[funsec] Rogue DNS Servers

Fergie fergdawg at netzero.net
Wed Mar 28 19:41:45 CDT 2007



A couple of colleagues (Feike Hacquebord and Chenghuai Lu) did this
research and published this report.

[snip]

Researchers of Trend Micro have identified a network of more than 115 rogue
DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS
servers exhibit interesting behavior. We found that the DNS servers resolve
most existing domains correctly at the times we queried them. However, for
non-existing domain names, the rogue DNS servers do not return the usual
error message but they instead resolve the domain name to a malicious IP
address.

[snip]

More detail:
http://tmirt.trendmicro.com.ph/blog/2007/03/rogue_dns_servers.html

-- ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
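A defender-side check for the behaviour the report describes, written as an added example (not code from the report, Trend Micro or this list): query a resolver for a few random names that cannot exist and flag it if every one comes back with an A record instead of NXDOMAIN. The wire-format helpers are minimal and assumed (single A/IN question, A answers only); `build_response` exists only to construct offline sample replies.

```python
import secrets, socket, struct

NXDOMAIN = 3  # RCODE a correct resolver returns for a name that does not exist

def probe_name(tld="com"):
    # Random label under a real TLD; practically guaranteed not to exist.
    return f"nx-{secrets.token_hex(8)}.{tld}"
def build_query(name, txid):
    # Standard recursive query (RD=1) carrying a single A/IN question.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)
def build_response(query_bytes, rcode, addrs=()):
    # Constructed reply for offline use: echoes the question, appends A records.
    txid, _, qdcount, *_ = struct.unpack(">HHHHHH", query_bytes[:12])
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, qdcount, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query_bytes[12:] + rrs
def _skip_name(data, pos):
    # Advance past a domain name; a compression pointer (top bits 11) ends it in 2 bytes.
    while data[pos] & 0xC0 != 0xC0 and data[pos] != 0:
        pos += data[pos] + 1
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)
def parse_response(data):
    """Return (rcode, [IPv4 addresses found in the answer section])."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x0F, addrs
def query(server, name, timeout=3.0):
    # One UDP query to the resolver under test; returns the raw response bytes.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, secrets.randbelow(65536)), (server, 53))
        return s.recvfrom(4096)[0]
def is_nxdomain_hijacked(responses):
    # The reported rogue behaviour: every random name yields an A record, never NXDOMAIN.
    return bool(responses) and all(rc != NXDOMAIN and addrs for rc, addrs in responses)
def check_resolver(server, probes=3):
    return is_nxdomain_hijacked([parse_response(query(server, probe_name())) for _ in range(probes)])
```

Resolvers that do their own NXDOMAIN redirection (some ISP services) trip the same check, so compare the result against a resolver you trust before treating the host's DNS settings as tampered with.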
