DNS Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

DNS Spoofing vs DNS Hijacking
https://gridinsoft.com/blogs/dns-spoofing-vs-dns-hijacking/
Wed, 03 Jul 2024 14:09:09 +0000
The Domain Name System (DNS) plays a crucial role in IP networks: DNS servers map host names to their corresponding IP addresses. Whoever can alter the answers a client receives can redirect users to IP addresses of their choosing, away from their intended destinations. One way to do this without touching any server is to modify the name-resolution files on the client itself, such as the HOSTS file (/etc/hosts on Unix-like systems, C:\Windows\System32\drivers\etc\hosts on Windows). Entries in this file are consulted before any DNS query is sent, so the computer connects to the address listed there and the DNS server is never asked.

Redirecting a single user is easy once you can edit the HOSTS file on their machine, but modifying that file across many devices does not scale. Attackers therefore often target the DNS server, or the resolver the clients use, instead: a single change there alters the answers for every querying client. There are various ways to manipulate a DNS server, but most of them require gaining control over it.

What Is DNS and How Do DNS Servers Function?

Let’s revisit what DNS means. The Domain Name System is a foundational internet service that facilitates the conversion of human-readable domain names into machine-understandable IP addresses. Here are some essential components related to DNS:

  • IP Address (Internet Protocol): A unique string of numbers assigned to each computer and server on a network, allowing them to locate and communicate with each other.
  • Domain: A memorable text name, like “www.google.com,” that corresponds to the IP address of a server, simplifying the process of connecting to websites.
  • Domain Name System (DNS): This system translates domain names into IP addresses.
  • DNS Servers: four kinds of server take part in a lookup: the recursive resolver, the root name servers, the top-level domain (TLD) name servers and the authoritative name servers. For simplicity, this post focuses on the resolver.
  • Recursive Resolver: the server your system's stub resolver hands the query to, usually run by your ISP, your organization or a public provider (8.8.8.8, 1.1.1.1). It begins the translation process by querying the other servers in turn until it finds the IP address associated with the domain name, and it caches the answer for later clients.
What is DNS and how does it work?

The DNS Lookup Process

When you enter a website’s domain name, the following process unfolds:

  1. Your web browser and operating system (OS) first look for the domain's IP address locally: the browser cache, the OS resolver cache and the hosts file.
  2. If nothing is found locally, the OS sends the query to the recursive resolver it has been configured with.
  3. The resolver walks the chain of root, TLD and authoritative servers (or serves the answer from its own cache), returns the IP address to your OS, and the OS relays it to your web browser.

The DNS lookup process is a critical infrastructure component across the internet. However, vulnerabilities in DNS can expose users to security risks, such as malicious redirects, underscoring the importance of awareness and preventive measures.
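To make the lookup concrete, here is an added example (not code from the original post) of the DNS wire format the steps above use: it builds an A-record query, parses the reply, and discards any reply whose 16-bit transaction ID does not match the query, which is the one check a classic client has against a forged answer. The reply builder at the bottom constructs offline sample input; resolve() sends a real query over UDP to an assumed public resolver (8.8.8.8) and is only needed when you want to try it against the network.

```python
import random
import socket
import struct

# Added example, not from the original post: a minimal RFC 1035 client.
# encode_name/build_query produce the query; read_name/parse_response parse the reply;
# build_sample_response constructs a reply so the code can be exercised offline.

def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=None):
    """Header (ID, flags with RD=1, QDCOUNT=1) followed by one question (QTYPE, QCLASS=IN)."""
    if txid is None:
        txid = random.randrange(1 << 16)  # the only unpredictable field in a classic query
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_response(msg, expected_txid):
    """Return [(name, ttl, ipv4)] for the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch; discarding reply")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers

def resolve(name, server="8.8.8.8", timeout=3.0):
    """Send the query over UDP/53 and parse the reply (needs network access)."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, txid)

def build_sample_response(query, ipv4, ttl=300):
    """Constructed reply to `query` for offline use: QR=1 RD=1 RA=1, one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = struct.pack("!H", 0xC00C)                  # pointer to the question name at offset 12
    answer += struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query("www.example.com", txid=0x1234)
    print(parse_response(build_sample_response(q, "93.184.216.34"), 0x1234))
```

The transaction-ID check in parse_response is exactly the weak spot the cache-poisoning posts below exploit: an attacker who can guess the ID (and, on a resolver that never randomizes it, the source port) can feed this parser an answer of their choosing.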

What is DNS Hijacking?

DNS hijacking, also known as DNS redirection, is a broad term that describes any attack where a perpetrator manipulates an end user’s device into connecting with a fraudulent domain or IP address, under the guise of a legitimate domain. This type of attack can deceive users into thinking they are interacting with a legitimate site when they are not.

There are numerous methods of DNS hijacking, and not all of them are malicious. A common legitimate example is the captive portal on pay-per-use Wi-Fi: the access point intercepts DNS requests until the user has paid, so regardless of the user's settings every request leads to the payment page where the user can purchase access.

Another prevalent method is altering the DNS settings on the client device. An attacker changes the configured resolver from a legitimate service such as Google's 8.8.8.8 to a server under their control. When the user then opens a sensitive site such as their online banking website, the rogue resolver answers with the address of a fake site, which acts as a proxy and captures everything the user sends. The DNSChanger trojan famously did exactly this, rewriting the resolver settings on infected hosts; it is rare now but was once a significant threat.
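The settings-level hijack described above is also the easiest one to audit. The following is an added example, not code from the original post, that checks the two places a local hijack lands: the configured nameservers and hosts-file overrides for sensitive names. The allowlist of resolvers, the watched names and the sample inputs are assumptions made for the example; on Windows the same checks would run over the output of Get-DnsClientServerAddress and the hosts file under System32\drivers\etc.

```python
import ipaddress
import re

# Added example, not from the original post. TRUSTED_RESOLVERS and WATCHED_NAMES are
# assumptions standing in for an organization's own policy.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
WATCHED_NAMES = {"www.bank.example", "bank.example", "login.microsoftonline.com"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def nameservers(resolv_conf):
    """All 'nameserver <addr>' entries from /etc/resolv.conf-style text, in order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, flags=re.MULTILINE)

def hosts_entries(hosts_text):
    """(ip, hostname) pairs from a hosts file; comments and blank lines are skipped."""
    pairs = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs

def is_local(addr):
    """RFC 1918 / ULA / loopback / link-local: the normal corporate or home resolver case."""
    return addr.is_loopback or addr.is_link_local or any(addr in n for n in LOCAL_NETS)

def audit(resolv_conf, hosts_text, trusted=TRUSTED_RESOLVERS, watched=WATCHED_NAMES):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    for ns in nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append("unparseable nameserver entry: %s" % ns)
            continue
        # A public resolver outside the allowlist is what a DNSChanger-style hijack looks like.
        if ns not in trusted and not is_local(addr):
            findings.append("untrusted public resolver configured: %s" % ns)
    for ip, name in hosts_entries(hosts_text):
        if name in watched:
            findings.append("hosts-file override for %s -> %s" % (name, ip))
    return findings

# Constructed sample input. 203.0.113.0/24 is a documentation range, chosen so that
# no real host is named; any public address outside the allowlist would be flagged.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.168.1.1
nameserver 203.0.113.53
"""
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.bank.example    # added by the intruder
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS):
        print(finding)
```

Running the audit periodically from an endpoint agent, and alerting on any non-empty result, catches the DNSChanger class of hijack regardless of which malware family made the change.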

Other hijacking tactics include exploiting vulnerabilities in DNS server software, manipulating domain registration systems (changing a domain's name servers at the registrar), or using visually deceptive domain names (homograph attacks). An early phishing example used the domain paypaI.com, where a capital 'I' stood in for the lowercase 'l' of PayPal.com, misleading users into thinking it was the legitimate site. With internationalized domain names (IDNs), which let labels contain non-Latin characters such as Cyrillic letters that look identical to Latin ones, these attacks have become even harder to spot by eye.
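The two look-alike tricks just described, a confusable ASCII letter and a non-Latin character that renders like a Latin one, can be caught with the same check. The following is an added example, not code from the original post: it decodes punycode so the Unicode form is inspected, flags labels that mix scripts, and compares a confusable-folded "skeleton" of the domain with a list of protected brands. The CONFUSABLES table is an illustrative subset of my own, not the full Unicode confusables data, and the brand list is an assumption.

```python
import unicodedata

# Added example, not from the original post. CONFUSABLES is a small hand-picked subset:
# characters that commonly render like an ASCII letter in web fonts.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek ο α ν
}

def to_unicode(domain):
    """Decode xn-- (punycode) labels; plain ASCII labels are left untouched."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Fold confusables to their ASCII look-alike, case-insensitively."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in to_unicode(domain))
    folded = folded.casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def scripts_in(label):
    """Script names (first word of the Unicode character name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}

def check_domain(domain, protected_brands):
    """Findings for one domain: mixed-script labels and brand look-alikes."""
    findings = []
    uni = to_unicode(domain)
    for label in uni.split("."):
        found = scripts_in(label)
        if len(found) > 1:
            findings.append("mixed scripts in label %r: %s" % (label, sorted(found)))
    for brand in protected_brands:
        if skeleton(domain) == skeleton(brand) and uni.casefold() != brand.casefold():
            findings.append("%s looks like %s" % (domain, brand))
    return findings

if __name__ == "__main__":
    cyrillic_a = "p\u0430ypal.com"                      # 'a' is U+0430, not U+0061
    for d in ("paypal.com", "paypaI.com", cyrillic_a,
              cyrillic_a.encode("idna").decode("ascii")):
        print(d, check_domain(d, ["paypal.com"]))
```

Browsers apply a similar mixed-script test before deciding whether to display an IDN label in Unicode or in its xn-- form, which is why the punycode form is what a user most often sees when a label is suspicious.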

What Is DNS Spoofing?

DNS spoofing refers to any attack that changes the DNS records returned to the requester to a response chosen by the attacker, for example by cache poisoning or from a man-in-the-middle position on the path between the client and the resolver. The terms "DNS hijacking" and "DNS spoofing" are sometimes used as synonyms. Paid Wi-Fi access points in airports and hotels use the same mechanism to steer unauthenticated clients to the portal, and network security teams can use it as a quarantine tool to isolate an infected device.

Difference Between DNS Spoofing and DNS Hijacking

DNS spoofing and DNS hijacking are often confused because both end with the victim connecting to an attacker-chosen address, but they differ in what is tampered with. DNS spoofing (cache poisoning) forges the answer: fake records are injected into a cache, whether the resolver's or the local system's, so that a correctly configured client receives the wrong IP address and is redirected to a malicious website. DNS hijacking (DNS redirection) changes who gets asked: malware on the local computer, or an attacker with access to the router or the domain's registrar account, points the TCP/IP settings at a malicious DNS server, which then answers every query as the attacker wishes and eventually redirects traffic to the phishing website.


Conclusion

As you can see, DNS is critical to the day-to-day operation of websites and online services, and that makes it an attractive target for attackers. This is why monitoring your DNS servers and your DNS traffic is crucial. Users must still be careful where they go on the Internet and which emails they open. Even a small anomaly, such as a browser warning about a missing or mismatched TLS certificate on a site that normally has a valid one, is a signal to stop and check: an attacker who has redirected your DNS still cannot present a valid certificate for the real domain name.

DNS Cache Poisoning
https://gridinsoft.com/blogs/dns-cache-poisoning/
Sat, 08 Jun 2024 13:07:20 +0000

DNS Cache Poisoning is a pretty old attack type in which a malicious actor redirects a victim’s traffic to a harmful site instead of a legitimate IP address. It is done by replacing cached IP addresses on the DNS server. Attackers also use the method of “poisoning” the DNS cache to steal credentials or sensitive information. But how dangerous is it? And how can we protect against such attacks? Let’s find out.

DNS Cache Poisoning Overview

DNS cache poisoning is an attack in which the attacker injects forged DNS records into a cache, either the cache of a recursive resolver that serves many clients or the cache on the victim's own device, so that a domain name resolves to an address the attacker controls. When the user then visits a website, the poisoned cache sends them to a fake site instead of the legitimate one. The trick is hard to notice at the final stage, because fake sites are built to look like the real ones. The result of a successful poisoning is similar to a man-in-the-middle attack: the attacker can intercept the data that flows between the user's machine and the website.

By poisoning a resolver's cache, attackers redirect the traffic of everyone who uses that resolver. For instance, if you type "amazon.com", a poisoned resolver can send you to a fake version of Amazon. The classic technique is a race: the attacker sends the resolver a query for the target name, then floods it with forged responses that imitate the authoritative name server, hoping one arrives before the genuine answer and matches the resolver's 16-bit transaction ID (and, on resolvers that do not randomize it, the source port). A forged response that passes those checks is accepted and cached, and the cached data is then served to every client for the record's time-to-live. DNS itself offers no way to tell a genuine answer from a forged one, because the protocol was designed at a time when no one anticipated this attack.
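The race described above comes down to how much the attacker has to guess. The following added example (not code from the original post) models it for the two resolver generations that matter: one that only randomizes the 16-bit transaction ID and answers from a fixed source port, and one that also randomizes the source port, the defense the prevention section below relies on alongside DNSSEC. The attacker model is an assumption made for the example: the flood carries consecutive transaction IDs starting at a random value, all with a single guessed port, and the attacker knows the fixed port when there is one.

```python
import random

# Added example, not from the original post. Models the poisoning race: the attacker
# floods forged replies and wins if one matches the resolver's pending query before
# the genuine answer lands.
TXID_SPACE = 1 << 16                  # 16-bit transaction ID (RFC 1035)
PORT_LOW, PORT_HIGH = 1024, 65536     # ephemeral range assumed for a randomizing resolver
FIXED_PORT = 53                       # assumed fixed source port of a non-randomizing resolver

def spoof_success_probability(forged, port_randomized):
    """Probability that at least one of `forged` distinct (ID, port) guesses is accepted."""
    space = TXID_SPACE * ((PORT_HIGH - PORT_LOW) if port_randomized else 1)
    return min(1.0, forged / space)

def simulate_race(forged, port_randomized, trials=2000, seed=7):
    """Fraction of trials in which a flood of `forged` replies poisons the cache."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        txid = rng.randrange(TXID_SPACE)                               # resolver's ID
        port = rng.randrange(PORT_LOW, PORT_HIGH) if port_randomized else FIXED_PORT
        start = rng.randrange(TXID_SPACE)                              # attacker's first ID guess
        txid_hit = (txid - start) % TXID_SPACE < forged                # consecutive IDs from start
        port_guess = rng.randrange(PORT_LOW, PORT_HIGH) if port_randomized else FIXED_PORT
        if txid_hit and port_guess == port:
            wins += 1
    return wins / trials

if __name__ == "__main__":
    print("forged  P(no port rand)  P(port rand)  sim(no port rand)  sim(port rand)")
    for n in (1000, 10000, 65536):
        print(n, spoof_success_probability(n, False), spoof_success_probability(n, True),
              simulate_race(n, False), simulate_race(n, True))
```

With a fixed port, 65,536 forged packets cover the whole ID space and the attacker wins every race they enter; with port randomization the same flood has roughly a one-in-64,000 chance, which is why the 2008 "Kaminsky" fixes made source-port randomization mandatory for every serious resolver.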

What is a DNS Server?

DNS Cache Poisoning Mechanism

Because the IP address behind a name changes rarely, resolvers and clients cache the association between a domain name and its IP address for the record's TTL. For example, www.gridinsoft.com maps to 104.26.15.79. If an attacker can get the targeted system to accept falsified DNS data, the client will send its traffic to the wrong address. In the best case this only causes a denial of service; in the worst case the attacker intercepts the traffic, with severe consequences.

A successful attack leaves the user convinced they are on the legitimate site, so they enter their login and password without hesitation, handing the credentials straight to the attacker.

As a result of such an attack, an attacker can redirect a user to fake or malicious websites, leading to malware deployment. For example, a fake online banking site might prompt the user to update an application. Instead of the legitimate application, the user receives a malicious file. Additionally, a compromised website can initiate malware downloading.

On the other hand, attackers can also disrupt legitimate software updates by poisoning the DNS cache. For example, an attacker could block updates to antivirus software signature databases. Besides DNS cache poisoning, there is also the direct hacking of DNS servers, which I covered in a separate article.

DNS Cache Poisoning Application

The technical details above make it clear that such an involved technique is not suited to mass attacks. Most DNS cache poisoning happens in targeted intrusions, particularly against corporations. Because the attack only changes things locally, it can be hard to detect proactively, especially without dedicated tooling.

By altering DNS cache on a selection of corporate workstations, hackers can gather login credentials to pretty much any web resource. The ability to select which site is spoofed in a poisoning attack once again makes it harder to detect, and also prevents login data from other sites from flooding the resulting log. In the hands of a skilled adversary, DNS cache poisoning may be an outstandingly effective and dangerous tool.

DNS Cache Poisoning and Censorship

Some governments have intentionally poisoned DNS caches in their countries to block access to certain websites or web resources. For example, the Great Firewall of China uses DNS filtering and fake responses for geoblocking, censorship, and restricting access to specific websites. Additionally, some internet service providers (ISPs) use DNS interception to display advertisements or block access to illegal websites.

Malware in Cache Poisoning Attacks

Technical execution aside, one question remains: how do cybercriminals get into a position to do this? Modifying a machine's local resolver cache or hosts file requires access to that machine, usually remote access. Several malware types provide it, namely backdoors and remote access trojans. Once these are inside the network, the operators control pretty much any element of the system, both through commands and through direct access.

As DNS cache poisoning attacks are pretty rare and require thorough planning and targeting, the corresponding actions are often embedded into the malware sample. In addition to this, malware may be able to undo these changes, to cover the tracks after the successful attack.

Preventing DNS Poisoning Attacks

The best way to prevent resolver cache poisoning is cryptographic authentication of DNS data. DNSSEC (Domain Name System Security Extensions) provides it by adding digital signatures to DNS records: the zone owner signs its records, and a validating resolver checks the signature before accepting and caching an answer, so a forged response fails validation. The keys are chained from the root through the top-level domain (TLD) down to the authoritative zone, giving a trusted chain for name resolution. DNSSEC only helps where the zone is signed and the resolver validates; you can check whether your resolver validates by querying a signed name with `dig +dnssec` and looking for the `ad` (authenticated data) flag in the reply. Resolvers that do not validate still depend on the older defenses against the poisoning race: random transaction IDs, random source ports, and bailiwick checks that reject records outside the zone the answer was asked about.

Decoy Dog Malware Uncovered: Next-Gen Spyware
https://gridinsoft.com/blogs/decoy-dog-spyware-rat/
Fri, 28 Jul 2023 07:41:57 +0000

A group of hackers, presumably state-sponsored, is actively developing and beginning to use a sophisticated Decoy Dog toolkit. It has likely been used for over a year in cyber intelligence operations. It utilizes the Domain Name System (DNS) to manage and control a narrowly focused and minimal number of active clients.

What is Decoy Dog Malware?

In April 2023, researchers discovered Decoy Dog, a remote access trojan (RAT) toolkit that uses DNS, with registered domains acting as command and control (C2) servers for the malware. It produced anomalous DNS signatures in enterprise networks across several regions, and some of the traffic went to a controller in Russia. The researchers then found DNS query patterns in enterprise networks that did not come from consumer devices, and confirmed that the queries came from network appliances in only a few customer networks. Despite the public announcement and a technical analysis showing the malware's similarity to the open-source Pupy RAT, the toolkit's operators continued their activity. At that time the toolkit used the following domains, which experts recommended organizations block:

  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc

However, new research reveals that Decoy Dog has diverged significantly from Pupy, using new domains, unique commands and configurations that are not publicly available. Pupy is an open-source post-exploitation remote access toolkit that appeared in 2015, originally to play the RAT role in penetration-testing simulations. The configurations mentioned as unavailable were hidden until 2019 and relate to the way the malware resolves its C2 over DNS. Even with the code in hand, each deployment needs a thorough name server setup, a complicated task that calls for network engineering skill.

How Decoy Dog works

Decoy Dog Is a Better Pupy RAT

Researchers have been investigating the differences between Decoy Dog and Pupy since April. They set up their own Pupy C2 server to analyze its DNS communication protocol and derived DNS signatures to detect new controllers of this malware. Both Pupy and Decoy Dog use nonces to identify client sessions and to order messages, and Decoy Dog keeps Pupy's query structure, so the researchers could decode the nonce values and correlate queries back to the same compromised device.

Moreover, researchers could track each controller's activity, including session length and the number of active clients. Encryption prevented them from seeing the specific data exchanged, but they identified the message types and profiled the overall communication behavior of both clients. Decoy Dog responds to replayed queries, which Pupy does not, has a richer set of commands and responses, and shows more variance in message payload length than Pupy.

From this, researchers confirmed that Decoy Dog is a major refactor of Pupy with advanced capabilities that have changed over time. It includes a domain generation algorithm and the ability for clients to execute arbitrary Java code. These features indicate sophistication and intentionality beyond most threat actors. Security vendor detectors still identify Decoy Dog as Pupy, possibly because reverse engineers assumed the binary samples were identical.

Today’s activity

Decoy Dog's creators quickly adjusted their system in response to the initial disclosure. The malware has also spread: at least three different actors now use it, and the adjustments kept their operations running with continued access to previously compromised devices. Although it is based on the open-source Pupy RAT, researchers classify Decoy Dog as a new, previously unknown malware family with advanced features that let it persist on compromised machines. Current research shows how far Decoy Dog has improved over Pupy: it uses unique commands and configurations that are not publicly available, and threat actors use it in ongoing nation-state attacks with DNS as the command-and-control channel.

Decoy Dog controller domains activity after the release of Infoblox's papers

While much about Decoy Dog remains unclear, the researchers determined that DNS threat detection algorithms are currently the only reliable way to detect the malware. At least three threat actors have been identified using it, and although it is based on the open-source remote access trojan Pupy, the extent of the code changes points to a sophisticated adversary. The security firm stated that the malware can respond to complex DNS requests that do not follow Pupy's usual communication structure, and that its resemblance to Pupy serves as a cover for the program's actual capabilities.
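Since DNS traffic is where this malware shows itself, here is an added example (not code from the original post, and not Infoblox's own signatures) of the kind of passive-DNS heuristic the paragraph above refers to. It applies to DNS-based C2 in general, Pupy-style RATs and DNS tunneling alike: a client that sends many queries for distinct, high-entropy subdomains of one registered domain is encoding data in names. The log format, the thresholds and the sample lines are constructed for the example; the registered domain is taken to be the last two labels, so a real deployment would substitute a public-suffix list.

```python
import math
from collections import defaultdict

# Added example, not from the original post and not Infoblox's detection logic.
# Log line format (constructed): '<epoch> <client_ip> <qname> <qtype>'.

def shannon_entropy(text):
    """Bits per character of `text`; random hex runs near 4, dictionary words near 2-3."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """'a3f9.claudfront.net' -> ('claudfront.net', 'a3f9'); assumes a two-label registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        records.append((float(ts), client, qname, qtype))
    return records

def score(records, min_unique=10, min_entropy=3.0):
    """Flag (client, domain) pairs with many distinct, high-entropy subdomain labels."""
    stats = defaultdict(lambda: {"subs": set(), "entropy_sum": 0.0, "queries": 0,
                                 "first": None, "last": None})
    for ts, client, qname, _ in records:
        domain, sub = split_qname(qname)
        if not sub:                                   # bare apex query carries no payload
            continue
        st = stats[(client, domain)]
        st["subs"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        st["queries"] += 1
        st["first"] = ts if st["first"] is None else min(st["first"], ts)
        st["last"] = ts if st["last"] is None else max(st["last"], ts)
    findings = []
    for (client, domain), st in stats.items():
        unique = len(st["subs"])
        mean_entropy = st["entropy_sum"] / st["queries"]
        if unique >= min_unique and mean_entropy >= min_entropy:
            findings.append({"client": client, "domain": domain,
                             "unique_subdomains": unique, "queries": st["queries"],
                             "mean_entropy": round(mean_entropy, 2),
                             "span_seconds": st["last"] - st["first"]})
    return sorted(findings, key=lambda f: f["unique_subdomains"], reverse=True)

def detect(log_text, **thresholds):
    return score(parse_log(log_text), **thresholds)

# Constructed sample: one host beaconing to claudfront.net (a domain listed above) every
# 60 s with a fresh encoded label each time, plus ordinary traffic from two hosts.
SAMPLE_LOG = """
1690000000 10.0.0.5 www.google.com A
1690000005 10.0.0.6 mail.example.com A
1690000010 10.0.0.5 3f9a1c7e0b.claudfront.net A
1690000070 10.0.0.5 8d2e5a0f91.claudfront.net A
1690000130 10.0.0.5 c41b7e9f02.claudfront.net A
1690000190 10.0.0.5 6a0d3f8c1e.claudfront.net A
1690000250 10.0.0.5 f27e9b4a0c.claudfront.net A
1690000300 10.0.0.6 cdn.example.com AAAA
1690000310 10.0.0.5 0e5c8a3d1f.claudfront.net A
1690000370 10.0.0.5 b93f2c7a4e.claudfront.net A
1690000430 10.0.0.5 1d8a6f0c3b.claudfront.net A
1690000490 10.0.0.5 7c2e0a9f5b.claudfront.net A
1690000550 10.0.0.5 e4b1d7c0a3.claudfront.net A
1690000600 10.0.0.5 updates.example.com A
1690000610 10.0.0.5 5f8c3e1a9d.claudfront.net A
1690000670 10.0.0.5 a0e7b2f9c4.claudfront.net A
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The thresholds deliberately require both signals: CDNs and telemetry services also generate many unique subdomains, but their labels are usually low-entropy or repeat across clients, so pairing the distinct-label count with entropy and a per-client view keeps the false-positive rate workable.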

Threat Actors Use Decoy Dog for Precise Hacking

Based on analysis of passive DNS traffic, analysts cannot determine the exact number of Decoy Dog targets and affected devices. However, the lowest and highest numbers of concurrent active connections observed on any one controller were 4 and 50, and the total number of compromised devices is under a few hundred. This indicates a small target list, typical of a reconnaissance operation. In any case, experts conclude that well-resourced and sophisticated attackers are using the malware.

The attackers are likely targeting specific organizations with high information value. As mentioned above, the victims may be located in Russia, but experts do not rule out that the attackers route the victims' traffic through this region as a decoy or to limit requests to the relevant ones. Because changing a host's resolver configuration is conspicuous in modern managed networks, Decoy Dog behaves like Pupy and sends its C2 queries through the host's default recursive resolver.

Safety recommendations

Security measures against Decoy Dog are generally similar to basic cyber security recommendations. However, there are key points to consider first. Here are some safety recommendations against this malware:

  • Keep your software up to date. Enable automatic updates; they deliver the security patches that close the holes malware relies on.
  • Use a firewall and antivirus software. A firewall can help to block unauthorized traffic from reaching your devices, and antivirus software can help to detect and remove malware.
  • Be careful on the web. Look at what websites you visit and what links you click on. Decoy Dog can be spread through malicious websites and links.
  • Use strong passwords and change them regularly. While this is a general recommendation, it is essential because strong passwords can protect your accounts from unauthorized access.
  • Be aware of the signs of malware infection. Some symptoms include the computer running slowly, pop-ups and new programs appearing that you didn’t initiate, your browser settings changing, and files disappearing.

If you think your computer may be infected with Decoy Dog, contact your IT security team immediately. They will be able to help you to remove the malware and protect your organization from further attacks.

Web safety tips

Here are some additional tips to help you stay safe while web surfing:

  • Use VPN when connecting to public Wi-Fi. This will help to protect your traffic from being intercepted by malicious actors.
  • Be careful about what information you share online. Don’t share your personal information, such as your Social Security or credit card number, with websites or individuals you don’t trust.
  • Educate yourself about malware and how to protect against it. Forewarned is forearmed: there is a great deal of helpful, reliable information publicly available to keep you up to date with developments in cybersecurity.

By following these tips, you can help to protect yourself from Decoy Dog and other malware.

Static and Dynamic IP Address: Brief Comparison
https://gridinsoft.com/blogs/static-and-dynamic-ip/
Thu, 23 Jun 2022 13:39:13 +0000

The Internet is built on IP addresses. They are divided into dynamic and static. Today we will look at the features of static and dynamic IP addresses and find out which type of IP address is more suitable for which tasks.

What is an IP address?

An IP address is a unique number assigned to each device on a TCP/IP network. Like a physical home address, it tells other devices where to deliver traffic meant for you. IP addresses identify computers and devices and allow them to communicate.

Each IP address is a series of numbers. Just as we use the domain names we are accustomed to, computers use addresses they understand, and the Domain Name System (DNS) ties the two together. It works like a phone book: you type facebook.com, DNS maps that name to an address your computer can use, such as 157.240.22.35, and the connection goes to the website you wanted. These days many devices in your home have an IP address: anything that joins the network, from computers and TVs to smart speakers and robot vacuum cleaners.


There are two versions of IP addresses in use: IPv4 and IPv6. An IPv4 address is four decimal numbers from 0 to 255 separated by dots, such as 192.168.0.1; an IPv6 address is eight groups of hexadecimal digits separated by colons, such as fd04:2ca1:ab5e:65c8:4e19:382c:12ef:ad68. IPv4 offers about 4.3 billion (2^32) addresses, which is no longer enough to give every device its own. IPv6, by contrast, has 2^128 addresses, roughly 3.4 × 10^38, a number that should last for decades to come. With that in mind, let's look at static and dynamic IP addresses and how they differ.

What Is a Static IP Address?

A static IP address is permanent; it does not change. Once assigned to a device it usually stays until the network architecture changes, which is why servers and other essential equipment use them. On the public Internet, static addresses are assigned by Internet Service Providers (ISPs); depending on your plan or service agreement, your ISP may or may not offer one, and it usually raises the cost of your contract. A static IP address can be IPv4 or IPv6, but most static addresses today are IPv4.


What is a Dynamic IP address?

A dynamic IP address is the opposite: it changes periodically. Dynamic addresses are handed out by Dynamic Host Configuration Protocol (DHCP) servers and leased for a limited time. Because IPv4 cannot supply enough addresses for every device to keep one permanently, most devices get a dynamic address. All the devices connected to a hotel's Wi-Fi, for example, have dynamic IP addresses, while the hotel's edge router has a static one.

Likewise, your home or office on the Internet may be assigned a dynamic IP address by the DHCP server of your Internet provider. In your home or corporate network, in turn, your router will assign a dynamic IP address to your devices – whether they are computers, smartphones, or media streaming devices, tablets, etc. Dynamic IP is a standard used by consumer equipment.

Static or Dynamic: What is better?

It is impossible to say which IP address option will be ideal for everyone and on all occasions. For some tasks, a static IP address is best, and sometimes a dynamic IP address works best. It also depends on your specific needs. For example, a static IP address is more suitable for business, and a dynamic IP address for a home network.

👉 Advantages of a Static IP

Here are the main advantages of using a static IP address:

  • Better DNS support. Static IP addresses are much easier to set up and manage in DNS, because the record never has to change.
  • Convenient remote access. A static IP address makes it easy to work remotely using a virtual private network (VPN) or other remote access programs.
  • Server hosting. When hosting a web server, email server, or any other type of server, a static IP address makes it simpler for customers to find you through DNS, and the name-to-address mapping can be cached for long periods.
  • More reliable communication. Static IP addresses make it better to use Voice over Internet Protocol (VoIP) for teleconferencing or other voice and video communications.
  • More accurate geolocation services. With a static IP address, services can map an IP address to its physical location. For example, use a local weather service with a static IP address. You will get a weather report for your region.

👉 Disadvantages of a Static IP

In addition to the advantages, a static IP address has some disadvantages:

  • Easier to target. Knowing your static IP address, attackers know where your server sits on the Internet, and because the address does not go away it can be scanned and attacked repeatedly.
  • Higher cost. A static IP address is an optional extra in consumer ISP plans. ISP business plans often include a static IP address, at least as an option, but those plans cost more than consumer plans.
  • Real-world privacy issues. With the right tools, anyone can tie a fixed address to a rough physical location and to you. A virtual private network (VPN) mitigates this by hiding your real address behind the VPN server's.

👉 Advantages of a Dynamic IP

Dynamic IP addresses are easy to manage and cheaper to deploy than static IP addresses. They also have some advantages:

  • Automatic configuration. In the case of a dynamic IP address, the DHCP server automatically assigns an available IP address to the device. No action is required from the user.
  • Lower cost. There is usually no charge for a dynamic IP address, because it is the default.
  • Address reuse. Dynamic addressing lets the same pool of addresses serve devices that come and go. When you bring home a new computer there is no need to assign it an address by hand and retire an old one; the router takes care of that, and the DHCP lease database prevents two devices from ending up with the same address.
  • Potentially increased security. Because the address changes, it is harder for an attacker to keep targeting your network equipment, or to tie the address to your physical location, over time.

Disadvantages of a Dynamic IP

However, there are situations where dynamic IP addresses lose out to static ones. For example, they may not work well with Internet services like e-mail.

  • Not suitable for hosting services. If you want to host a website, email server, etc., a dynamic IP address causes problems: because the address keeps changing, DNS records pointing at it go stale. Dynamic DNS services solve this by updating the record whenever the address changes, but they add cost and complexity.
  • Limited remote access. Depending on your remote access software, you may have trouble connecting to a host whose address changes.
  • More downtime. Occasionally your Internet Service Provider cannot assign you a dynamic IP address, although this is extremely rare, and your Internet connection is interrupted. For an individual consumer this is a temporary inconvenience; it is much worse if your company's website goes offline.
  • Less accurate geolocation. A dynamic IP address can cause geolocation services to fail, because the location stored for that address may no longer match yours.

As we found out, static IP addresses are more suitable for businesses with websites or Internet services. Static IP addresses also work well if remote workers connect to work via VPN. However, dynamic IP addresses are suitable for most consumers. They are cheaper and pose fewer security risks.

Can I Change My Static IP Address?

In most cases, if you get your Internet service through an ISP, it assigns you a dynamic IP address. Your devices are assigned dynamic IP addresses on your network by default. Switching to a static IP address is usually straightforward. You first need to contact your ISP to find out if static IP service is available, and if so, ask them to activate it. The ISP will give you your IP address, and you must specify it in the router settings.

How to Protect Your IP address?

Regardless of your IP address, your Internet Service Provider (ISP) and hackers can determine where you are and what you do on the Internet. To conceal your IP address and thus protect yourself from surveillance on the Internet, the most effective way is to use a VPN. It fully encrypts your traffic, eliminating the possibility of interception by intruders.

TOP DNS Attacks Types https://gridinsoft.com/blogs/top-dns-attacks-types/ Wed, 15 Jun 2022 14:25:18 +0000
What is a DNS (Domain Name Server) Attack?

A DNS attack is a situation in which an attacker either attempts to compromise a DNS network or uses its inherent properties to conduct a broader attack. A well-orchestrated DNS attack can cause severe damage to an organization. DNS underpins most network communication: it takes the domain names entered by the user and maps them to IP addresses. DNS attacks abuse this mechanism to perform malicious actions. For example, DNS tunneling techniques let attackers bypass network controls and gain remote access to a target server. Other DNS attacks can allow attackers to shut down servers, steal data, direct users to rogue sites, and perform DDoS attacks.

What is DNS?

To understand what a DNS attack is, let’s first recall what DNS is and how it works. DNS (Domain Name System) is a protocol that converts a domain name such as yoursite.com into an IP address such as 205.38.05.159. When a user enters the domain name yoursite.com in a browser, the DNS resolver (a component of the operating system) looks up the numeric IP address of yoursite.com. Here’s how it works:

  1. The DNS resolver looks for the IP address in its local cache.
  2. If the DNS resolver cannot find the address in the cache, it queries the DNS server.
  3. The recursive nature of DNS servers allows them to query each other to find the DNS server with the correct IP address, or to find the authoritative DNS server that stores the canonical mapping of the domain name to its IP address.
  4. When the resolver finds the IP address, it returns it to the requesting program and also caches the address for future use.


Why Perform an Attack on the DNS?

DNS is a primary IP network and Internet service and is therefore required during most exchanges: communication usually begins with DNS resolution, and if the resolution service becomes unavailable, most applications stop working. Attackers often try to disrupt the DNS service by abusing the standard protocol functions or by using exploits and flaws. This can open the door to tunneling, data theft, and other attacks that rely on covert communication channels, while also limiting the victim’s access to sites where they could find information on how to solve the problem.


Major Types of DNS attacks

Below are some of the methods used for DNS attacks:

📌 DNS Tunneling

DNS tunneling passes information through the DNS protocol, which typically resolves network addresses. Normal DNS queries contain only the information needed to communicate between the client and the server. DNS tunneling inserts an extra line of data into this path. It establishes communication that can bypass most filters, firewalls, and packet-capture software. This makes it difficult to detect and trace its origin. DNS tunneling can establish command and control or it can exfiltrate data. Information is often broken into smaller pieces, moved through the DNS, and collected at the other end.

📌 DNS Amplification

A DNS amplification attack is a DDoS attack in which attackers use publicly reachable open DNS servers to flood the target with DNS response traffic. The attacker sends DNS lookup requests to a public DNS server with a forged source address, which is the target’s address, so the server’s response to each lookup is delivered to the target instead of the attacker. Because a DNS response is typically much larger than the query that triggered it, the traffic hitting the target is amplified.

📌 DNS Flood Attack

DNS flood attacks are another DNS-related type of DDoS attack that uses the DNS protocol to perform User Datagram Protocol (UDP) flooding. Attackers send valid (not spoofed) DNS query packets at extremely high rates, often from a large array of source IP addresses. Because the queries appear valid, the target DNS servers try to answer all of them and can be overwhelmed by the sheer volume. Handling the flood also consumes a lot of network resources, exhausting the target DNS infrastructure until it stops responding. As a result, Internet access to the target is degraded as well.

📌 DNS Spoofing

DNS spoofing, or DNS cache poisoning, exploits security holes in the DNS protocol to redirect Internet traffic to malicious websites. Such attacks are sometimes referred to as man-in-the-middle (MITM) attacks. They involve using altered DNS records to redirect online traffic to a rogue site that impersonates the intended destination. When your browser goes online, it first queries a local DNS server to find the IP address for the website name. If the local DNS server does not have the answer, it works its way down from the root servers to the authoritative name server for that domain.

DNS poisoning occurs when an attacker interferes with this process and gives the wrong answer. Once he has tricked the browser into thinking he got the correct answer to his query, the attacker can redirect traffic to any fake website he wants. When the victim reaches the fake website, they are prompted to enter their login and password and log in to their account.

Once they enter their data, they essentially hand the attacker the credentials along with any other sensitive information typed into the fraudulent login form. In addition, these malicious websites are often used to install viruses or worms on end-user computers, giving the threat actor long-term access to the machine and any data stored on it.

📌 NXDOMAIN Attack

The NXDOMAIN flood DDoS attack attempts to overload the DNS server with a huge volume of requests for non-existent records. These requests are often handled by a DNS proxy, which spends most (or all) of its resources querying the authoritative DNS server. As a result, both the authoritative DNS server and the proxy spend all of their time processing invalid queries, and response time to legitimate requests slows down until it eventually stops altogether.
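As an added example (not code from the original post), the following Python screens constructed resolver log lines for two of the patterns described above: DNS tunneling, flagged by many distinct, long, high-entropy subdomains under one domain, and an NXDOMAIN flood, flagged by a client whose answers are mostly NXDOMAIN. The log format, thresholds and sample lines are assumptions.

```python
"""Screen resolver query logs for two of the attack patterns described above:
DNS tunneling (one domain receiving many distinct, long, high-entropy
subdomains) and an NXDOMAIN flood (a client whose queries overwhelmingly
return NXDOMAIN). Added example (not from the original post); the log format,
sample lines and thresholds are constructed assumptions."""
import math
from collections import defaultdict

# Constructed sample log: "<time> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
10:00:01 192.0.2.10 www.example.com A NOERROR
10:00:02 192.0.2.10 mail.example.com MX NOERROR
10:00:03 192.0.2.20 3q2kz9xj1vb0a7p4.6d7fa0c1e2b9d4f8.t1.exfil-example.net TXT NOERROR
10:00:03 192.0.2.20 9ab0c2ff1e3d5g7h.44e1b2d9a0c6f8e2.t1.exfil-example.net TXT NOERROR
10:00:04 192.0.2.20 c71d9e0b5a2f4k8m.8f3e2a1c7d0b6e9a.t1.exfil-example.net TXT NOERROR
10:00:04 192.0.2.20 e5f6a7b8c9d0x1y2.01a2b3c4d5e6f7a8.t1.exfil-example.net TXT NOERROR
10:00:05 192.0.2.30 qz81.victim-example.org A NXDOMAIN
10:00:05 192.0.2.30 ab17.victim-example.org A NXDOMAIN
10:00:05 192.0.2.30 kd93.victim-example.org A NXDOMAIN
10:00:06 192.0.2.30 www.victim-example.org A NOERROR
10:00:06 192.0.2.30 pq44.victim-example.org A NXDOMAIN
"""


def parse_log(text):
    """Split log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, rcode = parts
        records.append({"ts": ts, "client": client, "qname": qname.lower(),
                        "qtype": qtype, "rcode": rcode})
    return records


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registrable domain (no suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def tunneling_suspects(records, min_prefixes=3, min_prefix_len=30, min_entropy=3.5):
    """Domains whose subdomain prefixes look like encoded data rather than hostnames."""
    prefixes = defaultdict(set)
    for r in records:
        dom = registered_domain(r["qname"])
        if r["qname"] != dom:
            prefixes[dom].add(r["qname"][: -len(dom) - 1])
    suspects = {}
    for dom, seen in prefixes.items():
        if len(seen) < min_prefixes:
            continue
        avg_len = sum(len(p) for p in seen) / len(seen)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in seen) / len(seen)
        if avg_len >= min_prefix_len and avg_ent >= min_entropy:
            suspects[dom] = {"distinct_prefixes": len(seen),
                             "avg_prefix_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return suspects


def nxdomain_flooders(records, min_queries=4, min_ratio=0.75):
    """Clients with enough queries and a dominant share of NXDOMAIN answers."""
    total, nx = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    return {c: round(nx[c] / total[c], 2) for c in total
            if total[c] >= min_queries and nx[c] / total[c] >= min_ratio}
```

On the sample above, `tunneling_suspects` flags only `exfil-example.net` and `nxdomain_flooders` flags only `192.0.2.30`; in production the thresholds should be tuned against a baseline of normal traffic.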

📌 Botnet-based Attacks

A botnet is a set of Internet-connected devices under an attacker’s control. It can be used to execute distributed denial-of-service (DDoS) attacks, steal data, send spam, and give the attacker access to each device and its network connection. Moreover, botnets are a diverse and constantly evolving threat, so these attacks will inevitably evolve alongside our growing dependence on digital devices, the Internet, and future technologies.

DNS Attack Prevention

The DNS service is like a giant contact list that a device uses to access a specified IP address. Implementing a solid security plan and following some basic security measures can help protect against evolving DNS attacks. Here are a few ways that can help you protect your organization from DNS attacks:

  • Keep DNS Resolver Private and Protected. Limit the use of the DNS resolver to users on the network and never leave it open to external users. This will help prevent cache poisoning by external entities.
  • Securely Manage Your DNS servers. Usually, authoritative servers can be hosted in-house, by a service provider, or by a domain registrar. You can get complete control if you have the necessary skills and experience for in-house hosting. If you don’t have the required skills, you can use the services of qualified professionals.
  • Configure Your DNS Against Cache Poisoning. Configure the security options in your DNS software to protect your organization from cache poisoning. For example, add variability to outgoing requests to make it harder for an attacker to inject a fake response and have it accepted: randomize the request (transaction) ID and use a random source port instead of always sending from UDP port 53.

As you can see, the DNS service is essential to the day-to-day operation of websites. The Internet is open to everyone, including cybercriminals who actively exploit weaknesses in a company’s security infrastructure. Therefore, a robust DNS security hardening policy will help organizations mitigate various DNS attacks.

DNS Spoofing: Key Facts, Meaning https://gridinsoft.com/blogs/dns-spoofing/ Mon, 30 May 2022 10:42:33 +0000
What is DNS Spoofing?

DNS (Domain Name Server) spoofing, or DNS cache poisoning, is a type of cyberattack in which an attacker directs the victim’s traffic to a malicious website instead of the legitimate IP address. Attackers use DNS cache poisoning to redirect Internet traffic and steal sensitive information.

For example, a hacker wants to trick users into entering personal information on an insecure site. How does he do that? By poisoning the DNS cache. The hacker spoofs or replaces the DNS data for a specific site and redirects the victim to the attacker’s server instead of the legitimate server. In this way, the hacker achieves his goal because he has many opportunities: he can commit a phishing attack, steal data or even inject malware into the victim’s system.


How Does DNS Spoofing Work?

Before talking about DNS cache poisoning, let’s first recall what DNS and DNS caching are. DNS is a worldwide directory of IP addresses and domain names. It maps user-friendly addresses, such as facebook.com, to IP addresses, such as 157.240.22.35, that computers use on the network. DNS caching is the system for storing resolved addresses on DNS servers worldwide. To speed up the processing of DNS requests, developers created a distributed DNS system in which each server keeps a list of recently resolved records called a cache. If the DNS server closest to you does not have the required IP address, it queries higher-level DNS servers until the address of the website you are trying to reach is found. Your DNS server then saves this new record in its cache so it can respond faster next time.

Figure: How does DNS spoofing work

Unfortunately, DNS has several security flaws that attackers can exploit and insert forged Internet domain address records into the system. Typically, criminals send fake responses to the DNS server. The server then replies to the user who made the request, and at the same time, the legitimate servers will cache the fake record. Once the DNS cache server stores the fake pair, all subsequent requests for the compromised record will get the server’s address controlled by the attacker.

DNS Spoofing Techniques Can Include:

  • Man in the middle (MITM) – The cybercriminal intercepts the traffic and passes it through his own system, collecting information as he goes or redirecting it elsewhere.
  • DNS server compromise – Directly hijacking the DNS server and configuring it to return a malicious IP address.

Cybercriminals can easily compromise DNS responses while remaining undetected due to security vulnerabilities in specific web applications and the lack of proper authentication of DNS records. Let’s take a closer look at them:

Lack of Verification and Validation

DNS has a trust-first design: a resolver does not require the source of a response to be authenticated before accepting it. Because DNS resolvers do not re-validate data already in the cache, an invalid entry remains until it is manually deleted or its TTL expires.

Recursive DNS Resolver Vulnerability

When recursive querying is active, the DNS server receives the request and does all the work of finding the correct address and sending the response to the user. If it does not have a record in its cache, it will query other DNS servers until it gets the address and returns it to the user. Enabling recursive querying presents a security vulnerability that attackers can exploit to poison the DNS cache.

As the server looks for the address, the attacker can intercept the traffic and provide a fake response. The recursive DNS server will send the response to the user and simultaneously store the spoofed IP address in its cache.

No Encryption

Typically, the DNS protocol is not encrypted, making it easier for attackers to intercept its traffic. In addition, servers do not have to verify the IP addresses to which they route traffic. Hence they cannot determine whether it is genuine or spoofed.

How to Prevent DNS Spoofing?

Real-time monitoring of DNS data can help identify unusual patterns, user actions, or behaviors in traffic, such as visiting malicious sites. And while detecting DNS cache poisoning is difficult, there are several security measures companies and service providers can take to prevent it. Some measures to prevent DNS cache poisoning include using DNSSEC, disabling recursive queries, and more.

The Limit of The Trust Relationships

One of the vulnerabilities of DNS transactions is the high trust relationship between different DNS servers. Therefore, servers do not authenticate the records they receive, allowing attackers to send fake responses from their illegitimate servers.

To prevent attackers from exploiting this flaw, security groups should limit the level of trust their DNS servers have with others. Configuring DNS servers to not rely on trust relationships with other DNS servers makes it difficult for hackers to use a DNS server to compromise records on legitimate servers. There are many tools available to check for DNS security threats.

Use the DNSSEC protocol

Because Domain Name System Security Extensions (DNSSEC) uses public-key cryptography to sign DNS records, it adds validation and allows systems to determine whether an address is valid or not. This prevents forgery by verifying and authenticating requests and responses.

In regular operation, the DNSSEC protocol associates a unique cryptographic signature with other DNS information, such as CNAME and A records. The DNS resolver then uses this signature to authenticate the DNS response before sending it to the user.

Security signatures ensure that a legitimate source server validates responses to requests that users receive. Although DNSSEC can prevent DNS cache poisoning, it has drawbacks such as complex deployment, data provisioning, and zone enumeration vulnerabilities in earlier versions.

Use The Latest DNS and BIND Versions Software

Beginning with version 9.5.0, BIND (Berkeley Internet Name Domain) includes enhanced security features such as cryptographically secure transaction identifiers and source port randomization, which minimize the chance of DNS cache poisoning. It is also important that IT staff keep it up to date and ensure that it is the latest and safest version. Here are some more useful tips to help prevent DNS cache poisoning.

  • Configure the DNS server so that it responds only with data related to the requested domain.
  • Make sure that the cache server only stores data related to the requested domain.
  • Enforce HTTPS for all traffic.
  • Disable DNS recursive queries where they are not needed.
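The checks recommended here and in the “DNS Attack Prevention” list of the earlier post (random transaction IDs, random source ports, accepting only data related to the requested domain) can be expressed as a resolver-side validation routine. The following is an added example, not code from Gridinsoft or from any DNS server; it builds constructed DNS wire-format messages and shows which forged replies a hardened resolver would drop.

```python
"""Resolver-side checks that keep forged DNS replies out of the cache: the reply
must carry the pending query's transaction ID, arrive on the randomized source
port the query left from, repeat the same question, and answer only for the
queried domain. Added example (not from the original posts); message layout
follows the DNS wire format, while PendingQuery and all sample messages are
constructed for illustration."""
import secrets
import struct

def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, offset: int):
    """Return (name, offset just past it); follows compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def build_response(txid, qname, ip, answer_name=None, qtype=1, qclass=1, ttl=300):
    """Constructed A-record reply; answer_name lets a forgery name another owner."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    owner = encode_name(answer_name) if answer_name else b"\xc0\x0c"  # -> QNAME
    rdata = bytes(int(o) for o in ip.split("."))
    answer = owner + struct.pack("!HHIH", qtype, qclass, ttl, len(rdata)) + rdata
    return header + question + answer

class PendingQuery:
    """What a hardened resolver remembers for each outstanding upstream query."""
    def __init__(self, name, qtype=1, qclass=1):
        self.txid = secrets.randbits(16)  # random 16-bit ID, never a counter
        self.src_port = 32768 + secrets.randbelow(28232)  # random port 32768-60999
        self.name, self.qtype, self.qclass = name.lower(), qtype, qclass

def validate_response(pending: PendingQuery, dst_port: int, msg: bytes):
    """Return (accepted, reason); a resolver drops anything not accepted."""
    if dst_port != pending.src_port:
        return False, "wrong destination port"
    if len(msg) < 12:
        return False, "truncated header"
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if txid != pending.txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "not a response (QR bit clear)"
    if qdcount != 1:
        return False, "unexpected question count"
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if (qname.lower(), qtype, qclass) != (pending.name, pending.qtype, pending.qclass):
        return False, "question does not match the query"
    for _ in range(ancount):  # simple bailiwick check on every answer record
        owner, off = decode_name(msg, off)
        rdlen = struct.unpack("!HHIH", msg[off:off + 10])[3]
        off += 10 + rdlen
        owner = owner.lower()
        if owner != pending.name and not owner.endswith("." + pending.name):
            return False, "answer record outside the queried domain"
    return True, "ok"

def demo():
    """Constructed scenario: one legitimate reply and four rejected ones."""
    q = PendingQuery("yoursite.com")
    legit = build_response(q.txid, "yoursite.com", "203.0.113.10")
    wrong_id = build_response((q.txid + 1) & 0xFFFF, "yoursite.com", "198.51.100.66")
    wrong_question = build_response(q.txid, "other-example.com", "198.51.100.66")
    off_domain = build_response(q.txid, "yoursite.com", "198.51.100.66",
                                answer_name="bank-example.com")
    return {
        "legit": validate_response(q, q.src_port, legit),
        "wrong_port": validate_response(q, 53, legit),
        "wrong_id": validate_response(q, q.src_port, wrong_id),
        "wrong_question": validate_response(q, q.src_port, wrong_question),
        "off_domain": validate_response(q, q.src_port, off_domain),
    }
```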

DNS cache poisoning causes domain users to be redirected to malicious addresses. In addition, some attacker-controlled servers can trick unsuspecting users into downloading malware or providing passwords, credit card information, and other confidential information. To prevent this, it is essential to use reliable security methods.


A DNS vulnerability in uClibc/uClibs-ng libraries jeopardizes IoT devices https://gridinsoft.com/blogs/c-standard-libraries-dns-vulnerability/ Fri, 06 May 2022 07:00:13 +0000
A vulnerability has been discovered (CVE not yet issued) in the uClibc and uClibc-ng C standard libraries, which are widely used in IoT devices. The newly found flaw makes it possible to place forged data into the DNS cache, setting an arbitrary IP address for a domain so that all subsequent queries for that domain are rerouted to the attackers’ server.

The flaw affects Linux firmware used in various routers, hotspots, and other IoT devices. It also hits Linux distributions for embedded systems such as Embedded Gentoo and OpenWRT. The vulnerability shows up in many different devices; for example, Linksys, Netgear, and Axis all use the uClibc libraries. Since the vulnerability is not yet fixed in uClibc and uClibc-ng, details about the specific devices and manufacturers whose products are affected have not been made public yet.

The vulnerability mechanism

The vulnerability comes from the use of predictable transaction identifiers in the DNS requests the library generates. Request IDs are produced by simply incrementing a counter, with no additional randomization of the source port. This allows DNS cache poisoning by proactively sending a UDP packet with a forged response: the spoof is accepted if it carries the correct request ID and arrives before the genuine server’s response. Unlike the Kaminsky method proposed in 2008, this approach does not even require guessing, since the transaction ID is predictable from the start: the initial value (1) is incremented with each query rather than chosen randomly.

The standard recommendation against ID guessing is to randomize the source port from which the DNS request is sent, which compensates for the short length of the identifier: with port randomization enabled, forging a 16-bit ID is not enough, and the attacker would additionally have to brute-force the port number. In uClibc and uClibc-ng, no random source UDP port was requested in the bind call, so the randomization was effectively off, and enabling it required changing settings in the operating system.

With randomization switched off, guessing an incremented request ID becomes trivial. Even with randomization applied, the port would only have to be picked from the range 32768–60999 (the default Linux ephemeral port range), so sending many fake responses to different ports simultaneously could still win the race against the legitimate DNS response.
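As an added example (not from the original post or the Nozomi report), the following Python audits a sequence of (transaction ID, source port) pairs, as would be recorded from a device’s outbound DNS queries, for the two weaknesses described above, and quantifies how many ID/port combinations a forged reply must cover once randomization is on. The observation sequences and thresholds are constructed assumptions.

```python
"""Audit the transaction IDs and source ports a resolver emits, to spot the
weakness described above: counter-based IDs and a fixed source port, as in
uClibc. Added example (not from the original post or the Nozomi report).
Observations would come from a capture of a device's outbound DNS queries;
the sequences below are constructed, and the thresholds are assumptions."""

# Constructed: a uClibc-style resolver (IDs 1, 2, 3, ... all from one fixed port)
UCLIBC_LIKE = [(txid, 41234) for txid in range(1, 13)]

# Constructed: a hardened resolver (random IDs, random ephemeral ports)
HARDENED = list(zip(
    [0x3A7F, 0x91C2, 0x0D44, 0xE71B, 0x5C09, 0xB2E6, 0x2F8D, 0x7A31, 0xC4D0, 0x1E95],
    [51233, 34871, 59902, 40127, 45511, 56013, 38840, 49276, 60104, 33719],
))


def sequential_fraction(txids):
    """Share of consecutive ID pairs that differ by exactly +1 (mod 2**16)."""
    if len(txids) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) & 0xFFFF == 1)
    return hits / (len(txids) - 1)


def audit_resolver(observations, min_samples=8, seq_threshold=0.9):
    """observations: list of (txid, src_port) in send order. Returns findings."""
    if len(observations) < min_samples:
        return ["insufficient samples"]
    txids = [t for t, _ in observations]
    ports = [p for _, p in observations]
    findings = []
    if sequential_fraction(txids) >= seq_threshold:
        findings.append("predictable transaction id (incrementing counter)")
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        findings.append(f"fixed source port {ports[0]} (no port randomization)")
    elif distinct_ports < len(ports) // 4:  # assumed cutoff for 'barely random'
        findings.append("weak source port randomization")
    return findings


def guessing_space(random_id: bool, random_port: bool, port_range=(32768, 60999)):
    """Number of (id, port) combinations a blind forgery must cover to be
    accepted by the resolver: the larger it is, the less likely a forgery wins."""
    ids = 2 ** 16 if random_id else 1
    ports = (port_range[1] - port_range[0] + 1) if random_port else 1
    return ids * ports
```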

History of the inquiry

The problem has been confirmed in all current versions of uClibc and uClibc-ng, including the latest uClibc 0.9.33.2 and uClibc-ng 1.0.40. In September 2021, information on the vulnerability was sent to CERT/CC so that a coordinated fix could be prepared. Moreover, in January 2022, the data was delivered to more than 200 manufacturers working with CERT/CC. In March, there was communication with the uClibc-ng project maintainers, who admitted they could not fix the vulnerability themselves and recommended disclosing the information to the community so that it could assist with the development of the fix. Nozomi Networks, the company that detected the flaw, made the information public in a thorough report on May 2, 2022. In the meantime, Netgear has announced an update in which it promises to deal with the vulnerability.

Avast experts accidentally got source code for GhostDNS exploit https://gridinsoft.com/blogs/avast-experts-accidentally-got-source-code-for-ghostdns-exploit/ Thu, 21 May 2020 16:43:36 +0000
Avast analysts unexpectedly obtained the source code of the GhostDNS exploit kit. The experts got access to the source thanks to a mistake by an unknown hacker.

GhostDNS is a set of exploits for routers that uses CSRF requests to change DNS settings and then redirect users to phishing pages (where victims’ credentials for various sites and services are stolen).

Researchers say that an unknown hacker uploaded an archive named KL DNS.rar, not protected by a password, to an unnamed file-sharing site; it contained malware and several phishing pages. At the same time, the attacker seems to have forgotten that Avast antivirus was installed on his machine with the Web Shield component active, which protects against malicious web content. As a result, the file with the malware was analyzed by the Avast solution, and the researchers got access to the source code.

“We downloaded the linked file and found the full source code for the GhostDNS exploit suite”, — say the experts.

As analysis of the malware showed, the exploit kit used two methods to attack routers: Router EK and BRUT. Both use CSRF requests to change DNS settings. Router EK is designed for attacks from the local network and requires the user to click a malicious link. BRUT is a scanner that searches the Internet for insecure routers and attacks them (no user interaction is required).

Researchers found in the archive a list of IP address prefixes in 69 countries that the malware was to scan; for each prefix, 65,536 addresses were checked. Although the majority of the target countries were in South America (Brazil was the most affected), victims were also found in the USA, Australia and Germany.

Figure: List of the credentials

To gain access to the device and override the DNS settings, the new version of GhostDNS applied bruteforce, using a small dictionary containing a list of 22 default credentials. At the same time, older versions of the malware had a list of 84 credentials.

After gaining access to the device, the malware changed the DNS settings so they pointed to the attacker’s servers. To do this, the kit includes a cracked version of the SimpleDNS Plus application.

Router EK, in turn, attacks victims through malicious advertising. If the user clicks such a malicious ad, a search for the router’s internal IP address begins.

Figure: Scheme of the attack

In this case, a smaller set of credentials is used than with BRUT: Avast analysts found a list of just eight username and password pairs, all of which are most commonly found in Brazil.

If the credentials match, GhostDNS proceeds to the phase of displaying phishing pages. The KL DNS.rar archive contains several templates of such fakes imitating the sites of the largest Brazilian banks and Netflix.

Let me remind you that recently I wrote that hackers spoof DNS settings to distribute fake coronavirus applications.

Hackers spoof DNS settings to distribute fake coronavirus applications https://gridinsoft.com/blogs/hackers-spoof-dns-settings-to-distribute-fake-coronavirus-applications/ Wed, 25 Mar 2020 16:45:35 +0000
Journalists from Bleeping Computer have found that hackers are changing DNS settings to distribute fake applications.

The reason for the investigation was complaints from users, who reported on forums that they were persistently offered to download a strange application, allegedly providing information about COVID-19 and created by WHO.

As it turned out, these users’ routers had been compromised, and an infostealer was being distributed under the guise of the application. Only recently I wrote about phishing with letters supposedly from WHO, exploiting the theme of coronavirus, and this seems to be the next technological level from cybercriminals.

The publication says that in all cases, the victims were the owners of D-Link or Linksys routers, and unknown attackers changed the DNS settings on the devices.

“It is not yet clear exactly how the attackers gained access to the devices, but several victims admitted that they could access their routers remotely, and they used weak passwords. So it’s probably a matter of brute force and enumerating credentials from a list of known defaults,” – says Bleeping Computer.

Having gained access to the device, attackers change the DNS server addresses to 109.234.35.230 and 94.103.82.249.

Figure: Hackers spoof DNS settings

Researchers explain that when a computer connects to a network, Windows uses the Network Connectivity Status Indicator (NCSI) feature, which periodically checks whether the Internet connection is active.

In Windows 10, one of these tests connects to http://www.msftconnecttest.com/connecttest.txt and checks whether the response is “Microsoft Connect Test”. If it is, the computer is considered connected to the Internet; if not, Windows warns that the Internet is not available.

If the user is behind a compromised router, the malicious DNS servers make Windows connect not to Microsoft’s legitimate IP address 13.107.4.52 but to the attackers’ resource at 176.113.81.159. As a result, instead of serving the text file, the site displays a page asking the victim to download and install a fake application named “Emergency – COVID-19 Informator” or “COVID-19 Inform App”, supposedly created by WHO.

If the user falls for this and downloads and installs the application, instead of information about the coronavirus they receive the Oski Trojan. This malware tries to collect and send the following information to the attackers (the list is incomplete):

  • cookies;
  • browser history;
  • billing information from the browser;
  • saved credentials;
  • cryptocurrency wallet data;
  • text files;
  • autocomplete data for forms in the browser;
  • Authy 2FA database identifiers;
  • screenshots of the desktop at the time of infection.
