I am getting a message from google that my system may be infected with DNSchanger malware. Is there any support for removing this threat? My attempts at finding antispyware for linux have been futile.
Travis
I doubt that the virus works on linux BUT:
if you use a router and you did not secure your username / password, maybe it reconfigured your router to use their DNSs
same thing as above applies for your machine…
maybe your ISP got root-ed? Check the nameservers they provide.
Reading about it, check what nameservers you use and compare with their blocks: Checking for DNS Changer on Windows XP | DCWG
Cheers.
On 06/02/2012 07:46 AM, travisg96 wrote:
> DNSchanger malware
what version of openSUSE are you using?
are you directly connected to the net, or via a public/free or shared wifi?
are you connected to the net through a proxy? one controlled by someone
else (like in an office, on campus, in a dorm, etc)
are you seeing that google warning only when booted to Windows?
only when using some wifi and not others?
are you running Linux inside a VM running in Windows?
copy/paste this into a terminal and then copy/paste the output of
grep -v '^#' /etc/resolv.conf
and compare the IPs you see in that output to the list of rogue servers
listed in this document:
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
note, i believe it highly unlikely the problem is inside your Linux
system…please let us know what you find…i guess your wifi provider
or ISP is running Windows “servers”…
–
dd
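The check dd describes above (strip the comment lines from /etc/resolv.conf and compare each nameserver IP to the rogue ranges in the linked FBI document), written out as an added Python example; it is not code from anyone in this thread. The suspect ranges in it are constructed placeholders taken from the RFC 5737 documentation networks, because the real rogue ranges are in the PDF rather than in the thread; replace them with that list before use. The range parser accepts both CIDR and "start-end" notation (the form such lists are usually published in), and the resolv.conf parser also handles trailing comments, IPv6 nameservers and malformed entries, which the one-line grep does not.

```python
"""Flag nameservers in resolv.conf that fall inside known-bad ranges.

Added example for this thread, not code from any poster. The ranges in
SUSPECT_RANGE_SPECS are CONSTRUCTED placeholders (RFC 5737 documentation
networks); substitute the rogue DNSChanger ranges from the FBI/DCWG list.
"""
import ipaddress
import sys


def parse_range(spec):
    """Return a list of networks for either CIDR ("192.0.2.0/24") or
    "start-end" ("192.0.2.0-192.0.2.255") notation."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


# Constructed placeholders standing in for the real rogue-server ranges.
SUSPECT_RANGE_SPECS = [
    "192.0.2.0/24",
    "198.51.100.0-198.51.100.255",
    "203.0.113.0/24",
]
SUSPECT_RANGES = [net for spec in SUSPECT_RANGE_SPECS for net in parse_range(spec)]


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf text.

    Like `grep -v '^#' /etc/resolv.conf`, but also drops trailing comments,
    ignores search/domain/options lines and skips entries that are not
    valid IP addresses (glibc itself only reads the first token after
    'nameserver').
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # malformed entry, e.g. a hostname instead of an IP
    return servers


def suspect_nameservers(text, ranges=SUSPECT_RANGES):
    """Return (nameserver, matching_range) string pairs for every nameserver
    in the resolv.conf text that lies inside one of the suspect ranges."""
    hits = []
    for ip in parse_nameservers(text):
        for net in ranges:
            if ip.version == net.version and ip in net:
                hits.append((str(ip), str(net)))
                break
    return hits


# Constructed sample, in the shape NetworkManager or a DHCP client writes it.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.test
nameserver 192.168.1.1        # the home router, handed out by DHCP
nameserver 198.51.100.7       # inside a placeholder suspect range
nameserver 2001:db8::53
nameserver not-an-ip
"""

if __name__ == "__main__":
    # Usage: python3 check_resolv.py [/etc/resolv.conf]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_RESOLV_CONF
    hits = suspect_nameservers(text)
    if hits:
        for ip, net in hits:
            print(f"SUSPECT nameserver {ip} falls inside {net}")
    else:
        print("no nameserver matched the suspect ranges")
```

Run it against the real file with `python3 check_resolv.py /etc/resolv.conf`; without an argument it checks the constructed sample. A hit only tells you which resolver the machine is currently using, so, as later posts in the thread point out, the next question is where that address came from: a router handing it out over DHCP, a NetworkManager profile, or a hand-edited file.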
It might be your linux machine that is infected. Read this carefully :
Google warns DNSChanger victims - The H Security: News and Features
Here are the instructions for “disinfecting” :
DNSChanger-Check - dnschanger.eu
On 06/02/2012 09:46 AM, glistwan wrote:
> It might be your linux machine that is infected.
how might that have happened?
as far as i can see the IPs of rogue DNS would have to be entered into
/etc/resolv.conf…an operation which can only be done with root
powers…so, are you saying that the OP has been browsing the net as root?
if so, s/he may be both a “DNSChanger victim” and rooted (and imho
deserves to be both)…
if browsing as root was done, and resulted in the machine being
DNSChanger “infected” then the simple repair instructions provided from
the link give will be insufficient since they rely on using Windows AV
products which are worthless on openSUSE…instead i would suggest the
only rational remedy would be to:
backup all data which is wished to be retained (do NOT backup any
config files, including those in /home)
full format and new install, from a known good (tested) 11.4 or 12.1
install disk
restore data from backup
do not log into the desktop as root (and run no browser with root
powers)!
–
dd
No. You don’t need to browse as root to get this infection. Out of date java plugin is perfectly sufficient. I don’t know how it’s done exactly but I guess that in similar fashion to this exploit.
About the security content of Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7
It’s a cross platform thing and I guess almost nobody running OS X runs the browser there with root powers.
On 06/03/2012 12:26 PM, glistwan wrote:
> No. You don’t need to browse as root to get this infection.
no, that page says: “Visiting a web page containing a maliciously
crafted untrusted Java applet may lead to arbitrary code execution with
the privileges of the current user.”
so, to be ‘infected’ to the point that resolv.conf is changed to the
“DNS Changer” rogue server’s IPs requires that the “current user” be
root… (ie, browsing as root)
see how that works?
so, my advice stands: if s/he browsed as root, s/he has a suspected
breached system and . . .
–
dd
Hmm so I wonder how come more than 500K OS X were infected?
Flashback Mac Trojan Hits More than 500K Machines | threatpost
So many people run their browsers with root power on OS X ? I honestly doubt that. It’s a different exploit than mac changer but still it looks as though this can do a lot more damage than running something with current user power.
On 06/03/2012 08:06 PM, glistwan wrote:
> Hmm so I wonder how come more than 500K OS X were infected?
half a million OSX machines were NOT “infected” by DNS Changer (which is
the subject of THIS thread)…and, the subject of this thread REQUIRES
changing of a file which can ONLY be done by root!
> ‘Flashback Mac Trojan Hits More than 500K Machines | threatpost’
> (http://tinyurl.com/6rrl27k)
a trojan which does NOT require root powers to change a root owned
configuration file to direct the Mac to a bogus DNS Server…instead
it uses the Mac as a botnet member with only USER (non-root) powers of
(for example) sending spam…
another way to say that: you do NOT have to browse as root with your Mac
in order to acquire that trojan…
> So many people run their browsers with root power on OS X ? I honestly
> doubt that.
if all did, or none ever did it has absolutely zero bearing on THIS
thread, because THIS thread’s focus uses an entirely different attack
vector than the Flashback Mac Trojan…
> It’s a different exploit than mac changer but still it looks
> as though this can do a lot more damage than running something with
> current user power.
a lot of damage to users of OSX…NOT openSUSE or Linux, yet.
let me say this: do not browse with Linux as root ever…especially
don’t start doing that just because the Mac folks browsing as a user
have a problem (a problem which is NOT reported for Linux)
understand?
–
dd
Heh, I see the spirits got quite hot…
And this I guess because the OP’s problem with the DNSChanger virus warning is not cleared by the people / av vendors that detected this threat - ignorance is bliss for the windows users…
Indeed, since we have no real info about this threat except “it changes the nameservers”, it’s logical to assume that the DNS change on the machine could have taken place if the user got rooted or like dd said.
If the OP uses a router which serves DHCP to connect to the internet, maybe the change was done there, like I suggested in the first post, so he should check if the router got rooted.
So I guess we have to wait for input from the OP to see what happened.
Ohh, could it be a false positive even from google?
Cheers and chill out.
On 06/04/2012 09:46 AM, ghostintheruins wrote:
> Cheers and chill out.
i’m not unchilled…just tried to emphasize some important facts that
seemed to be missed, over and over and over…
on the other hand, your corrupted router input is certainly a possible
candidate for attention…while resolv.conf being rewritten by a sneaky
‘infection’ with only user permissions is not.
–
dd
Yep I do but I never said to run your browser as root. On the other hand it seems to me you miss my point completely, which is that Linux is not as secure as it used to be and as some people think it is.
Also keep in mind that for example NetworkManager can change the resolv.conf and the applet is run by a regular user.
Peace
On 2012-06-04 09:46, ghostintheruins wrote:
> Indeed, since we have no real info about this threat except “it changes
> the nameservers”, it’s logical to assume that the DNS change on the
> machine could have taken place if the user got rooted or like dd said.
The DNSchanger virus is a Windows virus. There is also a MAC trojan.
“and attempt to hack into any detected router to change the DNS”
The dnschanger.eu basically checks to see if your IP is in the databases of
the servers they control; if you are on dynamic IP, the IP could belong
earlier to a windows user.
Also another machine on the same router might use Windows and was attacked.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 06/04/2012 01:36 PM, glistwan wrote:
> On the other
> hand it seems to me you miss my point completely, which is linux is not
> as secure as it used to be and as some people think it is.
yes, Linux is as secure as ever…actually it is more secure today than
it was ten years ago, but the security of any machine is the
responsibility of that machine’s administrator…and, i grant you that
many machines today are administrated by people without a good
understanding of how to make and keep their machine secure…
so, there are probably more consumer machines on the net today with poor
security–but, that is NOT caused by either a frailty in Linux itself
or the continued proliferation of Windows malware or Apple’s slowness
in plugging holes in its implementation of java…
> Also keep in mind that for example NetworkManager can change the
> resolv.conf and the applet is run by a regular user.
i can’t figure out how to change name servers in Network Manager as a
user, so perhaps you could instruct me on that.
> Peace
–
Peace is my profession,
dd
Totally agree with you here.
> Also keep in mind that for example NetworkManager can change the
> resolv.conf and the applet is run by a regular user.
i can’t figure out how to change name servers in Network Manager as a
user, so perhaps you could instruct me on that.
For example you can create different profiles with static entries or with ip address assigned with DHCP and static DNS entries.
Once you have a few profiles just switch between them and your resolv.conf will change as well.
On 06/05/2012 02:36 PM, glistwan wrote:
> For example you can create different profiles with static entries or
> with ip address assigned with DHCP and static DNS entries.
> Once you have a few profiles just switch between them and your
> resolv.conf will change as well.
hmmmmm…you are way ahead of me…i can’t see how to create
“profiles”
so lets start with:
you launch Network Manager (how?) and switch to “Manage Connections” or
“Create Network Connections” or “New Wired Connections”…
wait! since
linux-os114:/etc # ls -hal resolv*
-rw-r--r-- 1 root root 950 May 24 21:23 resolv.conf
then, if you as a user can change your resolv.conf using Network Manager
(with only user permissions) then i’d say that is a BUG which should be
squashed…
and, since you claim you can duplicate that ability (and i can’t) then
i’d suggest you visit: http://tinyurl.com/nzhq7j and log the security
bug you have discovered…the community will be very appreciative of you
for closing that glaring security hole!
please, after you have initiated the bug return here with its bug number
as i wish to follow the progress of fix…
–
dd
I don’t think it’s a bug because actually you need root rights to create the profile and later on I think polkit or DBUS to change the file.
On 2012-06-05 15:19, dd@home.dk wrote:
> then, if you as a user can change your resolv.conf using Network Manager
> (with only user permissions) then i’d say that is a BUG which should be
> squashed…
No, no, network manager is designed to do such things as user. It gets
powers via policykit or whatever 12.1 uses.
I reckon I’m not familiar with that application, but as far as I recall it
can configure the network for a user without requesting the root password -
and if it does, they will change that, there are talks about that currently.
If not, if you use dhcp the dns is automatically changed from the router,
and this virus is known to attack some routers.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)