Friday 20 March 2009

IMPORTANT : DNSchanger threat

The DNSchanger threat is not new, but it has resurfaced and is still annoying and dangerous. To completely comprehend the severity of this threat, it is important to understand the what, how and why of DNS.

So, ... what is DNS? DNS is geek speak for Domain Name System. It is the mechanism that translates the meaningful names of websites, such as www.bbc.co.uk, into the numerical IP addresses that the networking equipment making up any network, including the biggest one, the internet, actually works with. Essentially it is a distributed database that your computer queries every time it wants to reach a host by name; once the address comes back, the routers along the way take care of getting the traffic there. The point that matters for this threat is that your computer believes whatever the DNS server it has been told to use says: if that server lies, you are sent to the wrong destination with no warning. There is much more to DNS than can be dealt with in a blog post, but that is enough to understand the threat.

DHCP is geek speak for Dynamic Host Configuration Protocol. When a computer is connected to a network, wired or wireless, it needs some settings before it can work, such as an IP address, a gateway address and a DNS server address. These are only some of the many things that need to come together to work on a network. There are two ways of giving a computer these settings: static and dynamic. Static settings are entered manually and changed manually; dynamic settings are handed out by the network. To obtain them dynamically, the computer is set to use DHCP, and on connecting it broadcasts a DHCP request to the whole local network. A DHCP server answers with an offer, the computer accepts it, and the server confirms all the details the computer should use, including which DNS server to ask. This is called a DHCP lease. Note that nothing in this exchange is authenticated: the computer simply takes the first acceptable offer that arrives, whoever sent it. The computer is now configured with all the proper addresses to work on the network. In an ideal world at least.

How is it done? DNSchanger is a trojan that installs itself on a computer, or reconfigures another network device such as a home router whose admin password was left at the default, and then tampers with DNS in one of two ways. On the infected machine itself it simply overwrites the DNS server setting with addresses the criminals control. Some variants go further and run a rogue DHCP server on the local network: when any computer on that network broadcasts a DHCP request, the trojan answers before the real DHCP server can and hands out a false lease. The lease is false because the DNS server it names is the attackers', so every other computer on that network, infected or not, is poisoned as well. When a computer configured this way asks for a website, the false DNS can send it elsewhere, usually to a site that closely mimics the one requested. Some are convincing enough to fool most people; the address bar, the certificate warnings and small details on the page are where the deception usually shows, but do not rely on spotting it by eye.

Why is it done? These look-alike websites are designed to log everything you enter into them, usernames, passwords and card details included, and thereby grant the malicious of this world access to your accounts. They are called phishing websites, because they fish for your personal data.

Keep your system and all anti-malware (anti-virus, anti-spam, etc.) completely up to date, and also make a note of the following address range. If the DNS settings on your computer, or on your router, point at a server in this range, treat the machine as compromised. On Windows, ipconfig /all lists the DNS servers in use; on Linux they are in /etc/resolv.conf. Check the router's DNS setting in its admin page too, since a poisoned router will hand the bad servers to every machine behind it.

DNS servers in the range 85.255.112.0 to 85.255.127.255 (85.255.112.0/20) indicate a compromised computer or router. That block belonged to the operators of DNSchanger's rogue name servers, and no legitimate ISP or home router hands out resolvers in it.
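The check above can be done by hand, but the rogue DHCP lease described earlier is also easy to recognise mechanically once you can read DHCP options. The following is an added example, not code from the original post or from any DNSchanger analysis: it builds a constructed DHCPOFFER (no real traffic is captured), pulls the offered DNS servers out of option 6, and flags any that fall inside 85.255.112.0/20, the range published for DNSchanger's resolvers. The specific addresses 85.255.112.36 and 85.255.112.37 and all helper names are made up for the example. The same suspicious_resolvers function works on the list you read out of ipconfig /all or /etc/resolv.conf.

```python
"""
Added example (not from the original post): parse a DHCP OFFER and flag any
offered DNS server (option 6) that falls inside address ranges associated
with DNSchanger. The OFFER bytes are constructed here, not captured.
"""
import ipaddress
import struct

# 85.255.112.0/20 is the range published for DNSchanger's rogue resolvers.
SUSPICIOUS_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie after the BOOTP header


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP/BOOTP message.

    The fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie,
    then TLV options terminated by 0xFF. Option 0 is a pad with no length byte.
    """
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0xFF:          # end option
            break
        if code == 0:             # pad option
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def dns_servers_from_offer(packet: bytes) -> list:
    """Extract the DNS server list (option 6) from a DHCP message."""
    raw = parse_dhcp_options(packet).get(6, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def suspicious_resolvers(servers) -> list:
    """Return the resolver addresses that fall inside a suspicious range."""
    flagged = []
    for s in servers:
        addr = ipaddress.ip_address(s)
        if any(addr in net for net in SUSPICIOUS_RANGES):
            flagged.append(str(addr))
    return flagged


def build_offer(your_ip, server_ip, dns_servers, xid=0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER for the example (hypothetical, not captured)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                # op=BOOTREPLY, Ethernet, hlen=6, hops=0
        xid, 0, 0,                                 # xid, secs, flags
        b"\0" * 4,                                 # ciaddr
        ipaddress.IPv4Address(your_ip).packed,     # yiaddr: address being offered
        ipaddress.IPv4Address(server_ip).packed,   # siaddr
        b"\0" * 4,                                 # giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,       # chaddr, sname, file
    )
    opts = b"\x35\x01\x02"                                          # option 53: DHCPOFFER
    opts += b"\x36\x04" + ipaddress.IPv4Address(server_ip).packed   # option 54: server id
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts += bytes([6, len(dns)]) + dns                              # option 6: DNS servers
    opts += b"\xff"
    return header + DHCP_MAGIC + opts


if __name__ == "__main__":
    # Constructed sample offers: one from a rogue server, one from the real router.
    rogue = build_offer("192.168.1.50", "192.168.1.1", ["85.255.112.36", "85.255.112.37"])
    honest = build_offer("192.168.1.50", "192.168.1.1", ["192.168.1.1"])
    for name, pkt in (("rogue", rogue), ("honest", honest)):
        offered = dns_servers_from_offer(pkt)
        bad = suspicious_resolvers(offered)
        print(f"{name}: offered DNS {offered} -> {'COMPROMISED ' + str(bad) if bad else 'ok'}")
```

The parser deliberately refuses anything that is not a DHCP message and anything with a truncated option, rather than silently returning an empty list, so a malformed or adversarial packet cannot masquerade as a clean one.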

Periodically, run a full antivirus scan with the latest definitions to ensure you remain safe.

As always ... be cautious and use your common sense.
