Quote from: Phishing Activity Trends Report, Q1 2008
http://www.antiphish...ort_Q1_2008.pdf
Definition: Crimeware code which is designed with the intent of
redirecting end-users’ network traffic to a location where it was not
intended to go to. This includes crimeware that changes hosts files
and other DNS-specific information, crimeware browser-helper objects
that redirect users to fraudulent sites, and crimeware that may
install a network level driver or filter to redirect users to
fraudulent locations. All of these must be installed with the
intention of compromising information which could lead to identity
theft or other credentials being taken with criminal intent.
Along with phishing-based keyloggers, we are seeing high increases in
traffic redirectors. In particular, the highest volume is in malicious
code which simply modifies your DNS server settings or your hosts file
to redirect either some specific DNS lookups or all DNS lookups to a
fraudulent DNS server. The fraudulent server replies with “good”
answers for most domains; however, when they want to direct you to a
fraudulent one, they simply modify
their name server responses. This is particularly effective because
the attackers can redirect any of the users' requests at any time and
the end-users have very little indication that this is happening as
they could be typing in the address on their own and not following an
email or Instant Messaging lure.
--
So, the question!
HOW can I (and others) check to make sure this is not happening?
TIA
Dave
XP Home SP3 Wireless connection to Netgear router (Broadband via phone line)
#1
Posted 11 September 2008 - 02:15 PM
#2
Posted 11 September 2008 - 03:21 PM
Don't open spam email, and don't click on links if you do open it. Don't post your email address on the www anywhere, and don't forward email with addresses in it. When an email asks you to log on to whatever account, if you even have that account, open a new browser window and log on. Then see if there is indeed any business you need to attend to for that account. Rarely is that the case.
#3
Posted 11 September 2008 - 07:59 PM
JeanInMontana, on Sep 11 2008, 04:21 PM, said:
Don't open spam email, and don't click on links if you do open it. Don't post your email address on the www anywhere, and don't forward email with addresses in it. When an email asks you to log on to whatever account, if you even have that account, open a new browser window and log on. Then see if there is indeed any business you need to attend to for that account. Rarely is that the case.
However, it doesn't address the question!
Attackers can redirect any of the users' requests at any time and the end-users have very little indication that this is happening
There must be some way to tell. Does anyone have any suggestions? TIA
Dave
#4
Posted 20 September 2008 - 03:16 PM
~BD~, on Sep 11 2008, 08:59 PM, said:
Good general advice, JeanInMontana. Thank you.
However, it doesn't address the question!
Attackers can redirect any of the users' requests at any time and the end-users have very little indication that this is happening
If I am in doubt, how can I check that my Hosts file contains nothing untoward?
Spybot puts dozens of 'bad' sites in there and I have no idea which ones should be there!
Any thoughts on this? TIA
Dave
#5
Posted 20 September 2008 - 09:25 PM
Anything that's in there from SBS&D should be in there, or if you're using a file like hpHosts or any of the others, like MVPHosts. The purpose of the Hosts file is to avoid bad sites. If SBS&D is adding them, leave them. And a redirect is quite obvious. You don't go to the site you intended to go to.
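The distinction Jean draws is mechanical enough to check by script. Blocklist tools point unwanted hostnames at a sink address (127.0.0.1 or 0.0.0.0), so the browser can never reach them; a traffic redirector does the opposite and points a hostname you do want at a routable address somewhere else. The address column therefore separates "blocklist entry" from "entry that deserves a look". The following is an added example, not code from the thread, Spybot S&D or any hosts-file project; it uses only the Python standard library, assumes the XP default hosts path under %SystemRoot%, and falls back to a constructed sample file (labelled in the code, using reserved .test names and RFC 5737 documentation addresses) when run somewhere that file does not exist.

```python
"""Audit a Windows hosts file for redirect-style entries (added example)."""
import ipaddress
import os

# Addresses blocklist tools use as a sink: nothing answers there, so the
# hostname on that line is being blocked, not redirected.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# RFC 1918 and link-local ranges.  An entry pointing here is usually a home-LAN
# convenience (a NAS, a printer); worth a look, but not in itself a redirect.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Default location on Windows XP and later.  Assumption: %SystemRoot% is set.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "system32", "drivers", "etc", "hosts")

# Constructed sample, not the poster's file: the stock localhost line, two
# Spybot-style block entries, two lines of the kind a redirector plants, and
# one LAN entry.  Hostnames use reserved .test names where possible and the
# addresses are RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.example-adserver.test
0.0.0.0         tracker.example.test    # also a sink
# End of entries inserted by Spybot - Search & Destroy
203.0.113.45    www.example-bank.test  online.example-bank.test
198.51.100.7    www.google.com
192.168.1.20    nas.home
"""


def parse_hosts(text):
    """Return [(line_no, address, [hostnames])] for every non-comment entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # strip trailing comments
        if len(fields) >= 2:
            entries.append((line_no, fields[0], fields[1:]))
    return entries


def classify_address(addr):
    """'sink' (blocks the name), 'lan', 'redirect' (routable elsewhere), or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in SINK_ADDRESSES or ip.is_loopback or ip.is_unspecified:
        return "sink"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "redirect"


def audit_hosts(text):
    """Return the entries worth a second look: (line_no, address, hostnames, kind)."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        kind = classify_address(addr)
        if kind != "sink":
            findings.append((line_no, addr, names, kind))
    return findings


if __name__ == "__main__":
    try:
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text, source = fh.read(), HOSTS_PATH
    except OSError:
        text, source = SAMPLE_HOSTS, "built-in sample"
    print(f"Auditing {source}")
    for line_no, addr, names, kind in audit_hosts(text):
        print(f"  line {line_no}: {kind:8s} {addr:16s} {' '.join(names)}")
```

On the sample this reports the two "redirect" lines (a bank hostname and www.google.com pointing at routable addresses) and the one "lan" line, and stays silent on everything Spybot-style. A clean result from this check only covers the hosts file; a redirector that changed the configured DNS server instead leaves the hosts file untouched.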
#6
Posted 20 September 2008 - 10:36 PM
JeanInMontana, on Sep 20 2008, 10:25 PM, said:
Anything that's in there from SBS&D should be in there, or if you're using a file like hpHosts or any of the others, like MVPHosts. The purpose of the Hosts file is to avoid bad sites. If SBS&D is adding them, leave them.
OK - I do understand. I'm not sure, though, if there are any which may have been added from elsewhere! I have no idea how to check. I suppose I could delete all entries and then let Spybot reload it.
Quote
And a redirect is quite obvious. You don't go to the site you intended to go to.
From the way you 'say' that, Jean, it seems that you think the redirection will always be obvious. Silly example: you type in www.google.com and the page opens at the Yahoo web site.
My interpretation is that the page one finds oneself looking at looks exactly as you might expect it to - but it's not the Real McCoy! It is a forgery which might tempt you to download what you think is a bona fide programme/facility but which may well have been 'doctored'!
Have I got hold of the wrong end of the stick?
Dave
#7
Posted 21 September 2008 - 01:25 AM
What you're describing is a phished site, and you don't type in anything. They are links in emails. Easy to avoid. Don't click on them. If you have any reason to go to the site at all then open a new window in the browser and go there. Don't use the link in the spam email. Don't open the spam email. Do some Googling and read up on this stuff, Dave. You're just as capable of learning it on your own, and it's likely to make more sense and stick with you if you actually do the looking. Google "phish" and start reading.
#8
Posted 21 September 2008 - 07:14 AM
JeanInMontana, on Sep 21 2008, 02:25 AM, said:
What you're describing is a phished site, and you don't type in anything. They are links in emails. Easy to avoid. Don't click on them. If you have any reason to go to the site at all then open a new window in the browser and go there. Don't use the link in the spam email. Don't open the spam email. Do some Googling and read up on this stuff, Dave. You're just as capable of learning it on your own, and it's likely to make more sense and stick with you if you actually do the looking. Google "phish" and start reading.
With the greatest of respect, Jean ............
Please reconsider the first post in this thread where I quoted:-
"Along with phishing-based keyloggers, we are seeing high increases in
traffic redirectors. In particular, the highest volume is in malicious
code which simply modifies your DNS server settings or your hosts file
to redirect either some specific DNS lookups or all DNS lookups to a
fraudulent DNS server. The fraudulent server replies with “good”
answers for most domains; however, when they want to direct you to a
fraudulent one, they simply modify
their name server responses. This is particularly effective because
the attackers can redirect any of the users' requests at any time and
the end-users have very little indication that this is happening as
they could be typing in the address on their own and not following an
email or Instant Messaging lure".
HTH
Dave
#9
Posted 21 September 2008 - 09:00 AM
My mistake.
#10
Posted 21 September 2008 - 12:36 PM
I'm using a firewall with a DNS checker; it checks the DNS response I get from my ISP's DNS, or whatever DNS is configured (by malware?) on my system, against the response from a trusted third-party DNS.
If they are not the same I get a pop-up which warns me about the different results before a connection is made.
Otherwise it will be very difficult to tell if you are visiting the "good" site; I guess you need to trace the domains every time and check the results...?
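The cross-check the firewall in the post performs can be reproduced by hand: ask the resolver the system is configured to use, ask a resolver you chose yourself, and compare the A records. Because the fraudulent server described in the APWG quote answers truthfully for most names, the comparison has to be run for the specific names you care about (bank, webmail, update servers), not for a random one. The following is an added example, not the firewall product's code and not from the thread; it uses only the Python standard library, speaks plain DNS over UDP port 53, and takes the two resolver addresses as assumptions supplied by the user on the command line. Run without arguments it works offline on a constructed response (labelled in the code) so the parsing and comparison can be seen without any network.

```python
"""Cross-check DNS A records from the configured resolver against a trusted one
(added example)."""
import random
import socket
import struct
import sys


def build_query(name, txid):
    """Minimal DNS query: one question, type A, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # two-byte compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                       # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return (txid, set of IPv4 addresses) from the answer section of a message."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    addrs = set()
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, addrs


def build_response(txid, name, addrs, ttl=300):
    """Construct a response the way a server would; used for the offline sample."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(a) for a in addrs)   # name via pointer to offset 12
    return header + question + answers


def compare_answers(configured, trusted):
    """'match', 'partial' (overlap: usually CDN/geo variation), 'mismatch', or 'no-answer'."""
    if not configured and not trusted:
        return "no-answer"
    if configured == trusted:
        return "match"
    if configured & trusted:
        return "partial"
    return "mismatch"


def query_a(name, server, timeout=3.0):
    """Live lookup over UDP/53; checks the transaction id before trusting the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    rtxid, addrs = parse_a_records(data)
    if rtxid != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return addrs


def check_name(name, configured_server, trusted_server):
    """Return (verdict, configured_addrs, trusted_addrs) for one hostname."""
    configured = query_a(name, configured_server)
    trusted = query_a(name, trusted_server)
    return compare_answers(configured, trusted), configured, trusted


if __name__ == "__main__":
    if len(sys.argv) == 4:          # usage: script.py <hostname> <configured-dns> <trusted-dns>
        print(check_name(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:                           # offline demonstration on a constructed exchange
        name = "www.example-bank.test"
        honest = parse_a_records(build_response(1, name, ["203.0.113.10"]))[1]
        forged = parse_a_records(build_response(2, name, ["198.51.100.7"]))[1]
        print(name, compare_answers(forged, honest), forged, honest)
```

The "partial" verdict exists because large sites answer with different addresses from different resolvers (load balancing by geography), so a plain inequality would warn constantly; a result with no overlap at all, for a bank or webmail hostname, is the one worth stopping for. The check only covers resolver substitution: a hosts-file entry bypasses DNS entirely and is caught by auditing the hosts file instead.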