DNS Hijack (moved from Server problems thread)

[c10ck3r]

Rec'd this from the ABA, thought I'd warn the powers that be.

Infected Users to Receive Warning about July 9 'Internet Doomsday'
OpenDNS and CloudFlare have developed a message alert system to notify more than a half-million U.S. users that they are infected with the DNSChanger malware. Infected users will receive a message on their computer screen suggesting they likely have the DNSChanger malware and are then directed to an OpenDNS Web site which has instructions on how to switch DNS to OpenDNS's trusted servers. The FBI plans to shut down the server on July 9 to prevent infected PCs from reaching the Web. Users who don’t remove the malware by July 9 will have to load anti-virus software on their computers by disc or USB drive, which can be difficult for users who don't have access to a second PC for downloading anti-virus software. See the FBI's Web site for more information.

[chalsall]

Quote:

Originally Posted by c10ck3r

Rec'd this from the ABA, thought I'd warn the powers that be.

I'm not entirely sure that's true. But then again, I wouldn't be surprised.

I personally do not trust OpenDNS. I don't like the fact they answer authoratively for domains which don't exist; covered with ads.

Google's DNS servers at least will say when they don't know the answer. 8.8.8.8 and 8.8.4.4.

Or, you can simply run your own DNS servers, and talk to the root servers.

[c10ck3r]

Quote:

Originally Posted by chalsall

I'm not entirely sure that's true. But then again, I wouldn't be surprised.
(Snip snip)

Well, I assure you it was from the American Banking Association, who forwarded it to my employer (a member bank).
The FBI link is legit, and I made sure by accessing via the generic fbi.gov site before posting.

[Dubslow]

This isn't the first time I've heard about this; the FBI has been issuing warnings via various methods (including the news, I believe) for at least 6 months now. That's why I had no trouble believing this.

[chalsall]

Quote:

Originally Posted by c10ck3r

Well, I assure you it was from the American Banking Association, who forwarded it to my employer (a member bank). The FBI link is legit, and I made sure by accessing via the generic fbi.gov site before posting.

OK.

My issue is I don't like how OpenDNS deals with resolution of domains which don't exist. According to RFC 2606, when a domain name server doesn't know the answer to a question, it should say so.

OpenDNS answers all DNS queries; those it doesn't know about it answers with the IP of a web server which starts with ads.

For example, from the Unix, first quering OpenDNS:

Code:

[chalsall@burrow ~]$ dig @208.67.220.220 thisshouldnotresolve.com

; <<>> DiG 9.8.2-RedHat-9.8.2-1.fc15 <<>> @208.67.220.220 thisshouldnotresolve.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16219
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;thisshouldnotresolve.com.	IN	A

;; ANSWER SECTION:
thisshouldnotresolve.com. 0	IN	A	67.215.65.132

Then, asking Google's DNS:

Code:

[chalsall@burrow ~]$ dig @8.8.8.8 thisshouldnotresolve.com

; <<>> DiG 9.8.2-RedHat-9.8.2-1.fc15 <<>> @8.8.8.8 thisshouldnotresolve.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34873
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;thisshouldnotresolve.com.	IN	A

;; AUTHORITY SECTION:
com.			819	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1337294775 1800 900 604800 86400

[bcp19]

Quote:

Originally Posted by Dubslow

This isn't the first time I've heard about this; the FBI has been issuing warnings via various methods (including the news, I believe) for at least 6 months now. That's why I had no trouble believing this.

I read something on this quite a while back, but it seemed most people didn't want to trust the FBI link, mainly due to paranoia about them finding stuff on their systems lol.

[kladner]

Quote:

Originally Posted by bcp19

I read something on this quite a while back, but it seemed most people didn't want to trust the FBI link, mainly due to paranoia about them finding stuff on their systems lol.

That, and I have gotten quite a few phishing-type emails which claim to be from the FBI, as well as from Hillary Clinton, and the usual Russian Oil Tycoons' Widows, HRM The Queen of England, and Nigerian Bankers. And besides, c10ck3r did verify the source. That does leave aside the question of how much faith you want to put into government pronouncements of the scary sort.

I'll try to gather some of my collection of amusing bogus emails and post them over at The Lounge, or wherever that thread is.

[bcp19]

Quote:

Originally Posted by kladner

That, and I have gotten quite a few phishing-type emails which claim to be from the FBI, as well as from Hillary Clinton, and the usual Russian Oil Tycoons' Widows, HRM The Queen of England, and Nigerian Bankers. And besides, c10ck3r did verify the source. That does leave aside the question of how much faith you want to put into government pronouncements of the scary sort.

I'll try to gather some of my collection of amusing bogus emails and post them over at The Lounge, or wherever that thread is.

If I were in the affected group, I would not hesitate to use the FBI assist as I would simply go to the FBI website and look it up there rather than use an email link. Since I get dozens of paypal alerts a month telling me that if I don't respond my account will be locked, I am used to not clicking email links(Unless I am feeling ornery then I use a username like ^$()*&#(^$ or @^$^@$^@ and the email stickit@yourrear.com). Then there's the millions I fail to collect from all my little known relatives who have died in Africa and I've probably lost over a billion dollars so far. God, I must be crazy ;)

[LaurV]

That's bull. Especially the part with "access to a second computer to dld antivirus software". You should have a good sleep and do nothing about it. To avoid any later remorse, you can eventually take eset's not32 from the web, is free for 30 days (and you can reinstall it every 30 days, if you can't afford 25 bucks per year per 3 computers). It is the best on the market since 12 years (most vb100 awards), according with virusbuletin, I am using it for more then 16 years (licensed) without any headache in all this time, it is faster then all competitor's who can rival at strengths and much stronger then all the others who can't. It has one of the best heuristics I saw (I know what I am talking about, I did thousands of tests, and I proudly own a "small virus collection" with over 30 thousands virus families).

[PageFault]

How about responsible use of the intarweb ... 25 years here, only 1 virus, which was removed as a still dormant trojan ... that was 12 years ago. Any time you see "click hear for free money / pr0n / whatever", head for the hills ...

Symantec does it for the rest ...

[Dubslow]