jerome1232 Posted February 26, 2012

> Does that mean you still don't understand my comment? I'm not going to answer irrelevant questions. I suggest you research DNS servers, and how they work in a hierarchy, starting from root DNS servers. If you think your question is relevant, can you explain how?

As I read it, it is somewhat relevant. They didn't infect already existing DNS servers; they set up rogue DNS servers and created a trojan which set your IP settings to use their rogue DNS server. As far as I can tell the trojan was also capable of attacking your router. I'm assuming a computer attached to the router had to run the trojan to do so, making OS still somewhat relevant.

All this is moot really since the trojan was written for Macintosh and they were affected.
Mahone Posted February 26, 2012 (edited)

> As I read it, it is somewhat relevant. They didn't infect already existing DNS servers, they set up rogue DNS servers and created a trojan which set your IP settings to use their rogue DNS server. As far as I can tell the trojan was also capable of attacking your router, I'm assuming a computer attached to the router had to run the trojan to do so, making OS still somewhat relevant.

All DNS servers also use DNS servers, right up until root DNS servers. If a DNS server isn't aware of the IP address of a domain name, it asks the DNS server above it in the hierarchy, and so on and so forth until it reaches a root DNS server, after which it gives up.

Your computer right now can be used as a DNS server; it just needs to be configured to be one, which is really simple to do. But it will need to be given the address of another DNS server from which to get information if it doesn't know the IP address of a domain name. Depending on the configuration of that DNS server, the modifications the trojan makes will make the DNS server above it in the hierarchy the illegitimate one. If one of those Windows-based DNS servers in any part of the hierarchy above an OSX machine is infected (we're working on the assumption that no OSX machines are directly infected), the Mac will display exactly the same symptoms as a Windows machine would.

In a large portion of real-world scenarios, Macs will be using Windows-based DNS servers. If that Windows DNS server is infected, depending on its configuration, it can easily give out illegitimate DNS records to the OSX machines (and any other machines of any operating system) below it. Ergo, Macs are also vulnerable.

In our environment, we have both Windows and Linux DNS servers. All of our ~70 Macs are getting their DNS information from Windows machines. The point I'm trying to make really is that OSX machines are not independent of Windows machines, particularly in corporate networks, but domestic users aren't completely immune either. With issues such as DNS, which works in a hierarchy system, it doesn't matter what operating system you use; you can still be affected.

Edited February 26, 2012 by Mahone
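The forwarding chain Mahone describes (client -> corporate DNS server -> its upstream -> root), and what happens to every client below a server whose upstream has been swapped for a rogue resolver, can be modelled in a few lines. The following is an added example written for this page, not code from any poster; the resolver names, the "bank.example" record and the IP addresses (taken from the RFC 5737 documentation ranges) are constructed for illustration, and the toy resolver answers only from its own cache or its single forwarder rather than performing real recursion.

```python
"""Toy model of a DNS forwarding hierarchy with a poisoned upstream.

Each Resolver answers from its own records if it has them, otherwise it
asks its forwarder. A client's operating system is recorded only to make
the point that it plays no part in which answer comes back.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Resolver:
    name: str
    os: str                                   # informational only
    records: Dict[str, str] = field(default_factory=dict)
    forwarder: Optional["Resolver"] = None

    def resolve(self, qname: str, path: Optional[List[str]] = None
                ) -> Tuple[Optional[str], List[str]]:
        """Return (answer, chain of resolvers consulted). None = no answer."""
        path = [] if path is None else path
        path.append(self.name)
        if qname in self.records:
            return self.records[qname], path
        if self.forwarder is None:
            return None, path                 # top of the chain, give up
        return self.forwarder.resolve(qname, path)


def build_hierarchy(poisoned: bool = False) -> Dict[str, Resolver]:
    """Constructed topology: two clients behind a Windows DNS forwarder.

    With poisoned=True the forwarder's upstream is rewritten to a rogue
    resolver, which is what changing a DNS server's forwarder setting
    (registry key, resolv.conf, BIND 'forwarders') amounts to.
    """
    # Constructed data: legitimate record vs. the rogue server's copy.
    legit_root = Resolver("root-ish-upstream", "linux",
                          {"bank.example": "192.0.2.10"})
    rogue = Resolver("rogue-dns", "unknown",
                     {"bank.example": "198.51.100.66"})
    win_dns = Resolver("corp-win-dns", "windows", forwarder=legit_root)
    if poisoned:
        win_dns.forwarder = rogue             # the only thing that changed
    mac = Resolver("mac-client", "osx", forwarder=win_dns)
    linux = Resolver("linux-client", "linux", forwarder=win_dns)
    return {"mac": mac, "linux": linux, "win_dns": win_dns,
            "reference": legit_root}


def divergent_answers(client: Resolver, reference: Resolver,
                      names: List[str]) -> Dict[str, Tuple[str, str]]:
    """Cheap sanity check: ask the client's chain and an independent
    reference resolver for the same names; report any disagreement.
    Returns {name: (client_answer, reference_answer)} for mismatches."""
    bad = {}
    for n in names:
        got, _ = client.resolve(n)
        want, _ = reference.resolve(n)
        if got != want:
            bad[n] = (got, want)
    return bad


if __name__ == "__main__":
    for poisoned in (False, True):
        h = build_hierarchy(poisoned)
        for label in ("mac", "linux"):
            ip, path = h[label].resolve("bank.example")
            print(f"poisoned={poisoned} {label:5} -> {ip}  via {' -> '.join(path)}")
        print("mismatches:", divergent_answers(h["mac"], h["reference"],
                                               ["bank.example"]))
```

Run as a script it prints the resolver chain for each client; in the poisoned case both the OSX and the Linux client receive the rogue address because the substitution happened one hop above them, which is the point of the post. The `divergent_answers` check is the same idea an administrator can apply for real by querying a known-good resolver directly (for example with `dig @<ip>`) and comparing with what the configured resolver returns.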
jerome1232 Posted February 27, 2012

Again, the trojan wasn't directed at infecting DNS servers; it was directed at infecting client computers. To my knowledge a DNS server's DNS settings wouldn't affect which DNS server it runs to when it doesn't know the answer, since it knows other DNS servers by IP, not by name (if I recall correctly; it's been a long time since I've messed with bind9, to be honest, so I could be wrong).

I didn't think about Windows DNS servers being infected. The fact that this is a trojan doesn't lend itself well to infecting a server; if someone is surfing questionable websites on the admin account on a SERVER and downloading codecs, well, they need a very, very stern lesson on server security.

BTW, a quick Google search shows the trojan works on OSX.
Mahone Posted February 27, 2012

> I didn't think about Windows DNS servers being infected, the fact that this is a trojan doesn't lend itself well to infecting a server, if someone is surfing questionable websites on the admin account on a SERVER and downloading codecs, well they need a very, very stern lesson on server security.

Indeed. It would be far from the first time it's happened though; let's face it, best practice and real-world scenarios are not the same thing.

Although the two registry keys that this particular trojan modifies would not affect DNS server operation in a typical "out of the box" setup on a Windows server operating system, there are other configurations that it would affect. Plus, it only has to modify a couple of additional registry keys for it to also affect out-of-the-box setups too. A very small variant of this trojan could do exactly that. Additionally, while this particular piece of malware would have to be run with user interaction, there are plenty of others that exploit zero-day vulnerabilities that don't.

As I said in my previous post, the point I'm trying to make is that just because something only directly affects Windows machines, it doesn't mean it won't indirectly affect other operating systems too. DNS corruption unfortunately doesn't discriminate by operating system; anything below the machine that is giving out false DNS records, be it Linux, OSX or BSD etc., is going to notice the symptoms. This is why I've ignored the fact that this piece of malware also infects OSX machines.
applepansy (Author) Posted February 28, 2012

Thank you all for the information and explanations.