Monday, April 13, 2009

Your phone could become a problem for someone else.


Last Friday I was getting this weird problem with random rogue DNS entries on random client workstations in my domain. The DNS entries were 69.42.88.21 and 69.42.88.22. I couldn't find any public records or run a whois or anything. Yet, I googled the above IP addresses and found two email strings, both posted 4/7/09, noting the same IP addresses. Other networks were having similar issues: bogus web browsing, problems with internal name resolution, etc. My gut told me this was a worm, and that it was related to Conficker because of web browsing problems! Fortunately, my gut was wrong.

I am running Symantec Endpoint Protection on my network; the definitions were current, and full client scans (on obviously infected machines) picked up nothing. Turns out, I had a rogue DHCP server intrusion, which means that I probably had very few "infected" machines. A rogue DHCP server is basically a device that gets infected with malware, then enters another network and falsely answers requests for IPs. We observed several symptoms of this, but the most notable symptom was that numerous other clients received bad DNS info: some had browser problems, some had fake "ipconfig /all" DNS server entries, and some even had fake DNS entries entered directly into their network TCP/IP properties. This sort of malware apparently can enter a network on a laptop or mobile device (like a visitor's laptop or Blackberry or--god forbid!--an iPhone), which was probably our culprit. We have proactive antivirus scanning on all our machines, but we weren't actively scanning network traffic for packets that may contain bad DNS info.

Our solution, thus far, is to install a portion of Symantec's Endpoint software called Intrusion Detection. It runs on all client machines, notifying the client and/or admin when network settings are suspiciously changed.

A couple more thoughts are contained here:
http://ossie-group.org/blog/?m=200903

As far as finding the viral culprit, that proved more difficult. Despite a slew of messed-up machines, I only found one instance of malware, and deleted it manually. The rest of the machines healed themselves eventually after many DNS flushes.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=3

For the moment, I'm glad to have resolved this issue, which--surprisingly--hasn't hit more networks yet. However, I'm still a little dissatisfied with my network security (and I probably always will be!) because I'm not sure *exactly* what Symantec's Intrusion Prevention software is doing. I'm also not totally sure what people mean when they encourage "monitoring DNS traffic" (see the first link I posted). I'd much prefer a way to effectively lock down the DNS info on all my clients, somehow ensuring that it can't be changed unless it comes from my DHCP server, but that is a little above my head.
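One concrete form of the monitoring mentioned above, as an added example that is not part of the original post: a Python check that parses DHCP OFFER/ACK payloads and flags any reply whose server identifier (option 54) or DNS servers (option 6) are not on an allowlist. The 10.0.0.x addresses and the sample packets are constructed assumptions; 69.42.88.21 and 69.42.88.22 are the rogue resolvers named in this post.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie (RFC 2131)
ALLOWED_DHCP = {"10.0.0.2"}                 # assumption: the real DHCP server
ALLOWED_DNS = {"10.0.0.10", "10.0.0.11"}    # assumption: the real resolvers

def parse_options(payload):
    """Return {option code: raw bytes} from a DHCP message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def to_ips(data):
    """Split packed IPv4 addresses (4 bytes each) into dotted strings."""
    return [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, len(data) - 3, 4)]

def check_reply(payload):
    """Return findings for a DHCP OFFER/ACK; an empty list means clean."""
    opts = parse_options(payload)
    if payload[0] != 2 or opts.get(53) not in (b"\x02", b"\x05"):
        return []                                   # not an OFFER or ACK
    findings = []
    server = (to_ips(opts.get(54, b"")) or ["unknown"])[0]   # option 54
    if server not in ALLOWED_DHCP:
        findings.append(f"unauthorized DHCP server {server}")
    for dns in to_ips(opts.get(6, b"")):                      # option 6
        if dns not in ALLOWED_DNS:
            findings.append(f"unexpected DNS server {dns}")
    return findings

def build_reply(server, dns_servers, msg_type=5):
    """Constructed sample: a minimal DHCP ACK with options 53, 54 and 6."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    opt = lambda code, data: bytes([code, len(data)]) + data
    return (bytes([2, 1, 6, 0]) + bytes(232) + MAGIC + opt(53, bytes([msg_type]))
            + opt(54, pack(server)) + opt(6, b"".join(map(pack, dns_servers))) + b"\xff")

GOOD = build_reply("10.0.0.2", ["10.0.0.10", "10.0.0.11"])        # constructed
ROGUE = build_reply("10.0.0.77", ["69.42.88.21", "69.42.88.22"])  # constructed
```

Feed `check_reply` the UDP payloads of packets sent to port 68 in a capture. On managed switches, DHCP snooping blocks server replies from untrusted ports, which gets closer to the lock-down asked about above.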

2 comments:

ochre said...

hey, i'm a network tech looking after a pretty big network and i've had the same problem. i found your blog just now while trying to see what's up with these dns servers. i'm 99% sure this is being caused by the flush.m trojan which i read about in this ars technica article:
http://arstechnica.com/security/news/2009/03/new-version-of-dns-server-trojan-flushm-spotted-in-the-pipe.ars ...we were having this same problem but caused by the dns servers mentioned in the article up until this past friday. then it changed over to the 69 addresses. hope that helps you out. i don't have a good solution unfortunately.

Jill said...

so my first thought when i found your blog via jana's was, "hey, why have i not been reading bryan's blog?" ... and then i read the first two sentences of this post. "oh... that's why!"