Hey guys this is yash aka yinsain here,if you are reading this then you are surely not infected with it. I was getting a bit curious about all this news i was getting from my friend about a new malware hitting the web, well as i looked into it, it looks nothing new, just the old skool technique to redirect victims to a malicious server for there own good.
Methods are still the same but the techniques to achieve that has really evolved from years till now. As this name is a bit eye catchy you might be interested but do you really know what it is and what will it do.
Lets start with the name, Monday malware was given to it because it will knock you off the internet on monday that is today 9/7/2012 as most of the agencies are saying.
Well its actual name is still not defined but people have given its so many names, and some are from gov agencies also to classify it.
Other name is 'Alureon/DNS Changer bot'.
So lets dig into its working, as i dont hold a working executable or its source code. So i will be demonstrating the effect of this malware in a controlled enviroment via some network tools.
To understand the basic working of this malware you should be aware of some of the working principles of internet. The one we are focusing on in this blog post is DNS. For a basic explanation, this is the service which manages the juggling of ip addresses and the host names, wrong info of ipaddress will lead you to a wrong page, that is what that malware do but in a stealthy manner, most probably redirecting the victim to thr own server for malicious purposes. for further details you can read
this.
Here i am using a virtual machine to depict a victim and using a linux(ubuntu) host machine to create an infected scenario.
Tools :: dsniff-suite, Virtualbox.
Setup ::
Getting the softwares,
------------------------------------------------------------------------------------------------------------------------------------
apt-get install dsniff
for virtualbox
either download a installer file for your o.s. or follow the linux way.
-------------------------------------------------------------------------------------------------------------------------------------
This suite consists of many great tools, the ones we will be using are
>> arpspoof
>> dnsspoof
NOTE :: arpspoof requires packet forwarding on the host system.
So first we need to enable packet forwarding on your linux host.
-------------------------------------------------------------------------------------------------------------------------------------
# echo 1 > /proc/sys/net/ipv4/ip_forward
please note you will require root priviledges to do this.
-------------------------------------------------------------------------------------------------------------------------------------
And now for the dnsspoof, this tool reads out the domains from a file which we can provide.
edit it the way you feel, just maintain the structure it recognizes.
here is mine.
so we are ready..
i have just added three entries for the common sites that people open.
>> paypal
>> facebook
>> google
So the setup for the tool is ready,
Now you need a victim, here in our example we are using a virtual victim
so you can google it to get a detailed instruction to get a virtual machine all set with o.s. of your choice for this.
Our victim here is windows xp user.
NOTE :: THIS DEMO WORKS ON ALL THE O.Ss INCLUDING WINDOWS, MAC OS AND LINUX. BUT THE REAL MALWARE WAS REPORTED TO JUST WORK ON WINDOWS AND MAC OS TILL NOW. LINUX STILL SURVIVES HUH.
So lest fire up our virtual machine.
lets open up our websites....
as you can see, all the three seems to opening fine..
and even the dns_cache is fine.
So lets start the attack to create an infected scenario....
I will try to keep it least complicated so open up three different instances of terminal.
and issue these commands.
-------------------------------------------------------------------------------------------------------------------------------------
I terminal
# arpspoof -i eth0 -t 192.168.1.16 192.168.1.14
victim ^ gateway^
II terminal
# arpspoof -i eth0 -t 192.168.1.14 192.168.1.16
gateway^ victim^
-i [ interface name ]
-t specify targets
and start them
III terminal
#dnsspoof -i eth0 -f int.txt host 192.168.1.16 and udp port 53
^file with host names we created earlier
-------------------------------------------------------------------------------------------------------------------------------------
so this is how it may look
So lets open up a browser on the victim machine,,
here i am opening facebook..
As you can see the url was valid, but due to the infected victim machine,
request got redirected to the host mentioned in the spoof file for dnsspoof.
Be careful while logging in any of your accounts or buying any stuff online, if you are infected you may endup in a bad situation.
This is how a dns spoofing can occur, this is extremely dangerous for day to day users, as they may get redirected to fake pages and innocently give up their login credentials without any suspicion.
PREVENTIVE MEASURES::
>> do get your system cleaned by a valid tool like avira dnschanger bot remover if your windows or mac is infected.
>> contact your isp to get a valid list of dns servers' ipaddresses which are owned by the isps.
Again thanks for reading.
plz leave comments or message me for any query.
