
Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9

timothy posted more than 2 years ago | from the blame-the-feds dept.

Security 193

Dante_J writes "Up to 100,000 DSL modems may lose access to DNS come July the 9th, due to scripted web interface changes made to them by DNSChanger. This and other disturbing details were raised by respected Internet elder Paul Vixie during a presentation at the AusCERT 2012 conference."


HAHA !! DSL SUXORS !! (-1)

Anonymous Coward | more than 2 years ago | (#40032441)

But then cable is terribly unreliably here at TWC !!

Re:HAHA !! DSL SUXORS !! (1)

Jeng (926980) | more than 2 years ago | (#40032735)

I have had nothing but good service from TWC here in Austin, I understand that in some other markets though that they do indeed suck.

My experience with DSL though has been nothing but shitty. YMMV.

Re:HAHA !! DSL SUXORS !! (1)

ender- (42944) | more than 2 years ago | (#40033029)

I have had nothing but good service from TWC here in Austin, I understand that in some other markets though that they do indeed suck.

My experience with DSL though has been nothing but shitty. YMMV.

DSL Used to be awesome, esp if you could get a 3rd party provider like Speakeasy. Once AT&T was able to avoid giving access to Speakeasy though, it went downhill quickly and has sucked ever since.

TWC sucks massively here in Arlington, TX. One of the issues is that they route me through Houston, even if I'm connecting to my work systems a few miles away. But then if I try to access a system in Houston, it sends the traffic down to Houston, back to Dallas, then back down to Houston.

And those are my options. Nearly non-functional DSL limited to 6Mbps [but only actually getting 3Mbps most of the time] or horribly inefficient TWC at 30Mbps but that routes me all over the place and drops packets like nobody's business...

8.8.8.8 (4, Informative)

windcask (1795642) | more than 2 years ago | (#40032505)

What DNS issues?

Re:8.8.8.8 (1)

Anonymous Coward | more than 2 years ago | (#40032583)

+1

This is much faster than my ISP's DNS, and it doesn't redirect misses to crappy ad-pages either.

Re:8.8.8.8 (1)

goombah99 (560566) | more than 2 years ago | (#40034291)

I've read that this can bollix things like Limewire to Akamai by sending you to a far away source rather than a near one that your ISP's DNS would select. I won't pretend to understand that.

Re:8.8.8.8 (2)

thebigmacd (545973) | more than 2 years ago | (#40034369)

Google DNS uses anycast, which should actually give you a DNS server right close to you.

Re:8.8.8.8 (1)

Spikeles (972972) | more than 2 years ago | (#40034701)

Maybe someone should let Google know that it doesn't work.
nslookup a1.phobos.apple.com 8.8.8.8
Name: a1.da1.akamai.net
Address: 203.106.85.64

tracert 203.106.85.64
7 pos0-3-0.bdr2.nrt1.internode.on.net (203.16.211.6) 180.163 ms 180.985 ms 182.178 ms
8 as4788.ix.jpix.ad.jp (210.171.224.194) 229.548 ms 213.651 ms 214.562 ms
9 * * *
10 203.106.85.64 (203.106.85.64) 230.374 ms 228.848 ms 229.060 ms

nslookup a1.phobos.apple.com
Name: a1.da1.akamai.net
Address: 203.206.129.16
7 te1-4.syd-ult-bdr1.iinet.net.au (203.215.20.31) 77.949 ms 79.208 ms 80.695 ms
8 203-206-129-16.deploy.akamaitechnologies.net (203.206.129.16) 82.029 ms 66.178 ms 66.436 ms

Re:8.8.8.8 (1)

Spikeles (972972) | more than 2 years ago | (#40034827)

Read the first couple of paragraphs here [ietf.org] .

Re:8.8.8.8 (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40032681)

Sure, then Google can see every web site, service, anything that you use, even when not using their search. Great idea!

Re:8.8.8.8 (4, Informative)

philip.paradis (2580427) | more than 2 years ago | (#40032753)

Any DNS provider you use can do the same thing. If you don't like this, feel free to operate your own resolvers.

Re:8.8.8.8 (2)

bws111 (1216812) | more than 2 years ago | (#40032939)

How many DNS providers (usually your ISP) have business models that depend on knowing as much about people as they possibly can?

Re:8.8.8.8 (4, Insightful)

Lifyre (960576) | more than 2 years ago | (#40033211)

These days? I would bet more than 50% by traffic probably A LOT more by traffic...

Do you think Comcast, Time Warner, Cox, AT&T (SBC), Bright House, Verizon etc... aren't? What percentage of DNS services do they provide?

Even if they don't use it directly many of them are selling it to someone who does.

Re:8.8.8.8 (2, Interesting)

Anonymous Coward | more than 2 years ago | (#40033117)

feel free to operate your own resolvers

I do. It's easy. [unbound.net]

Re:8.8.8.8 (1)

philip.paradis (2580427) | more than 2 years ago | (#40034403)

Unbound is indeed fantastic. It's my resolver of choice, and I use it heavily.

Re:8.8.8.8 (1)

Jon Stone (1961380) | more than 2 years ago | (#40033125)

feel free to operate your own resolvers.

Preferably with DNSSEC turned on.

Re:8.8.8.8 (1)

GuidoW (844172) | more than 2 years ago | (#40035417)

Anyone know how to make djbdns DNSSEC aware? (Yes, I know that djb himself is opposed to DNSSEC and is trying to push DNSCURVE instead...)

Re:8.8.8.8 (0)

Anonymous Coward | more than 2 years ago | (#40033395)

Any DNS provider you use can do the same thing.

Not quite. Google's TOS states that you give them full irrevocable rights to anything you access using their service. This is not a common clause and agreeing to such terms for a DNS server seems foolish to me.

Re:8.8.8.8 (3, Informative)

Baloroth (2370816) | more than 2 years ago | (#40033695)

No they don't. See their FAQ [google.com] .

Re:8.8.8.8 (0)

Dishevel (1105119) | more than 2 years ago | (#40033769)

Luckily he was anonymous so we can never tell which he is working for...Apple or Microsoft.

Re:8.8.8.8 (1)

Anonymous Coward | more than 2 years ago | (#40033953)

Unless he was using Google's DNS, in which case they'll know.

Re:8.8.8.8 (0)

Anonymous Coward | more than 2 years ago | (#40035281)

No they don't. See their FAQ [google.com].

Yes they do state that. This is not a debatable issue.

That FAQ puts no legal limits on anything Google does. Why did you link to it?

See their TOS. Specifically this part:

"you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones."

Notice the tricky wording of things like "Google (and those we work with)" and "limited purpose of operating ... our Services". Can you think of a single thing they could do with your information that would not fall under those terms? I am a lawyer and I can not.

Re:8.8.8.8 (2)

mcavic (2007672) | more than 2 years ago | (#40033649)

feel free to operate your own resolvers

Your ISP can still sniff your traffic.

Re:8.8.8.8 (3, Informative)

PReDiToR (687141) | more than 2 years ago | (#40033885)

If this bothers you, or anyone else, try to use https and secure connections wherever possible.
This means that without some directed effort on the part of your ISP (MITM/brute force) all your ISP knows is which site you visit, not the contents of your conversation with the servers.

HTTPS-Everywhere [eff.org] helps.

Re:8.8.8.8 (3, Insightful)

philip.paradis (2580427) | more than 2 years ago | (#40034117)

Great, so go ahead and set up fully tunneled point to point VPN communications from your home to $somewhere_else. I'm really not kidding; you're completely free to implement this. However, if you're operating at that level of paranoia, make sure you're operating your own DC, with your own fiber, etc. Then of course that upstream provider could still sniff your traffic, so make sure everything is encrypted, ad infinitum. Have fun with all that.

Re:8.8.8.8 (0)

hairyfeet (841228) | more than 2 years ago | (#40034775)

Or you can use Comodo DNS [comodo.com] which is good about blocking malware infested sites, or Open DNS [opendns.com] or one of the dozen or more free DNS servers out there.

If someone wants to use Google for DNS I hear that it's a good service but it isn't like we don't have a wealth of choices out there. No need to go through the hassle of running your own resolver unless you just want to.

Re:8.8.8.8 (1)

andydread (758754) | more than 2 years ago | (#40034965)

meh ... sudo apt-get install bind9

Re:8.8.8.8 (5, Insightful)

foradoxium (2446368) | more than 2 years ago | (#40032813)

I would worry more about your ISP being forced to cache (for 2 years) all the same information for the government or their employers to use than Google using your habits to form better directed ads..

http://www.capitol.hawaii.gov/measure_indiv.aspx?billtype=HB&billnumber=2288 [hawaii.gov]

all it takes is this legislation to gain footing in a few states, then the rest start caving.

Google watching you really should be the least of your online privacy worries..

Re:8.8.8.8 (1)

EvanED (569694) | more than 2 years ago | (#40032923)

Feel free to suggest alternative public DNS servers. I use Google's so that failed requests, you know, fail, unlike the DNS servers that the ISPs around here provide.

harumph! (5, Funny)

Anonymous Coward | more than 2 years ago | (#40033027)

DNS? pshaw!
If you just listened to APK and put everything in your HOSTS file, you wouldn't have to worry about any of this folderol!

Re:harumph! (4, Funny)

Anonymous Coward | more than 2 years ago | (#40033293)

DO NOT SUMMON HIM!

I don't put "everything" in my custom HOSTS file (0, Interesting)

Anonymous Coward | more than 2 years ago | (#40034765)

I only have 50 of my fav. sites "hardcoded" into it w/ their IP addresses resolved via reverse DNS pings (ping -a in Windows) to the ARPA "TLD" ( .in-addr.arpa ) that maintains that information (so it isn't bogus) via reverse DNS checks!

Then I block off 1,776,632++ KNOWN bad sites/servers/hosts-domains KNOWN to serve up malicious code or malware, botnet C&C servers, bogus DNS servers, adbanner servers & more threats or slowdowns online...

I do so, "automagically" every 15 minutes via a custom hosts file mgt. program that does the following for end users (Calling it "APK Hosts File Engine 5.0++"):

---

1.) Offers massively noticeable increased speed for websurfing via blocking adbanners

2.) Offers increased speed for users fav. sites by hardcoding them into the hosts file for faster IP address-to-host/domain name resolutions (which sites RARELY change their hosting providers, e.g.-> of 250 I do, only 6 have changed since 2006 - & when sites do because they found a less costly hosting provider? Then, they either email notify members, put up warnings on their pages, & do IP warnings & redirectors onto the former IP address range to protect vs. the unscrupulous criminal bidding on that range to buy it to steal from users of say, online banking or shopping sites).

3.) Better "Layered-Security"/"Defense-In-Depth" via blocking host-domain based attacks by KNOWN bad sites-servers that are known to do so (which IS, by far, the majority of what's used by both users (hence the existence of the faulty but for most part working DNS system), AND even by malware makers (since host-domain names are recyclable by they, & the RBN (Russian Business Network & others)) were doing it like mad with "less than scrupulous", or uncaring, hosting providers)

4.) Better 'anonymity' to an extent vs. DNS request logs (not vs. DPI ("deep packet inspection"))

5.) The ability to circumvent unjust DNSBL (DNS Block Lists) if unjust or inconveniences a user.

6.) Protection vs. online trackers

7.) Better security vs. the DNS system being "dns poisoned/redirected" (a known problem for recursive DNS servers via port 51/53 misdirection)

8.) Write protecting the hosts file every 1/2 second (supplementing UAC) - even if/when you move it from the default location via this registry entry (which if done, can function ALMOST like *NIX shadow passwords because of this program):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters

And changing the "DataBasePath" parameter there (I do this moving it to a faster media, a "true SSD" using DDR-2 RAM, in the 4gb Gigabyte IRAM I have).

9.) Automatic downloading & Alphabetic sorting of hosts files' records entries (for easier end user mgt. manually) from 15 reliable sources (of 17 I actually use).

10.) Manual editing of all files used (hosts to import list, hosts itself in its default location of %windir%\system32\drivers\etc, the hosts files to import/download & process, & favorite sites to reverse dns ping to avoid DNS (noted above why)).

11.) Removal scanners (if the users decide to remove hosts entries from imported data they can check if the site is indeed known as bad or not (sometimes 'false positives' happen, or just bad entries, or sites clean themselves up after infestation due to vulnerable coding etc./et al)).

12.) Removal of bloating material in many hosts files like Comments (useless bulk in a hosts file that's "all business")

13.) Removal of bloating material in many hosts files like Trailing comments after records (produces duplicates)

14.) Removal of bloating material in many hosts files like Invalid TLD entries (program checks this in a BETTER method than the API call "PathIsURL")

15.) Removal of bloating material in many hosts files like Trims entries (vs. trailing blanks bloat on record entries)

16.) Removal of bloating material in many hosts files like the conversion of the larger & SLOWER 127.0.0.1 blocking "loopback adapter" address (slower due to larger size bytes wise to parse, & slower if loopback happens) to the smaller/faster to parse & load 0.0.0.0

17.) Uniformity of ALL entries in hosts (as to records inserted & format they use - reducing bloat AND repeated bloating entries).

18.) Filtration-Removal of sites that IF in a hosts file are KNOWN to cause problems on larger portals that use CDN etc.

19.) Custom hosts files protect ALL webbound programs, not just webbrowsers (like AdBlock addons, & it doesn't even block ALL adbanners by default anymore) & it does so @ a more efficient faster level (Ring 0/RPL 0/Kernelmode) acting merely as a filter for the PnP design IP stack, vs. the slower level webbrowser programs & their addons operate in (Ring 3/RPL 3/Usermode), which addons slow them even more by "layering on" parsing & processing that browser addons layer on.

20.) Custom hosts files also offer the speedup to favorite sites noted above, & even firewalls + browser addons do NOT offer that...

---

Mr. Steven Burn of hpHosts/malwarebytes (who is hosting the program soon for me no less) says it is "excellent work"... & he is a coder himself, mind you. Doubt that? Write him here & inquire on that much -> services@it-mate.co.uk

* Can you state you're absolutely protected vs. that many bogus sites/servers/hosts-domains that are KNOWN to be harmful to you OR slow you down &/or attempt to "enslave" your system?

I doubt it...

(The rest is covered by common-sense procedures like NOT using java/javascript &/or plugins on "every site under the sun" via tools like NoScript in Firefox-Mozilla products, IE9 TPL's, & Opera "by site" preferences... including AdBlock addons for extra "layered-security"/"defense-in-depth"... all noted here -> http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Search&gbv=1&sei=fHW1T_TDOqGY6QGw7pXsDw [google.com] written by "yours truly", & yes, it actually works... )

So, so much for YOUR b.s., trying to make it sound as if I attempted to 'hardcode in' every site address there is on the internet as hardcoded favorites, because I do not DO that... & also of course, you're welcome to disprove ANY of the above, as well as what's below extolling the virtues of HOSTS files for added security, speed, reliability, & even anonymity to an extent vs. DNSBL's + DNS Request logs too...

(Good luck - you'll NEED it, because nobody here on this site or others have managed to do that...)

APK

P.S.=> 21++ ADVANTAGES OF HOSTS FILES over AdBlock & DNS Servers ALONE 4 Security, Speed, Reliability, & Anonymity (to an extent vs. DNSBL's + DNS request logs):

1.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).

2.) Adblock blocks ads (not anymore apparently, lol:

Adblock Plus To Offer 'Acceptable Ads' Option

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option [slashdot.org] )

in only browsers & their subprogram families (ala email), but not all, or, all independent email clients, like Outlook!)

Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc..

3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html [networkworld.com] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions (in-addr.arpa) via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current)).

* NOW - Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting IP address in your browser won't always work IS WHY. Some IP addresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work!

6.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs. HOSTS file are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can since hosts files run in MORE EFFICIENT & FASTER Ring 0/RPL 0/Kernelmode operations acting merely as a filter for the IP stack (via the "Plug-N-Play" designed IP stack in Windows) vs. SLOWER & LESS EFFICIENT Ring 3/RPL 3/Usermode operations (which webbrowsers run in + their addons like AdBlock slow down even MORESO due to their parsing operations).

7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
http://hosts-file.net/?s=Download [hosts-file.net]
https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]
http://ddanchev.blogspot.com/ [blogspot.com]
http://www.malware.com.br/lists.shtml [malware.com.br]
http://www.stopbadware.org/ [stopbadware.org]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

12.) With Adblock you had better be able to code javascript to play with its code (to customize it better than the GUI front does @ least). With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in) either via "hardcoding" your fav. sites into your hosts file (avoids DNS servers, totally) OR blocking out adbanners - see this below for evidence of that:

---

US Military Blocks Websites To Free Up Bandwidth:

http://yro.slashdot.org/story/11/03/16/0416238/US-Military-Blocks-Websites-To-Free-Up-Bandwidth [slashdot.org]

(Yes, even the US Military used this type of technique... because IT WORKS! Most of what they blocked? Ad banners ala doubleclick etc.)

---

Adbanners slow you down & consume your bandwidth YOU pay for:

ADBANNERS SLOW DOWN THE WEB: -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

---

And people do NOT LIKE ads on the web:

PEOPLE DISLIKE ADBANNERS: http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

As well as this:

Users Know Advertisers Watch Them, and Hate It:

http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

Even WORSE still, is this:

Advertising Network Caught History Stealing:

http://yro.slashdot.org/story/11/07/22/156225/Advertising-Network-Caught-History-Stealing [slashdot.org]

---

15.) HOSTS files usage lets you avoid being charged on some ISP/BSP's (OR phone providers) "pay as you use" policy http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] , because you are using less bandwidth (& go faster doing so no less) by NOT hauling in adbanner content and processing it (which can lead to infestation by malware/malicious script, in & of itself -> http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com] ).

16.) If/when ISP/BSP's decide to go to -> FCC Approving Pay-As-You-Go Internet Plans: http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] your internet bill will go DOWN if you use a HOSTS file for blocking adbanners as well as maliciously scripted hacker/cracker malware maker sites too (after all - it's your money & time online downloading adbanner content & processing it)

Plus, your adbanner content? Well, it may also be hijacked with malicious code too mind you:

---

Yahoo, Microsoft's Bing display toxic ads:

http://www.theregister.co.uk/2011/09/16/bing_yahoo_malware_ads/ [theregister.co.uk]

---

Malware torrent delivered over Google, Yahoo! ad services:

http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/ [theregister.co.uk]

---

Google's DoubleClick spreads malicious ads (again):

http://www.theregister.co.uk/2009/02/24/doubleclick_distributes_malware/ [theregister.co.uk]

---

Rogue ads infiltrate Expedia and Rhapsody:

http://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads/ [theregister.co.uk]

---

Google sponsored links caught punting malware:

http://www.theregister.co.uk/2008/12/16/google_sponsored_links/ [theregister.co.uk]

---

DoubleClick caught supplying malware-tainted ads:

http://www.theregister.co.uk/2007/11/13/doubleclick_distributes_malware/ [theregister.co.uk]

---

Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users:

http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/ [theregister.co.uk]

---

Real Media attacks real people via RealPlayer:

http://www.theregister.co.uk/2007/10/23/real_media_serves_malware/ [theregister.co.uk]

---

Ad networks owned by Google, Microsoft serve malware:

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge [slashdot.org]

---

Hackers Respond To Help Wanted Ads With Malware:

http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware [slashdot.org]

---

Hackers Use Banner Ads on Major Sites to Hijack Your PC:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick [wired.com]

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware [slashdot.org]

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus [slashdot.org]

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/article.pl?sid=09/09/13/2346229 [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com]

---

ISP's INJECTING ADS AND ERRORS INTO THE WEB: -> http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

ADOBE FLASH ADS INJECTING MALWARE INTO THE NET: http://it.slashdot.org/article.pl?sid=08/08/20/0029220&from=rss [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

http://www.securityweek.com/london-stock-exchange-web-site-serving-malware [securityweek.com]

---

Spotify splattered with malware-tainted ads:

http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ [theregister.co.uk]

---

As my list "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less)).

17.) Per point #16, a way to save some money: ANDROID phones can also use the HOSTS FILE TO KEEP DOWN BILLABLE TIME ONLINE, vs. adbanners or malware such as this:

---

Infected Androids Run Up Big Texting Bills:

http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills [slashdot.org]

---

AND, for protection vs. other "botnets" migrating from the PC world, to "smartphones" such as ZITMO (a ZEUS botnet variant):

http://www.google.com/search?hl=en&source=hp&q=ZITMO&btnG=Google+Search [google.com]

---

It's easily done too, via the ADB dev. tool, & mounting ANDROID OS' system mountpoint for system/etc as READ + WRITE/ADMIN-ROOT PERMISSIONS, then copying your new custom HOSTS over the old one using ADB PULL/ADB PUSH to do so (otherwise ANDROID complains of "this file cannot be overwritten on production models of this Operating System", or something very along those lines - this way gets you around that annoyance along with you possibly having to clear some space there yourself if you packed it with things!).

18.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

HOSTS files are NOT BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked, proving HOSTS files are a better solution for this because they cannot be blocked & detected for, in that manner), to that websites' users' dismay:

PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:

----

An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM

http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."

and

"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!

----

19.) Even WIKILEAKS "favors" blacklists (because they work, and HOSTS can be a blacklist vs. known BAD sites/servers/domain-host names):

---

PERTINENT QUOTE/EXCERPT (from -> http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row/ [theregister.co.uk] )

"we are in favour of 'Blacklists', be it for mail servers or websites, they have to be compiled with care... Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser)...

---

20.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

21.) Custom HOSTS files gain users back more "screen real estate" by blocking out banner ads...

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock ( http://adblockplus.org/en/ [adblockplus.org] ), IE 9's new TPL's ( http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] ), &/or NoScript ( http://noscript.net/ [noscript.net] especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"....

It's just that HOSTS files offer you a LOT MORE gains than Adblock ( http://adblockplus.org/en/ [adblockplus.org] ) does alone (as hosts do things adblock just plain cannot & on more programs, for more speed, security, and "stealth" to a degree even), and it corrects problems in DNS (as shown above via hardcodes of your favorite sites into your HOSTS file, and more (such as avoiding DNS request logs)).

ALSO - Some more notes on DNS servers & their problems, very recent + ongoing ones:

---

DNS flaw reanimates slain evil sites as ghost domains:

http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/ [theregister.co.uk]

---

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

---

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

---

DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

---

Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)

---

DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit:

https://threatpost.com/en_us/blogs/dns-hijacks-now-being-used-serve-black-hole-exploit-kit-121211 [threatpost.com]

---

DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak:

http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool [slashdot.org]

---

Potential 0-Day Vulnerability For BIND 9:

http://it.slashdot.org/story/11/11/17/1429259/potential-0-day-vulnerability-for-bind-9 [slashdot.org]

---

Five DNS Threats You Should Protect Against:

http://www.securityweek.com/five-dns-threats-you-should-protect-against [securityweek.com]

---

DNS provider decked by DDoS dastards:

http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/ [theregister.co.uk]

---

Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!)

http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218 [slashdot.org]

---

DNS ROOT SERVERS ATTACKED:

http://it.slashdot.org/it/07/02/06/2238225.shtml [slashdot.org]

---

TimeWarner DNS Hijacking:

http://tech.slashdot.org/article.pl?sid=07/07/23/2140208 [slashdot.org]

---

DNS Re-Binding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Server Survey Reveals Mixed Security Picture:

http://it.slashdot.org/it/07/11/21/0315239.shtml [slashdot.org]

---

Halvar figured out super-secret DNS vulnerability:

http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520 [zdnet.com]

---

BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml [slashdot.org]

---

DNS Poisoning Hits One of China's Biggest ISPs:

http://it.slashdot.org/it/08/08/21/2343250.shtml [slashdot.org]

---

DDoS Attacks Via DNS Recursion:

http://it.slashdot.org/it/06/03/16/1658209.shtml [slashdot.org]

---

High Severity BIND DNS Vulnerability Advisory Issued:

http://tech.slashdot.org/story/11/02/23/156212/High-Severity-BIND-Vulnerability-Advisory-Issued [slashdot.org]

---

Photobucket's DNS records hijacked:

http://blogs.zdnet.com/security/?p=1285 [zdnet.com]

---

Protecting Browsers from DNS Rebinding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Problem Linked To DDoS Attacks Gets Worse:

http://tech.slashdot.org/story/09/11/15/1238210/DNS-Problem-Linked-To-DDoS-Attacks-Gets-Worse [slashdot.org]

---

HOWEVER - Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:

Norton DNS -> http://nortondns.com/ [nortondns.com]
ScrubIT DNS -> http://www.scrubit.com/ [scrubit.com]
OpenDNS -> http://www.opendns.com/ [opendns.com]

(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz [norton.com] so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)

HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

20++ SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

"I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752) Homepage Journal

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050) Homepage Journal

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

"APK's monolithic hosts file is looking pretty good at the moment." - by Culture20 (968837) on Thursday November 17, @10:08AM (#38085666)

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

"It's a good write up on something everybody should use, why you were modded down is beyond me. Using a HOSTS file, ADblock is of no concern and they can do what they want." - by Trax3001BBS (2368736) on Monday December 12, @10:07PM (#38351398) Homepage Journal

"I want my surfing speed back so I block EVERY fucking ad. i.e. http://someonewhocares.org/hosts/ [someonewhocares.org] and http://winhelp2002.mvps.org/hosts.htm [mvps.org] FTW" - by UnknownSoldier (67820) on Tuesday December 13, @12:04PM (#38356782)

"Let me introduce you to the file: /etc/hosts" - by fahrbot-bot (874524) on Monday December 19, @05:03PM (#38427432)

"I use a hosts file" - by EdIII (1114411) on Tuesday December 13, @01:17PM (#38357816)

"I'm tempted to go for a hacked hosts file that simply resolves most advert sites to 127.0.0.1" - by bLanark (123342) on Tuesday December 13, @01:13PM (#38357760)

"this is not a troll, which hosts file source you recommend nowadays? it's a really handy method for speeding up web and it works." - by gl4ss (559668) on Thursday March 22, @08:07PM (#39446525) Homepage

"A hosts file certainly does not require "a lot of work" to maintain, and it quite effectively kills a LOT of advertising and tracking schemes. In fact, I never would have considered trying to use it for defending against viruses or malware." - by RocketRabbit (830691) on Thursday December 30 2010, @05:48PM (#34715060)

---

Then, there are also the words of respected security expert Mr. Oliver Day, from SECURITYFOCUS.COM, to "top that all off" as well:

A RETURN TO THE KILLFILE:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

PERTINENT QUOTES/EXCERPTS:

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, no less... & guess who was posting about HOSTS files a 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly (& this is one of the later ones, from 2001 http://www.furtherleft.net/computer.htm [furtherleft.net] (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates NTCompatible.com (where I posted on HOSTS for YEARS (1997 onwards)) -> http://www.ntcompatible.com/thread28597-1.html [ntcompatible.com] !

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also) and, you'll get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> http://yro.slashdot.org/story/10/12/09/1840246/Beating-Censorship-By-Routing-Around-DNS [slashdot.org] & even DNSBL also (DNS Block Lists) -> http://en.wikipedia.org/wiki/DNSBL [wikipedia.org] as well - DOUBLE-BONUS!

---

* POSTS ABOUT HOSTS FILES I DID on "/." THAT HAVE DONE WELL BY OTHERS & WERE RATED HIGHLY, 26++ THUSFAR (from +3 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

BANNER ADS & BANDWIDTH:2011 -> http://hardware.slashdot.org/comments.pl?sid=2139088&cid=36077722 [slashdot.org]
HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1461288&threshold=-1&commentsort=0&mode=thread&cid=30272074 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]
HOSTS MOD UP:2010 -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]
APK 20++ POINTS ON HOSTS MOD UP:2010 -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1862260&cid=34186256 [slashdot.org]
HOSTS MOD UP:2010 (w/ facebook known bad sites blocked) -> http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]
HOSTS FILE MOD UP FOR ANDROID MALWARE:2010 -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]
HOSTS MOD UP ZEUSTRACKER:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]
HOSTS MOD UP vs AT&T BANDWIDTH CAP:2011 -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]
HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]
HOSTS and BGP +5 RATED (BEING HONEST):2010 http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]
HOSTS & PROTECT IP ACT:2011 http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700 [slashdot.org]
HOSTS MOD UP:2011 -> http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458 [slashdot.org]
HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1197039&cid=27556999 [slashdot.org]
0.0.0.0 IN HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://it.slashdot.org/comments.pl?sid=1198841&cid=27580299 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1139705&cid=26977225 [slashdot.org]
HOSTS MOD UP:2009 -> http://hardware.slashdot.org/comments.pl?sid=1319261&cid=28872833 [slashdot.org] (still says INSIGHTFUL)
HOSTS MOD UP vs. botnet: 2012 -> http://it.slashdot.org/comments.pl?sid=2603836&cid=38586216 [slashdot.org]

---

* "Here endeth the lesson..." and, if you REALLY want to secure your system? Please refer to this:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

SOME MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS (except for Proxomitron, which has a filter that allows it) - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & Firefox has such a list, as does IE also in the form of TPL (tracking protection lists -> http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] , good stuff )) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - mvps.org covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem (mvps.org offers 2 types for this).

D.) HOSTS files, once read/loaded, once GET CACHED, for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a users' 1st request that's "Webbound" via say, a webbrowser) gets read into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcache (like ANY file is), so it reads F A S T upon re-reads/subsequent reads (until it's changed in %WinDir%\system32\drivers\etc on Windows, which marks it "Dirty" & then it gets re-read + reloaded into the local diskcache again). This may cause a SMALL lag upon reload though, depending on the size of your HOSTS file.

E.) HOSTS files don't protect vs. BGP exploits - Sorry, once it's out of your hands/machine + past any interior network + routers you have, the packets you send are out there into the ISP/BSP's hands - they're "the Agents" holding all the keys to the doorways at that point (hosts are just a forcefield-filter (for lack of a better description) armor on what can come in mostly, & a bit of what can go out too (per point #20 above on "locking in malware")). Hosts work as a "I can't get burned if I can't go into the kitchen" protection, for you: Not your ISP/BSP. It doesn't extend to them

F.) HOSTS files don't protect vs. IP addressed adbanners (rare) &/or IP address utilizing malwares (rare too, most used domain/host names because they're "RECYCLABLE/REUSABLE"), so here, you must couple HOSTS files w/ firewall rules tables (either in software firewalls OR router firewall rules table lists)... apk
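The resolver path the post above relies on, in working form: the HOSTS file is consulted before any DNS query, a name mapped to a sink address such as 0.0.0.0 or 127.0.0.1 never leaves the machine, and a favourite site can be pinned to a hardcoded address so a poisoned DNS answer is never asked for. This is an added example, not the poster's code and not a real operating-system resolver; every hostname, address and the stand-in DNS table are constructed. It also makes visible a limitation the post does not spell out: HOSTS matching is exact, so an entry for ads.example.com does nothing for cdn.ads.example.com, which is why a blocklist must enumerate every hostname and why a filtering DNS server or firewall rule is still needed underneath it.

```python
"""Toy model of HOSTS-before-DNS resolution and of HOSTS-based blocklists.

Added example for the thread above; not code from the original post.
All names, addresses and the fake DNS table below are constructed.
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Optional

# Addresses conventionally used to black-hole a name in a blocklist HOSTS file.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed HOSTS text in the usual format: <address> <name> [<name> ...] [# comment]
SAMPLE_HOSTS = """
# blocklist section (constructed example entries)
0.0.0.0   ads.example.com   tracker.example.net
127.0.0.1 cnc.example.org         # hypothetical C&C name, "locked in" as in point 20

# pinned section: hardcode a favourite site so a DNS answer is never needed for it
192.0.2.44 www.example.com
"""

# Constructed stand-in for the upstream DNS server.
FAKE_DNS: Dict[str, str] = {
    "ads.example.com": "203.0.113.10",
    "cdn.ads.example.com": "203.0.113.11",
    "www.example.com": "198.51.100.5",  # deliberately differs from the pinned HOSTS entry
}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} from HOSTS-format text.

    Names are lower-cased, '#' comments are stripped, several names may share
    one line, and a name listed twice keeps its first mapping.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names is not a usable entry
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def _key(name: str) -> str:
    """Normalise a lookup name the way the HOSTS table keys are stored."""
    return name.lower().rstrip(".")


def resolve(name: str, hosts: Dict[str, str], dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """HOSTS first, then DNS; None when neither knows the name."""
    key = _key(name)
    if key in hosts:
        return hosts[key]
    return dns.get(key)


def is_blocked(name: str, hosts: Dict[str, str]) -> bool:
    """True only when HOSTS maps this exact name to a sink address.

    Exact match is the point: blocking ads.example.com says nothing about
    cdn.ads.example.com, so every hostname to be blocked must be listed.
    """
    return hosts.get(_key(name)) in SINK_ADDRESSES


def blocklist_lines(names: Iterable[str], sink: str = "0.0.0.0", per_line: int = 9) -> List[str]:
    """Emit HOSTS lines that black-hole the given names, several names per line.

    Grouping keeps large lists short; the sink address is a parameter because
    the thread's own links discuss 0.0.0.0 versus 127.0.0.1.
    """
    unique = sorted({_key(n) for n in names})
    return [f"{sink} " + " ".join(unique[i:i + per_line]) for i in range(0, len(unique), per_line)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for n in ("ads.example.com", "cdn.ads.example.com", "www.example.com", "cnc.example.org"):
        print(f"{n:24} -> {resolve(n, hosts)!s:14} blocked={is_blocked(n, hosts)}")
    print("\n".join(blocklist_lines(["a.example", "b.example", "c.example"], per_line=2)))
```

Running it shows ads.example.com and cnc.example.org never reaching DNS, www.example.com answered from the pinned entry rather than the (different) DNS answer, and cdn.ads.example.com slipping straight through to DNS despite its parent being listed.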

Re:harumph! (1)

Just Some Guy (3352) | more than 2 years ago | (#40034833)

I hate you for that.

Re:8.8.8.8 (1)

Anonymous Coward | more than 2 years ago | (#40034737)

http://server.privacyfoundation.de/index_en.html

87.118.100.175
94.75.228.2
62.141.58.13
87.118.104.203
87.118.109.2

Even supports access on port 110 in case your ISP blocks port 53. You're welcome.

Re:8.8.8.8 (0)

Anonymous Coward | more than 2 years ago | (#40032799)

Unban Ethanol-fueled

Re:8.8.8.8 (1)

wmbetts (1306001) | more than 2 years ago | (#40033275)

He got banned?

Re:8.8.8.8 (0)

Anonymous Coward | more than 2 years ago | (#40033777)

Why is that comment rated so highly? The issue isn't with any one DNS provider. The issue is that there are hundreds of thousands of DSL modems that were manipulated by a piece of malware running on the local network and these modems now use (and relay to the local network) a DNS server at an address which used to be operated by the same people who distributed the malware. The addresses are now under the control of the FBI which has operated a DNS server in the meantime, but that "service" is going to be turned off and then all the people who don't realize that their DNS resolver has been hijacked will stop being able to use the Internet. You can tout Google's DNS server all you want: That's not going to help those who are oblivious to the problem. In other words, it's PEBCAC, not a DNS problem.

How DO I know that the checker web page is legit (1)

goombah99 (560566) | more than 2 years ago | (#40034373)

If DNS changer redirects gov.au then I could be looking at the look-alike DNS changer checker telling me all is fine? They should have listed this as an IP address.
My computer says it is 165.191.2.65 Is that what yours says?
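One way to answer the question in the last two comments without trusting any web page at all: read the resolver addresses the machine is actually configured with and compare them against the DNSChanger ranges. This is an added example, not code from anyone on this thread. The six ranges are the ones the FBI published for the rogue resolvers, written down here from memory of that advisory; confirm them against the current FBI/DCWG notice before acting on a result. The resolv.conf text is constructed sample input, and on Windows the equivalent input is the "DNS Servers" lines of `ipconfig /all`. The private-address branch is the case this story is about: when the PC points at the modem, the check has to be repeated on the modem's own upstream DNS setting, because that is where the hijack lives.

```python
"""Flag configured nameservers that fall inside the DNSChanger rogue ranges.

Added example for the thread above; not code from any poster. The sample
resolv.conf is constructed. ROGUE_RANGES is quoted from memory of the FBI
advisory (assumption: verify against the current notice before relying on it).
"""
import ipaddress
import re
from typing import List, Tuple

ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# Constructed /etc/resolv.conf: a hijacked entry, a public resolver, and a
# LAN gateway (the modem/router case this story is about).
SAMPLE_RESOLV_CONF = """
# Generated by NetworkManager (constructed sample)
search example.lan
nameserver 85.255.112.56
nameserver 8.8.8.8
nameserver 192.168.1.1
"""


def nameservers_from_resolv_conf(text: str) -> List[str]:
    """Extract the 'nameserver' addresses, ignoring comments and other keywords."""
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)\s*$", line)
        if match:
            servers.append(match.group(1))
    return servers


def check_server(server: str) -> str:
    """Classify one resolver address.

    'rogue <cidr>' : inside a DNSChanger range; this machine loses DNS when
                     the replacement servers are switched off.
    'forwarder'    : a private (LAN) address, i.e. the modem/router; any
                     hijack is in that device's upstream DNS setting, so
                     run this check again on the router's configuration.
    'ok'           : a public resolver outside the rogue ranges.
    'unparseable'  : not an IP address at all.
    """
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    for net in ROGUE_RANGES:
        if addr in net:          # version mismatch (v6 vs v4) simply yields False
            return f"rogue {net}"
    if addr.is_private:
        return "forwarder"
    return "ok"


def audit(text: str) -> List[Tuple[str, str]]:
    """Run check_server over every nameserver in a resolv.conf body."""
    return [(s, check_server(s)) for s in nameservers_from_resolv_conf(text)]


if __name__ == "__main__":
    for server, verdict in audit(SAMPLE_RESOLV_CONF):
        print(f"{server:16} {verdict}")
```

On a real machine, feed it the contents of /etc/resolv.conf (or the `ipconfig /all` output after extracting the addresses); a "forwarder" verdict means the answer is not yet known and the router's DNS page has to be read next.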

Re:8.8.8.8 (0)

Anonymous Coward | more than 2 years ago | (#40034567)

8.8.4.4, too.

4.2.2.[1-6] work as well.

Why not warn them? (4, Insightful)

l_bratch (865693) | more than 2 years ago | (#40032513)

Why don't they just start redirecting web users to a warning page explaining the situation to them at some point before the cut off date?

Re:Why not warn them? (3, Informative)

jeffmeden (135043) | more than 2 years ago | (#40032539)

Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

Re:Why not warn them? (0)

Anonymous Coward | more than 2 years ago | (#40032889)

They couldn't if their DNS doesn't return anything but the warning page.

Re:Why not warn them? (4, Insightful)

n5vb (587569) | more than 2 years ago | (#40032973)

Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

They couldn't if their DNS doesn't return anything but the warning page.

You would be amazed how many times some people would click the OK button before giving up and either telling everyone the Internet isn't working, or calling and screaming at their OS platform support until redirected to their ISP, and then calling their browser support instead and screaming at them. It's incredible the lengths to which some people will go to avoid reading what's on their effing screen..

Re:Why not warn them? (1)

ArhcAngel (247594) | more than 2 years ago | (#40033277)

THIS!

"Please...sir, if you stop yelling at me long enough I can explain to you why yelling at the computer guy will not get your internet fixed..."

Why bother warning them? (1)

plover (150551) | more than 2 years ago | (#40032689)

Why warn them at all? If they can't be bothered to keep their equipment in good working condition, which means free of malware, the rest of the internet doesn't need them polluting the waters.

We don't let people drive cars on public roads that risk the safety of the other drivers. Why should we put up with an infected virus-spewing computer?

Re:Why bother warning them? (1)

l_bratch (865693) | more than 2 years ago | (#40032767)

I see your argument, but they could do it purely to reduce the burden for all these clueless users' tech support people. Whether you like it or not, they are going to want their "internet" fixed...

Re:Why bother warning them? (0)

Anonymous Coward | more than 2 years ago | (#40032831)

It's not a burden. It's how I pay the bills.

Re:Why bother warning them? (4, Informative)

n5vb (587569) | more than 2 years ago | (#40033015)

There are some people who will call tech support whether they get a warning or not. Usually the wrong support, and usually to unload a half hour of angry rants that do absolutely nothing to fix the problem. If there's any reading involved beyond about the 2nd-3rd grade level, they'll ignore warning dialogs and just call and complain. This is a constant in the tech support universe.

(And I still have to laugh when people tell me their internet isn't working but they can send and receive email..)

Re:Why bother warning them? (0)

Anonymous Coward | more than 2 years ago | (#40033141)

I have spent close to 7 years working help desks, and I couldn't have said it better myself

Re:Why bother warning them? (0)

Anonymous Coward | more than 2 years ago | (#40033591)

But what does my not-working internet have to do with email?

Re:Why bother warning them? (2)

idontgno (624372) | more than 2 years ago | (#40032825)

(A) Not every jurisdiction enforces very much in the way of vehicle safety and emissions inspection laws, so your "We don't" is unsupportably broad. I could certainly agree with a more factually accurate phrase like "We shouldn't", but that's not very good reinforcement for your absolutist position. Sorry.

(B) Speaking of inspections, are you advocating for public safety inspections of online computing assets? It sure sounds like it. And if so, by whom and using what criteria, and very specifically how do you keep those criteria from devolving into some kind of corporatist rights grab a la pernicious DRM?

And (C), if you're not advocating public net-worthiness inspections of computers, your analogy breaks down, since the virus-infected computers in question have already had their road-safety incident. So, your phrase, more accurately stated, is "We don't let people drive cars on public roads that have already risked the safety of other drivers", in which case the response is "of course not, they're already wrecked."

Re:Why bother warning them? (4, Funny)

n5vb (587569) | more than 2 years ago | (#40033081)

I'm still in favor of the big red button with a clearly worded warning on it that says it will render the computer unusable and/or void the warranty if pressed. The people who read instructions and warnings and in general have some clue what they're doing will leave it alone and get years of service out of the computer; the ones who just poke and click at things totally at random when things don't do what they expect get what they deserve...

Re:Why bother warning them? (1)

idontgno (624372) | more than 2 years ago | (#40034561)

C'mon, you know it's inevitable.

How can he possibly resist the maddening urge to eradicate [his computer] at the mere push of a single button? The beautiful, shiny button? The jolly, candy-like button? Will he hold out, folks? Can he hold out?

you've won a brand new car [analogy] (3, Funny)

OrangeTide (124937) | more than 2 years ago | (#40032841)

"We don't let people drive cars on public roads that risk the safety of the other drivers."

Is that really true? I'm having difficulty believing that.

I think a better car analogy is:

"We imprison people for drunk driving, because it is a felony, unless they are Senators. Why not imprison people who spew viruses and malware too? (unless it's the NSA or RIAA)"

Re:you've won a brand new car [analogy] (1)

Chris Mattern (191822) | more than 2 years ago | (#40036117)

"We don't let people drive cars on public roads that risk the safety of the other drivers."

Is that really true? I'm having difficulty believing that.

Why is it hard to believe? In the US, at least, it's completely true; you can be ticketed for driving an unsafe car. Most states also have a regular safety inspection requirement. Here in Virginia, a car must get a safety inspection yearly and a car that does not have a valid inspection sticker (which displays the expiration date in big bold numbers) is not legal to drive on public roads.

Re:Why bother warning them? (1)

Jeng (926980) | more than 2 years ago | (#40032847)

If it was at all hard to warn them I would see your point, but warning them is so trivial that there is no reason not to do it.

Even with the warning though it ain't going to change anything. It will probably just freak them out.

Re:Why bother warning them? (1)

idontgno (624372) | more than 2 years ago | (#40034641)

But if the warning comes with a nice download link to fix the problem, that they can just click and make it all go away...

No, wait. Prior art. [wikipedia.org] The bad guys have already beat us to it.

I guess the only responsible thing we can do is freak them out and then disconnect 'em and put 'em out of our misery.

Re:Why bother warning them? (1)

lgw (121541) | more than 2 years ago | (#40032867)

You must seriously not have anyone who turns to you for tech support who has the ability to make you miserable if she, err, they want to.

Not to mention, this isn't about infected computers, but infected DSL modems, and how sure are you about yours, again? Or about whatever sits between the no-doubt-godlike-perfection of your PC and the DNS server? I seriously don't want to have to care about policing parts like that.

Re:Why bother warning them? (0)

Anonymous Coward | more than 2 years ago | (#40033103)

We don't let people drive cars on public roads that risk the safety of the other drivers.

Yes we, do and ritely so. Nothing in the constitutian says that car's must be roadorthy or driver's sober. In a true democracy, there will be free road's and nani state road's and people will be able to chose which one's to drive on.

--
roman_mir posting as AC forgot passwaor

Re:Why bother warning them? (0)

Anonymous Coward | more than 2 years ago | (#40033335)

Why warn them at all? If they can't be bothered to keep their equipment in good working condition, which means free of malware, the rest of the internet doesn't need them polluting the waters.

We don't let people drive cars on public roads that risk the safety of the other drivers. Why should we put up with an infected virus-spewing computer?

Considering this is slashdot, I'm sure your stance is that you should be able to use your internet connection however you want. It should be a dumb pipe. You should have unlimited access to spew out whatever you want because it's YOUR connection. If, for some reason, something responds badly to what you're spewing out, then it's not your problem. They should have configured their firewall better.

Yet, you wrote what is quoted.

It's popular on slashdot to exclaim that virus-infected computers should be cutoff from the internet by their ISP. But the gods be damned if you get throttled because of too many peer-to-queer downloads. I know you're not saying that in your post, but it reeks of that sentiment. And I've seen that sentiment a lot on this site.

HOLY CRAP, WHAT A TYPO! (2, Funny)

Anonymous Coward | more than 2 years ago | (#40033947)

peer-to-queer downloads

what an embarrassing Freudian slip.
you're running the buttorrent client I take it?

Re:Why bother warning them? (1)

Lumpy (12016) | more than 2 years ago | (#40033491)

"We don't let people drive cars on public roads that risk the safety of the other drivers."

You must not drive much. Here in Michigan our roads are full of complete morons that can't drive without being a risk to others.

Re:Why bother warning them? (1)

eyenot (102141) | more than 2 years ago | (#40034955)

I highly agree. It gives the whole sandbox thing a shiny glow.

Re:Why not warn them? (1)

bws111 (1216812) | more than 2 years ago | (#40032845)

I think that is an awful idea. The last thing you want to do is train people that it is OK, under any circumstances, to do what an unexpected or unsolicited web page says. That is, after all, exactly how scareware winds up getting installed.

The best thing to do is let them fail, and gear up the help desks to be ready with the onslaught of calls.

Re:Why not warn them? (1)

Verunks (1000826) | more than 2 years ago | (#40032901)

opendns [opendns.com] is doing that, but I think it's limited to websites hosted on Cloudflare that enabled this warning, so probably not many.

Captain Obvious (1, Interesting)

stretch0611 (603238) | more than 2 years ago | (#40032551)

The FBI has control of the DNS servers. Why can't they just resolve every address to point to a webserver instructing people how to fix their DNS settings?

Re:Captain Obvious (2)

jeffmeden (135043) | more than 2 years ago | (#40032683)

Surely there are options on the table. However, the fact that Vixie concluded that "these will be very difficult to re-program" when a group of Estonian hackers managed to do it through a completely illegitimate virus, completely remotely, is troubling. Something about the process must have been irreversible otherwise a simple "undo" page distributed through DNS forwarding could have taken care of it as soon as the servers were under FBI control.

What is more interesting is that they don't make any stabs at guessing how many of the victims are on what providers (just referring to them as "DSL".) Why not name names? You have the IPs of the vics. If AT&T saw 150,000 customers about to go dark, and so did Verizon and so did CenturyLink, I suspect the problem would be confronted more directly than a single powerpoint at some conference in *Australia*...

Re:Captain Obvious (1)

Anonymous Coward | more than 2 years ago | (#40032859)

Why not name names? You have the IPs of the vics.

"AAAAAARRRRRG Okay, you know what, nerds? Fuck you. That's it, we give up on keeping you assholes happy. First you spend the greater part of fifteen or so years bitching about how IP addresses don't identify people when it's a convenient argument for piracy, NOW you're bitching at US for not using IP addresses to identify people! So we've had it. Fuck you and your goddamned confusing subculture. You're a minority within a whiny, unpleaseable minority, you systematically find whatever loophole and technicality you can to refuse to give us any money or respect to begin with, and we're cutting off all your internet traffic except to our premium cable TV streaming websites." -- The government and major ISPs

Re:Captain Obvious (1)

Jeng (926980) | more than 2 years ago | (#40032899)

I think he was advocating letting the ISP's know, not the customers directly.

Re:Captain Obvious (1)

Anonymous Coward | more than 2 years ago | (#40033023)

He's talking about sending people to a page that tells them they are infected, not remotely fixing their crap. After a period of time to make sure they got the message, who cares if they go dark since they didn't fix their PC despite the message. Many people probably don't even know they are infected.

Re:Captain Obvious (1)

bws111 (1216812) | more than 2 years ago | (#40032907)

Because then you are teaching people that under some circumstances it is OK to follow instructions from an unexpected/unsolicited source. Imagine the flood of scareware that would arrive after that: THIS IS THE FBI! CHANGE YOUR DNS SETTINGS IMMEDIATELY!

Captain Obvious is a terrorist. (0)

Anonymous Coward | more than 2 years ago | (#40033795)

You can't do that, it would be efficient and sensible. We've eliminated all that sort of thing from both government and public discourse and we're all better off for it.

Now get back on the couch and drink your Reaganade.

ISP should warn them (2)

crow (16139) | more than 2 years ago | (#40032629)

Assuming that these were modems provided by their ISP, then the ISP has responsibility here. They can easily watch for packets going to the fake DNS servers, and then warn the customers by email, letter, and even phone. They should have done this back when the issue first arose, with steps to correct the problem included in a letter with the monthly bill.

Re:ISP should warn them (5, Funny)

dmacleod808 (729707) | more than 2 years ago | (#40032703)

I dunno, whenever I receive a letter from my ISP, I immediately destroy my hard drives and torch my house.

Re:ISP should warn them (3, Interesting)

Zocalo (252965) | more than 2 years ago | (#40032791)

That horse has long since bolted. The ISPs were notified, and it's also possible for them to check their IP space for infected hosts at the DNS Changer Working Group's website [dcwg.org] . The sad fact is that the ISPs in question have done the math and come to the conclusion that they can either:
  1. Notify their infected customers, at a cost of $x per customer, probably only to have most of their users either ignore the warning or contact the ISP's support line, potentially at additional cost to the ISP (unless they have a premium rate support service).
  2. Ignore the problem until the FBI's DNS servers are switched off, at which point, hopefully, many of the users will figure out the solution at no cost to the ISP, reducing the burden on the ISP's support desk and costs. Hey, everyone has to keep costs down, right?

Bonus douchebag points for any ISPs that have a large number of infected customers and have, purely coincidentally of course, moved support calls to a premium rate number in the last few months.

Re:ISP should warn them (2)

toygeek (473120) | more than 2 years ago | (#40035519)

Disclaimer: I work for a 3rd party contractor to Comcast. I don't work directly for them and I don't condone everything they do, so let's leave that out of the discussion.

Comcast does exactly this. When they see traffic going to the known hijacked IPs, the customer gets emails, popups, and generally annoyed to hell until they do something about it. It's not always hijacked DNS. Sometimes it's one infected device that is not owned by the customer, and it's a neighbor who is stealing their wifi. Solution: secure their wifi. Sometimes they cleaned the infections already, but their router is still hijacked.

AFAIK AT&T does the same thing, or something similar.

As much flak as ISPs get these days, there are some things they actually do right. And, there are some things that they fail so very, very horribly in. In this one, I think they've got it right.

The easy fix (2)

Megane (129182) | more than 2 years ago | (#40032671)

Presumably they know what IP was being checked for DNS. All an ISP has to do is spoof that IP internally with a manual route to their own DNS server. That should save a few truck rolls.

Re:The easy fix (0)

Anonymous Coward | more than 2 years ago | (#40033957)

That would be too smart though.

Let companies bid for them and put ads on error... (2)

stevenh2 (1853442) | more than 2 years ago | (#40032675)

I'm sure some companies will want to buy those servers so they can put ads on those error pages that pop when you enter a nonexistent domain.

When is modem not a modem? (0)

Anonymous Coward | more than 2 years ago | (#40032819)

When it's mostly a router, with a modem grafted on.

Scripted changes (3, Insightful)

dissy (172727) | more than 2 years ago | (#40032891)

I'm not sure I understand the problem...

Did this malware hit the DSL modem web-config page from the Internet to change its DNS settings?
Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?

One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.

If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.
The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.

Even if the modem web-config only answers to the LAN IP, and it was an infected Windows box that automatically reconfigured the router... wouldn't there be a password of some sort?

And why don't the ISPs maintain a "maintenance" subnet where they CAN access the DSL modem?

All the ISP needs to do is add a route to their core routers for the old DNS server IPs that will be going down soon, and redirect those packets to their internal DNS servers.

Failing that, the ISP can log any customers that access the hijacked DNS IPs, build up a list, and mail out a letter to them postal style. If they don't read their ISP's snail-mail, then they deserve whatever outage they get.
Believe me, once service goes down, they WILL be calling the ISP. I can understand wanting to lessen the massive amounts of calls they are expecting on the 9th, but in order to lessen that flood they will need to do Something. Anything. Anything except the nothing they seem to be doing.

Just set up a web site with all the info they need, which can be accessed with an IP alone. Give that to them on the phone. Include both the address and IP in the snail mail letter.
Hell, at that point the ISP can include a link that when clicked will connect to the internal IP of the router and submit new DNS settings in the GET request. A small amount of javascript will handle if a POST is needed.
There is clearly no password on the web interface to deal with, or they wouldn't have this problem from the malware in the first place, so this should be trivial to fix semi-automated, and likely totally automated with a bit more work.

This sounds more like laziness and ineptness rather than any technical reason for fixing the problem.
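The ISP-side check that crow's post above ("watch for packets going to the fake DNS servers, and then warn the customers") and dissy's post ("log any customers that access the hijacked DNS IPs, build up a list") both describe, written out as an added example. This is not code from the thread, the FBI, the DCWG or any ISP. The flow-log line format and the sample records are constructed for the example; the rogue resolver ranges are the ones on the public FBI/DCWG DNSChanger list and should be verified against dcwg.org before anyone acts on them.

```python
import re
import ipaddress
from collections import defaultdict

# Rogue resolver ranges from the public FBI/DCWG DNSChanger list.
# Treat as an assumption: verify against dcwg.org before acting on them.
ROGUE_DNS_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]


def is_rogue_resolver(addr: str) -> bool:
    """True if addr falls inside one of the rogue DNSChanger resolver ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROGUE_DNS_RANGES)


# Constructed flow-log line format for this example (not a real exporter's format):
#   <timestamp> <proto> <src_ip>:<sport> -> <dst_ip>:<dport> <bytes>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)


def parse_flow(line: str):
    """Parse one flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_infected_customers(lines):
    """Count DNS queries (port 53) per source IP that went to a rogue resolver.

    Returns {customer_ip: query_count}. Only port 53 is counted: other traffic
    into the rogue ranges is not evidence that the subscriber's resolver is
    hijacked.
    """
    hits = defaultdict(int)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # unparseable record: skip rather than guess
        if rec["dport"] == 53 and is_rogue_resolver(rec["dst"]):
            hits[rec["src"]] += 1
    return dict(hits)


def customers_to_notify(hits, min_queries=1):
    """Subscriber IPs with at least min_queries rogue DNS lookups, sorted."""
    return sorted(ip for ip, n in hits.items() if n >= min_queries)


def rogue_resolvers_in(configured):
    """End-user side: which of a device's configured resolvers are rogue.

    Feed it the gateway's upstream resolvers, not a LAN host's. A PC that
    points at 192.168.1.1 looks clean here even when the router behind that
    address has been changed to forward to the rogue servers.
    """
    return [a for a in configured if is_rogue_resolver(a)]


# Constructed sample flows (documentation addresses for the subscribers).
SAMPLE_FLOWS = [
    "2012-05-15T10:00:01Z udp 198.51.100.10:51234 -> 85.255.112.45:53 72",
    "2012-05-15T10:00:02Z udp 198.51.100.10:51235 -> 85.255.112.45:53 68",
    "2012-05-15T10:00:03Z udp 198.51.100.11:40000 -> 8.8.8.8:53 70",
    "2012-05-15T10:00:04Z tcp 198.51.100.12:44000 -> 93.188.161.10:53 120",
    "2012-05-15T10:00:05Z tcp 198.51.100.12:44001 -> 85.255.120.9:80 512",
    "this line is not a flow record",
]

if __name__ == "__main__":
    hits = find_infected_customers(SAMPLE_FLOWS)
    for ip in customers_to_notify(hits):
        print(f"notify {ip}: {hits[ip]} queries to rogue resolvers")
    print("gateway resolvers flagged:",
          rogue_resolvers_in(["192.168.1.1", "85.255.112.45"]))
```

The same range list is what you would hand to a router ACL or NAT rule if you took the "redirect the rogue IPs to our own resolvers" route instead of notifying; the counting step matters because a single stray packet to those ranges (a port scan, a security researcher's probe) is not the same thing as a subscriber whose gateway forwards every lookup there.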

Re:Scripted changes (1)

uncqual (836337) | more than 2 years ago | (#40033069)

If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.

I don't know much about DNSChanger, but in general I don't think this is necessarily true. If one was going to infect DSL modems with something like DNSChanger, it would be sensible to also attempt to have DNSChanger cut off the ability to make further changes (at least by anyone but the authors/distributors of DNSChanger - perhaps requiring a password known only to these parties).

Re:Scripted changes (3, Informative)

DeadboltX (751907) | more than 2 years ago | (#40033425)

From FBI PDF http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf [fbi.gov]

What Does DNSChanger Do to My Computer?
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.

Re:Scripted changes (0)

Anonymous Coward | more than 2 years ago | (#40034939)

What web server? My 2001 Westell (an old beige model never exposed to sunlight yet faded anyway) doesn't have a web page or a router built in. I supply my own router (P3 running IPCop) and use custom DNS (those 4.2.2.x ones from VZ were slow and started mucking around with some things).

My modem is just a layer-2 ppp to 100Mb ethernet converter (up to 12Mb for the DSL phone line end but ISP only goes to 6 in my area) So i guess there is nothing to worry about.

I wouldn't trust any modem that came from my ISP with a router, and would rip it out and use my own or request one without it.

Re:Scripted changes (1)

toygeek (473120) | more than 2 years ago | (#40035603)

I'm not sure I understand the problem...

Did this malware hit the DSL modem web-config page from the Internet to change its DNS settings?

No. Most routers do not allow the admin page to be accessed via the wan side, only the lan side.

Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?

Or Mac malware. But in general, yes. Most residential routers have pretty weak default passwords and are a cinch to get into.

One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.

If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.

You're right, that was a dumb assumption. Even over the back-end control channels of whatever sort that ARE used, nothing having to do with the overall configuration can be changed. Most ISPs use such communication to check modem status etc., but not to change DNS info or passwords. That would be security suicide and they aren't quite that dumb.

The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.

Even if the modem web-config only answers to the LAN IP, and it was an infected Windows box that automatically reconfigured the router... wouldn't there be a password of some sort?

And why don't the ISPs maintain a "maintenance" subnet where they CAN access the DSL modem?

All the ISP needs to do is add a route to their core routers for the old DNS server IPs that will be going down soon, and redirect those packets to their internal DNS servers.

Failing that, the ISP can log any customers that access the hijacked DNS IPs, build up a list, and mail out a letter to them postal style. If they don't read their ISP's snail-mail, then they deserve whatever outage they get.

See my reply above regarding most of what you said. And see my other post above about how most providers do send out email, snail mail, popups etc. over hijacked DNS.

Believe me, once service goes down, they WILL be calling the ISP. I can understand wanting to lessen the massive amounts of calls they are expecting on the 9th, but in order to lessen that flood they will need to do Something. Anything. Anything except the nothing they seem to be doing.

Just set up a web site with all the info they need, which can be accessed with an IP alone. Give that to them on the phone. Include both the address and IP in the snail mail letter.
Hell, at that point the ISP can include a link that when clicked will connect to the internal IP of the router and submit new DNS settings in the GET request. A small amount of javascript will handle if a POST is needed.
There is clearly no password on the web interface to deal with, or they wouldn't have this problem from the malware in the first place, so this should be trivial to fix semi-automated, and likely totally automated with a bit more work.

This sounds more like laziness and ineptness rather than any technical reason for fixing the problem.

Um, you're wrong. Getting users to actually a) read email that's important, b) pick up the phone, and c) even initiate automatic tasks is like getting your 90 year old grandma to change her own oil.

Holy shit, timothy edited something!?!! (0)

Anonymous Coward | more than 2 years ago | (#40032893)

The original title had "loose" instead of "lose" and was much more awkward than the title actually published.

Editors EDITING?! What's next? Dogs and cats living together? Mass hysteria?!?!?!?!?

Re:Holy shit, timothy edited something!?!! (2)

pjt33 (739471) | more than 2 years ago | (#40033297)

He still missed correcting "Internet elder" to "elder of the Internet".

Re:Holy shit, timothy edited something!?!! (1)

Jeng (926980) | more than 2 years ago | (#40033913)

And my first thought was Got Proof?

New computers (1)

jgotts (2785) | more than 2 years ago | (#40033101)

Many of these DSL customers will buy a new computer in July. And then will probably switch to cable. I think a tiny minority will realize that their DSL modem is cooked and be able to convince their ISP of the same.

What the fuck, slashdot (0)

Anonymous Coward | more than 2 years ago | (#40033171)

Why would a DSL modem be querying DNS? I can understand this bullshit on msn.com or something, but slashdot?

Re:What the fuck, slashdot (1)

Anonymous Coward | more than 2 years ago | (#40033667)

Because they probably act as a router and caching DNS server, too?

TR-069 (4, Interesting)

stewwy (687854) | more than 2 years ago | (#40033313)

Some modems implement this TR-069 (remote config) protocol. At least some of the clueless should have this active; I'm surprised it's not used more widely by ISPs. Of course anyone with half a brain will have it disabled (do you want your ISP to control your router?), and if you have it disabled at least you know your modem/router HAS a config page. But still, it's for exactly this reason it's there.

This is a trivial number (5, Insightful)

Skleed (660612) | more than 2 years ago | (#40033411)

In 2009, there were 32 million DSL modems in the United States. http://www.internetworldstats.com/am/us.htm [internetworldstats.com]

Even if there has been no growth in DSL usage, 100,000 modems represents 0.3% of all DSL users.

BUT, this 100,000 number is world wide modems that have been compromised. That makes the actual percentage of modems affected so small that it hardly seems worth the time to calculate it.

Turn the "bad" DNS off, and most tech support lines will not even notice the increase in support calls.

screw them, they are the infected idiots of the n (0)

Anonymous Coward | more than 2 years ago | (#40033549)

screw them, they are the infected idiots of the net

duh (3, Interesting)

IGnatius T Foobar (4328) | more than 2 years ago | (#40033563)

So the malware guys found a bunch of unpatched DSL modems with a vulnerability that allowed the resolver to be reconfigured remotely, and pointed it towards the "bad" DNS servers.

So why not just go to the "bad" DNS servers, which they now control, find out the IP addresses of the compromised modems, and use the same vulnerability to reconfigure the resolver to point back to "good" DNS servers?

Re:duh (1)

Anonymous Coward | more than 2 years ago | (#40035353)

1. Who will pay for this to happen?
2. Who takes responsibility if it breaks?
3. Who has legal liability when a customer claims the change caused their children to grow wings and start worshipping the devil and gets a lawyer?

If you are a criminal - 1 to 3 don't matter. If you are a company or organisation they do.

In short - the routers will break, it will be painful for a few months - ISPs will send a bunch of new routers and everyone will stop caring.

Re:duh (1)

toygeek (473120) | more than 2 years ago | (#40035627)

Most routers and modems do not have remote control available over the WAN. Any consumer grade router will have the WAN access turned off by default; you have to be on the local LAN to get to the admin interface. But once you infect a Mac or PC with DNS Changer malware, it's trivial to run a script to change the DNS on the router. That's why it's smart to change the password on your router. But most people don't even secure their wifi unless that's the default config.

Why does anyone care about this? (0)

Anonymous Coward | more than 2 years ago | (#40033781)

Seriously, cut off the freaking modems already and give them a message that they need to change. I am SO sick of this issue littering SlashDot.

Why would a MODEM need DNS? (1)

Gothmolly (148874) | more than 2 years ago | (#40035427)

Surely the modem is a layer1/layer2 device, and not anything higher? Why does the modem itself need DNS settings?

Re:Why would a MODEM need DNS? (1)

geminidomino (614729) | more than 2 years ago | (#40035689)

I was wondering the same thing. Then I remembered a few years back when my provider, replacing a modem that had taken a power surge, tried to pawn off one of those "NAT router/modems" on me.

If they're being used as such, for internal DHCP, that might be a problem, I guess...
