11 (IDNOG01) DNS Changer by Alfonso Tanujaya


Transcript of 11 (IDNOG01) DNS Changer by Alfonso Tanujaya

Page 1: 11 (IDNOG01) DNS Changer by Alfonso Tanujaya

DNSchanger 2014

Alfons Tanujaya

Page 2

DNSchanger 2007

• Active 2007 - 2011
• Infected more than 4 million computers, PC and Mac
• Online advertising, spam, scams
• Profit: 140 billion
• 8 March 2012, servers brought down: a small internet apocalypse?

Page 3

DNSchanger 1

Page 4

Page 5

DNSChanger 2014

Page 6

What is this?

• No antivirus of any brand can handle this malware.
• It affects not only Windows but also Linux, Mac and Android phones.
• Even if the computer is formatted, it happens again.
• Sea-surf = CSRF

Page 7

Page 8

CSRF: Cross Site Request Forgery

A type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

The attack is blind, so it is not good for credential stealing. But an ordinary weapon in a smart criminal's hands can be deadly.

Page 9

[Diagram: two flows against the same site. Normal login: GET → login form → POST username (UN) and password (PS) → session cookie is set. CSRF: GET of the attacker's page → auto-submitted form → POST, which the browser sends with the session cookie attached.]

Page 10

DNSChanger 2014

• Changes the DNS of vulnerable routers.
• Logs all traffic → proxy, credential leak.
• Leads to malware installation.
• Leads to forged websites, which can lead to credential leaks.
• Improper advertisements, porn, malware, etc.
• How many victims? 300.000 routers x 5 users = 1,5 million computers.

Page 11

How it happens

A single GET request to the router's LAN/DHCP configuration page is enough to rewrite the DNS servers handed out to every client:

http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=162.248.99.162&dnsserver2=199.85.127.10&Save=%B1%A3+%B4%E6

Page 12

List of vulnerable routers

• TP Link
• D-Link
• Micronet
• Tenda

Page 13

Solution

Sea Surf

SEA MONKEY

Page 14

SOLUTION

• Upgrade the firmware ← not always successful → OpenWRT (WiT?)
• Solution: set the DNS on the client to the ISP's or Google's DNS; the local DNS setting overrides the router's, unless the router forces its own
• TFA challenge token
• Do not use web-based administration
• Use https
• Use a separate browser dedicated to router administration, different from the one used for browsing
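As an added example (not part of the slides), the Python below checks router admin requests seen in a proxy or router access log for the pattern on the "How it happens" slide: a request to the DHCP/DNS page whose dnsserver values are not on an allow-list and whose Referer is missing or from another origin, which is the CSRF tell that the challenge-token recommendation above is meant to remove. The allow-list, the malicious referer host and the sample log entries are constructed assumptions; only the TP-Link path and the two resolver addresses come from the slide.

```python
from urllib.parse import urlsplit, parse_qs

# Resolvers the LAN is supposed to use: the router itself plus public
# resolvers, as the "set DNS on the client" advice suggests (constructed).
ALLOWED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}
# Admin endpoint that rewrites DHCP/DNS settings (the TP-Link path on the slide).
DNS_CONFIG_PATHS = {"/userRpm/LanDhcpServerRpm.htm"}

def dns_change_findings(url, referer=None):
    """Reasons one admin-UI request looks like a CSRF-driven DNS change;
    an empty list means nothing suspicious."""
    target = urlsplit(url)
    if target.path not in DNS_CONFIG_PATHS:
        return []
    findings = []
    for key, values in parse_qs(target.query).items():
        if key.lower().startswith("dnsserver"):  # dnsserver, dnsserver2, ...
            findings += [f"resolver {key}={v} not on allow-list"
                         for v in values if v not in ALLOWED_DNS]
    if not findings:
        return []  # switching to approved resolvers is routine admin work
    # The CSRF tell: the router's own pages send the router's origin as
    # Referer; a forged request arrives from another site or with none.
    if not referer:
        findings.append("no Referer header")
    elif urlsplit(referer).netloc != target.netloc:
        findings.append(f"Referer origin {urlsplit(referer).netloc} is not the router")
    return findings

def scan_log(entries):
    """entries: iterable of (url, referer) pairs; returns the flagged ones."""
    flagged = []
    for url, referer in entries:
        findings = dns_change_findings(url, referer)
        if findings:
            flagged.append((url, findings))
    return flagged

# Constructed sample log: the slide's request issued from a malicious page,
# a legitimate change made from the router's own UI, and an unrelated page.
SAMPLE_LOG = [
    ("http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100"
     "&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=162.248.99.162"
     "&dnsserver2=199.85.127.10&Save=%B1%A3+%B4%E6", "http://evil.example/landing.html"),
    ("http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&dnsserver=8.8.8.8"
     "&dnsserver2=8.8.4.4&Save=Save", "http://192.168.1.1/userRpm/LanDhcpServerRpm.htm"),
    ("http://192.168.1.1/example_status.htm", None),
]
```

Running scan_log(SAMPLE_LOG) flags only the first entry, with both foreign resolvers and the cross-origin Referer listed; a client that pins its own DNS, as the solution slide advises, would not be affected even when this request succeeds.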

Page 15

Resource

http://cxsecurity.com/issue/WLB-2012100027