Erik Wu & Feike Hacquebord, Trend Micro
The DNS (Domain Name System) service is one of the most important Internet services: it lets users enter a website domain name such as www.vb2007.com instead of the site's numerical IP address, which is hard to remember. DNS is responsible for translating the entered domain name to its equivalent IP address. In this case, it translates www.vb2007.com to, say, 198.252.244.2.
But can users trust a DNS server? What if the user's system is infected by a DNS-changing trojan that points it at a rogue DNS server? In this case, the rogue DNS server can translate www.vb2007.com to an IP address controlled by bad guy(s), who can present a fake website that looks like the legitimate VB2007 site to steal users' personal information.
In this talk, we present an in-depth analysis of a real, large-scale rogue DNS network comprising more than 600 identical rogue DNS servers. We show concrete examples and discuss how the rogue DNS servers are used for click fraud and for stealing personal information. We also describe how to automatically detect such a large-scale rogue DNS network, and how to prevent rogue DNS attacks in the future.
The existence of such a large-scale rogue DNS network suggests that the bad guys make a lot of profit by deploying their rogue DNS servers. DNS-changing trojans and their corresponding servers are a serious threat to Internet users; they are especially dangerous because changes to DNS settings may go unnoticed by affected users for a long time. A rogue DNS server can monitor a user's Internet surfing habits over a long period, and the bad guys behind it can also launch targeted attacks aimed at limited groups of infected Internet users.
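As an added example (not from the talk or from Trend Micro), here is one concrete way a defender can check for the symptom described above: a stdlib-only A-record lookup that can be pointed at any resolver, plus a comparison that flags domains for which a host's configured DNS server answers differently from a trusted resolver. The function names, the 0x1234 transaction id and the sample response bytes are assumptions constructed here; the www.vb2007.com / 198.252.244.2 pair is taken from the abstract.

```python
import socket
import struct
def build_query(domain, txid=0x1234):
    """Standard recursive A query for `domain` (header: RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in domain.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):  # offset just past a (possibly compressed) name at `off`
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """IPv4 addresses found in the answer section of a DNS response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve(resolver_ip, domain, timeout=2.0):
    """A records for `domain` as answered by `resolver_ip` over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain), (resolver_ip, 53))
        return parse_a_records(s.recv(512))

def divergent_answers(configured, trusted):
    """Domains whose answer from the host's configured resolver differs from the trusted one."""
    return {d: (configured[d], trusted.get(d, []))
            for d in configured if set(configured[d]) != set(trusted.get(d, []))}

# Constructed sample response (not captured traffic): www.vb2007.com -> 198.252.244.2
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR/RD/RA; 1 Q, 1 A
                   + build_query("www.vb2007.com")[12:]               # question echoed back
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)  # ptr to offset 12; A IN TTL 60
                   + socket.inet_aton("198.252.244.2"))
```

In practice, `resolve` would be run once against the resolver found in the host's DNS settings and once against a trusted resolver for a fixed list of sentinel domains, and `divergent_answers` applied to the two result sets.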