS server administrators, particularly those in enterprises, should scramble.

I run anti-spyware programs once a week.

1 posted on 04/06/2005 3:35:48 PM PDT by Eagle9
[ Post Reply | Private Reply | View Replies ]


To: Eagle9
I run anti-spyware programs once a week.

Good, but this attack is perfect for phishing. Even if you're paranoid and manually type in http://paypal.com, if the attacker has gotten to the DNS server you're using you'll still get sent to the fake site.

2 posted on 04/06/2005 3:42:01 PM PDT by ThinkDifferent (These pretzels are making me thirsty)
[ Post Reply | Private Reply | To 1 | View Replies ]

To: ShadowAce

Tech ping.


3 posted on 04/06/2005 3:42:55 PM PDT by Eagle9
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9

Actually, there are several things you can do.

You could run a local DNS caching server on your home network, for example. It's pretty easy to set one up in Linux, BSD, or Solaris.

Or you could just configure your TCP/IP connection to use a DNS server known to be reliable. The OpenRoot Foundation's DNS servers are quite good, and they invite everyone to use them:

http://support.open-rsc.org/


4 posted on 04/06/2005 3:46:18 PM PDT by proxy_user
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9

This thing keeps moving my home page from google to some searchnet crap and it keeps putting crap in my favorites. We have anti-spyware up and running but every time I start up my computer it gets hijacked. Any clue as to how to get rid of this?


5 posted on 04/06/2005 3:47:08 PM PDT by Slyfox
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9
The impact is either unknown expected to be minor to the infrastructure.

Who proof reads this stuff?

6 posted on 04/06/2005 3:47:22 PM PDT by scab4faa (http://www.compfused.com/directlink/703/)
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9

Those whose ISPs are smart and thus running Linux should not see any issues at all.


7 posted on 04/06/2005 3:47:50 PM PDT by ikka
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9
Domain Poisoning

Not to be confused with ptomaine poisoning...

8 posted on 04/06/2005 3:50:22 PM PDT by sourcery (Resistance is futile: We are the Blog)
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9

I just lost my computer to these evil bast*ards. I ended up hijacked to about.com. As I began running spyware, adware, & malware programs to clean the machine (one program alone found over 189 pieces of malicious programs & registry entries!) my computer became more & more unstable. At one point, the video began to flash (like it was trying to refresh itself) which prevented me from navigating by mouse. I finally found, quarantined, & deleted a program called "lexplore" which is the Sodabot virus. This gave me back SOME functionality, but most of my Microsoft programs had been uninstalled or disabled. Control Panel, for instance, was gone completely. I can't say for a certainty how my machine was infected, but I don't think it's a coincidence that I had just finished downloading Windows & Explorer updates. I am thus assuming that the Microsoft server was compromised.

Computer is now with my Geek getting a fresh install of everything right down to the OS & that's going to cost me, bigtime. Why is it that we can't go after the companies who benefit from hijacking through class action lawsuits or even under the RICO laws of the U.S.? I understand having no recourse for companies licensed & located outside the U.S., but there's a lot of U.S. companies that obviously stand to benefit from this malicious invasion. One would have to be a complete idiot to believe that sites like about.com aren't complicit in these attacks.


14 posted on 04/06/2005 4:06:12 PM PDT by torqemada ("Nobody expects the Spanish Inquisition!")
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9
Is the Apple computer susceptible to these problems?
21 posted on 04/06/2005 4:33:26 PM PDT by ncpatriot
[ Post Reply | Private Reply | To 1 | View Replies ]

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

33 posted on 04/06/2005 6:11:31 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9
There is only one solution to this. The punishment for this kind of activity must be elevated to the level of social damage that it causes.

After 20+ years in the industry I pride myself on being fairly aware of such dangers, but just yesterday I put a new hard disk in a system, installed Windows XP and foolishly installed the networking before I installed service pack 2, the firewall and anti-virus software.

While downloading Verizon's Online DSL and MSN Premium, I picked up a virus. My only contact with the internet was to make initial contact with my provider and the system was infected. It took me a while to figure out what had happened and soon I had lost a day's work.

They could put these punks away for 20 to life and I wouldn't think it was overkill.

39 posted on 04/06/2005 8:20:41 PM PDT by rkhampton
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9

Bump for later


41 posted on 04/06/2005 8:27:47 PM PDT by IdahoNative
[ Post Reply | Private Reply | To 1 | View Replies ]

Update:
TechWeb
ISC Explains Microsoft Server Poisoning Vulnerabilities
April 7, 2005

The Internet Storm Center Thursday clarified details of the ongoing DNS cache poisoning attack, and how hackers are infecting Windows servers.

After consultations with Microsoft and after receiving additional reports from users on tested methods of protecting Windows servers, the ISC posted a document that outlines its recommendations. Microsoft also revised a Knowledgebase article on its support site.

The design flaw ISC mentioned Wednesday relates to when Windows servers have forwarding enabled. Apparently, Windows DNS servers expect the upstream server -- the one sending data to a second server -- to scrub any cache poisoning attacks, and so accepts all data, regardless of its current setting to protect against cache poisoning.

ISC is asking for help in pinning down under which circumstances this forwarding can create a vulnerability. So far, said ISC analyst Kyle Haugsness, it appears that upstream servers running BIND4 and BIND8 do not clean the poisoned cache before sending down to the Windows DNS server, while BIND9 does.

Specific recommendations for various BIND configurations have been posted by Haugsness on the Thursday's front page of the ISC Web site.
____________________________________________________________

Internet Storm Center

Handlers Diary April 7th 2005

Updated April 7th 2005 16:25 UTC (Handler: Kyle Haugsness)

DNS cache poisoning update

Yellow

The InfoCon is currently set at yellow in response to the DNS cache poisoning issues that we have been reporting on for the last several days. We originally went to yellow because we were uncertain of the mechanisms that allowed seemingly "secure" systems to be vulnerable to this issue. Now that we have a better handle on the mechanisms, WE WANT TO GET THE ATTENTION OF ISPs AND ANY OTHERS WHO RUN DNS SERVERS THAT MAY ACT AS FORWARDERS FOR DOWNSTREAM Microsoft DNS SYSTEMS. If you are running BIND, please consider updating to Version 9. Read on for more information...

DNS cache poisoning update

We have received more technical details on the software configurations that are vulnerable. Thanks to Microsoft for clarifying details on Windows DNS and thanks to numerous others for reporting. We try to get all the technical details right before publishing information on attacks like this, but if we waited until we were 100% sure all the time, we would never be able to notify the community when the attacks are actually happening.

On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist. Microsoft has now corrected the KB article that we published earlier with this information.

   http://support.microsoft.com/default.aspx?scid=kb;en-us;241352 
   http://support.microsoft.com/kb/316786 

On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console. On Windows 2000 SP3 and above (and Windows 2003), the secure setting is the default (even if the registry key does not exist).

Our recommendation is to only set the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters) on Windows NT4. Otherwise, use the DNS Management Console. If you are on Windows 2000 and you created the key already, you are safe to leave it in place as long as the value is "1".

There seem to be other possible scenarios where cache poisoning can occur. When forwarding to another server, Windows DNS servers expect the upstream DNS server to scrub out cache poisoning attacks. The Windows DNS server accepts all data that it receives, regardless of the setting for protecting against cache poisoning. So vulnerability to the attack depends upon whether the upstream DNS server is filtering out the attack.

We are currently trying to determine the behavior of DJBDNS, and BIND versions 4, 8, and 9 when acting as a forwarder. We are asking for assistance from the community to determine their behavior so write us if you have details. It appears that BIND4 and BIND8 do not scrub the data, whereas BIND9 does. See the following scenarios:

Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned.

Windows DNS --> forwarding to BIND9. This configuration seems to be secure because BIND9 scrubs the poisoning attempt.

Windows DNS (slave) --> forwarding to Windows DNS (master). In this scenario, your vulnerability is based on the vulnerability of the master. If the master is vulnerable, then it will be poisoned and forward the attack to the slave server, which will also be poisoned. However, if the master is secure then both servers should be safe.

The following recommendations are based on the current assumption that BIND4 and BIND8 forwarders will not filter the cache poisoning attack to their downstream clients. If we find out that this is not the case, then the recommendations may not be valid. If you have Windows DNS servers forwarding to BIND4 or BIND8, you should start investigating an upgrade of those BIND servers to BIND9. If upgrading to BIND9 would not be a possibility, a secondary recommendation would be to turn off the forwarding on Windows DNS and allow the server to contact the Internet directly so that it can apply the proper protection against cache poisoning. If you run an ISP and have clients that are using your DNS servers as forwarders, you may want to consider upgrading your resolvers to BIND9 in order to protect your clients.

Alternatively, if you have Windows DNS servers that are functioning as forwarders then you should verify that those machines are protected, which should protect the rest of the DNS servers behind it.

50 posted on 04/07/2005 1:28:37 PM PDT by Eagle9
[ Post Reply | Private Reply | To 1 | View Replies ]
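The "scrubbing" the ISC update above keeps referring to (what BIND9 does and what the Windows "Secure cache against pollution" setting does when the server is not forwarding) is a bailiwick check: a record in a response is only cached if its owner name sits inside the zone the query was sent for, so an "additional" record claiming an address for www.paypal.com cannot ride along in an answer for www.example.com. The following Python is an added illustration of that check and is not ISC's, Microsoft's or BIND's code; the transaction ID, names, addresses and the zone boundary passed to scrub() are constructed, and a real resolver would also match the transaction ID, question section and source address before it ever looked at bailiwick.

```python
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode the name at msg[off], following RFC 1035 compression pointers.
    Returns (lowercased dotted name, offset just past the name's first occurrence)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # 2-byte pointer: jump
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def rr(name, rtype, rdata, ttl=300):
    """One resource record in wire format: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_response(qname, answers, authority, additional, txid=0x1234):
    """Assemble a standard response (QR, RD, RA set) with the given sections."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1,
                         len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(answers + authority + additional)


def parse_response(msg):
    """Parse a response into its sections. Each record becomes an
    (owner, type, rdata-as-text) tuple."""
    _txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                             # skip QTYPE, QCLASS
    sections = {"question": qname}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A:
                text = ".".join(str(b) for b in msg[off:off + rdlen])
            elif rtype == TYPE_NS:
                text, _ = decode_name(msg, off)
            else:
                text = msg[off:off + rdlen].hex()
            off += rdlen
            records.append((owner, rtype, text))
        sections[key] = records
    return sections


def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name beneath it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def scrub(parsed, zone):
    """Drop every record whose owner lies outside the zone the query was sent
    for, in all three sections. Returns (records safe to cache, dropped records)."""
    clean, dropped = {"question": parsed["question"]}, []
    for key in ("answer", "authority", "additional"):
        keep = []
        for record in parsed[key]:
            (keep if in_bailiwick(record[0], zone) else dropped).append(record)
        clean[key] = keep
    return clean, dropped


# Constructed sample (documentation addresses, not real hosts): a correct answer
# for www.example.com with in-bailiwick glue for ns1.example.com, plus an
# out-of-bailiwick additional record trying to plant an address for www.paypal.com.
POISONED_RESPONSE = build_response(
    "www.example.com",
    answers=[rr("www.example.com", TYPE_A, a_rdata("192.0.2.10"))],
    authority=[rr("example.com", TYPE_NS, encode_name("ns1.example.com"))],
    additional=[rr("ns1.example.com", TYPE_A, a_rdata("192.0.2.53")),   # glue: kept
                rr("www.paypal.com", TYPE_A, a_rdata("203.0.113.5"))],  # poison: dropped
)


def demo():
    return scrub(parse_response(POISONED_RESPONSE), "example.com")


if __name__ == "__main__":
    clean, dropped = demo()
    print("cached:", clean)
    print("dropped:", dropped)
```

The forwarding problem the diary describes falls out of where this check runs: a Windows server configured to forward skips scrub() and trusts whatever its forwarder returns, so if the forwarder (BIND4/BIND8 in ISC's observations) never ran the equivalent check, the www.paypal.com record reaches the downstream cache anyway.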

To: Eagle9; Weirdad; enotheisen; Quix; agitator; Ed_in_NJ; 1234; codyjacksmom; American_Centurion; ...
InfoSec Pinglist Information

Paging the InfoSec pinglist...
Let me know if you want to be 1 or 0. (That's ON or OFF, for those who are not binary-compliant)

DNS poisoning doesn't have anything to do with spyware - it's an attack against DNS server infrastructure. Click on the link below for a somewhat technical but very good history of the issue of DNS Cache Poisoning
"DNS Cache Poisoning - The Next Generation" by Joe Stewart, GCIH (jstewart@lurhq.com)

The InfoSec pinglist is back! I have been very busy lately and am getting busier, but I'm going to make my best effort to rally the pinglist more often.

For some background, I'm an IT security consultant. I fly around, hack our clients' networks, systems, and applications, and show them what to change in their policies, procedures, and architecture to keep the real bad guys from getting in. It's a living!
51 posted on 04/07/2005 10:11:40 PM PDT by adam_az (UN out of the US! - http://www.moveamericaforward.org/?Page=Petition)
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9

bump .... thank God for checkpoint and SMART DEFENSE.


53 posted on 04/07/2005 10:42:49 PM PDT by Centurion2000 (Nations do not survive by setting examples for others. Nations survive by making examples of others)
[ Post Reply | Private Reply | To 1 | View Replies ]

To: Eagle9

bookmark for later


59 posted on 04/08/2005 4:32:27 AM PDT by Ed_in_NJ (Who killed Suzanne Coleman?)
[ Post Reply | Private Reply | To 1 | View Replies ]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson