Use of rogue DNS servers on rise

/ Source: The Associated Press

They're called "servers that lie."

Mendacious machines controlled by hackers that reroute Internet traffic from infected computers to fraudulent Web sites are increasingly being used to launch attacks, according to a paper published this week by researchers with the Georgia Institute of Technology and Google Inc.

The paper estimates roughly 68,000 servers on the Internet are returning malicious Domain Name System results, which means people with compromised computers are sometimes being directed to the wrong Web sites — and often have no idea.

The peer-reviewed paper, which offers one of the broadest measurements yet of the number of rogue DNS servers, was presented at the Internet Society's Network and Distributed System Security Symposium in San Diego.

The fraud works like this: When a user with an affected computer tries to go to, for example, Google's Web site, they are redirected to a spoof site loaded with malicious code or to a wall of ads whose profits flow back to the hackers.

The hackers who hijack DNS queries are looking to steal personal information, from e-mail login credentials to credit data, and take over infected machines.

The spoof sites run the gamut. Some are stunningly convincing, others amusingly bogus with spelling errors and typos.

The DNS system is a critical part of the Internet's infrastructure, used to make sure computers know how to contact each other. People usually automatically use the DNS servers of their Internet providers, but the recent wave of attacks modify the settings on victims' computers to send traffic to rogue DNS servers.

Attacks using manipulated DNS results aren't new. Profit-driven hackers have a strong incentive to control where users go on the Web. The paper looked at viruses that started appearing in 2003 designed to alter the DNS settings on infected computers.

The report noted the rogue DNS servers don't always return incorrect results, often fooling users into believing their Internet access is working properly. Hackers thus can route users to malicious Web sites whenever they choose.

Most up-to-date antivirus software will catch and banish the viruses used to change DNS settings. Once a computer's been infected, users need to run a new scan with the latest software and change their DNS settings back — which is easy.

Security experts not involved in preparing the paper said it adds valuable data about the scope of an increasingly popular type of attack.

"A lot of people don't realize the seriousness of it," said Paul Ferguson, a threat researcher with Trend Micro Inc. "The problem is getting worse."