
Thread: This is _too_ Beautiful to ignore

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    This is _too_ Beautiful to ignore

    Source: Here.

    Stop Malware with DNS.....

    Imagine trying to add all the primary zones that you can find that are sources of spyware/malware into your DNS servers so that they resolve those bad domains to 127.0.0.1, (or anywhere other than the actual site). It would just be too much work. As the article above describes there is a nice easy way to do it and it works soooo nicely and takes less than 30 minutes.

    The article discusses doing this on your primary DNS servers. We all know that the primary DNS servers in a Windows AD domain are the AD controllers themselves and that the DNS is held within the registry. He suggests that you can do this with AD but that you need to change your domain DNS from "AD Integrated" to "Standard Primary" in order to make this work since the zones need to be loaded from file. If you are a Win200X admin like me the thought of messing with the domain DNS is a lot like looking for a gas leak with a match...... But all is not lost.

    Properly managed DNS in an AD domain should be what is known as split or double DNS. The AD servers should be entirely internal and access to them from the internet should be blocked. These servers should contain both the public and private information about your domain. They should be set to use forwarders and the forwarders should be your public DNS servers located in the DMZ. They should be the only machines allowed to make outbound DNS requests and should only be allowed to make their requests from the public servers in the DMZ to keep their existence hidden. The public DNS servers should only hold your public records and no private information about internal hosts. These public DNS servers should be allowed to make requests from anywhere on the internet and resolve addresses of your public domain resources to any location on the internet.

    With that system in place you can quite happily implement the suggestions in the article. It works very nicely and therefore kills access to some 2470 domains, (not just web pages but entire domains and all their subdomains). Be aware that if the IP address of the domain is hard-coded then the domain will still be contacted, but the use of domain names is common so that blocking IPs at the firewall can be rendered ineffective by changing the IP, which would still be resolved by DNS.

    Note of warning: The DNS boot file available for download currently contains two errors that prevent the DNS service from starting. They are both instances where the domain name begins with a " (double quote); just search for them and remove them.

    I really like this.... nicely creative.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Ya good love it, SWEEET post TS!
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  3. #3
    Junior Member
    Join Date
    Oct 2002
    Posts
    4

    Keep your AD integrated zones

    I just add entries to my host file on the DCs. I make entries that redirect affected/infected computers to one of my freebsd boxes running tcpdump. I just look at the log and I know which boxes have issues that must be addressed. I couldn't bring myself to get rid of the AD integrated zones since they haven't given me any trouble.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I know which boxes have issues that must be addressed.
    Er... What issue? They can't find the real target.... No issue!

    The article points out that you can redirect the DNS resolution to a box that logs the attempts.... I chose the 127.0.0.1 for the following reasons:

    1. I'm still testing it but it seems to work fine
    2. As I said above there's no issue
    3. I don't want to be monitoring something else too.
    4. I can change it later if I want to..... Which I probably will when I determine that it is working sufficiently well to begin to think that I am "beating" spyware in my domains so that I can clean up the remaining boxes that are infected.

    I know one thing..... Since I turned it on I haven't seen a single Bleeding Snort Malware rule trigger.... Now that's nice.... My IDS has gone almost silent.... puuuurfect.....

  5. #5
    Junior Member
    Join Date
    Oct 2002
    Posts
    4

    Issues

    Say you start a new job and the first day on the job, you see that many computers are infected with spybot.sd. You must stop the beating against the firewall NOW!!! It is much faster to write a script to adjust all the global DCs to point to certain boxes that will log the attempts for you to clean up. As far as preventing installation or connection to these malware sites, it's a good plan you have, although I think redoing DNS just for this issue may not be the best. If the IDS is quiet, it may not mean that computers aren't infected.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Nodoze:

    Oh C'mon.... If spybot.sd is that bad it takes 2 seconds to create a primary zone in your AD integrated to redirect them... Done... No writing of scripts.... You could also block the IPs at the firewall.... A single issue isn't an issue..... It's the thousands of "issues" that I'm looking at....

    I gave you a nice quick way to defeat some 2500 "issues" by removing the need to change your AD DNS from integrated, (the RIGHT way), to Standard Primary, (the risky/WRONG way), that I found out there, that someone smarter than me came up with, and that, in a properly set up DNS system, I adapted a little..... If you don't want to use it or if you think that you have a better way take it up with him, not me, or just do your own thing, it's fine by me....

    Do you use the Bleeding Snort Malware rules? Didn't think so.... Trust me... It makes the IDSs go much quieter.... Remember, (or learn, since we don't know each other), I manage domains I have _no_ control over.... A quiet IDS where malware is concerned is a beautiful thing......

  7. #7
    TS: great post...this is a SWEET solution. My engineers and I started down this path but went down another path which involved implementing a proxy server to _fix_ other issues (pron, gaming, etc) and we didn't fully vet it out like this doc does. Never got funding for the proxy software (Websense).

    We have been using the MVPS.org hosts file for _problem users_ (re: admin assistants, tech support, sales people) who get infected with spyware, but it's time consuming to set up (we do use an AT job and WGET to regularly update the file) and not scalable.

    I'm gonna check this out next week I think....sweet.

    It sounds like nodoze just wants to know when a machine is infected so it can be cleaned...however I agree with you: if it can't call _home_ it's a benign infection...we have bigger _fish_ to fry than worry about these neutered critters

    Thanks again!

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Heh....

    Until Friday, over the previous month, my Bleeding Edge Log Analysis file ran an average of about 8-10kb per day which equates to about 30-40 detections per day by the Bleeding Snort Malware rules.

    For Saturday and Sunday my log analysis report indicates "BleedingEdge.txt ****Zero Length **** Deleted at 00:13:27"

    Now I _really_, _really_ like that....

  9. #9
    Senior Member ShippMA
    Join Date
    Oct 2002
    Posts
    165
    Hi Tiger Shark,

    I am a novice home user and have been looking for a way to block sites and domains. (My home network is a wireless router hooked up to a broadband modem, quite basic.) Now I have filled up the filters on the router and have been trying to find other ways to block more.

    To cut a long story short, after reading the file you linked to originally, it mentioned that home users use the Host file a lot, which after a google search led me to this site:

    http://accs-net.com/hosts/

    I have now decided to implement a host file, (taken from this site as they update with new adservers every couple of months), edexter to provide a page for 127.0.0.1 and DNSkong to block some more broad addresses.

    In short THANK YOU SO MUCH for this post as although the actual content is slightly beyond my understanding it has led me to a site that suits my needs perfectly.

    Additionally if anyone reading this has used edexter and DNSkong and has any tips or has come across any adverse effects then please let me know by PM (don't post here so as not to hi-jack the thread).

    Thanks again

    Matt
    www.simpleits.co.uk
    www.tazforum.**********.com
    Google is god ....... of the Internet

  10. #10
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    I just set up a test server for this today. So far it's working perfectly!

    One question... how are you going to keep it updated?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
