November 6th, 2005 09:40 AM
Question that needs an answer ...
Well I just finished reading this and found it interesting. But most of all I found this part interesting: "The executable, named 'PayPal-2.5.200-MSWin32-x86-2005.exe', is a Trojan Horse which modifies the DNS server of the local workstation and then deletes itself."
Well here is my question [Hopefully this question doesn't sound too stupid]: How can one prevent the DNS server from being modified to one that the attacker controls? Is there a program that can alert you to this change?
Phishing Alert / Malicious Code: PayPal Traffic Redirection
November 6th, 2005 10:08 AM
I don't know of such a program offhand. But I was thinking about the question.
I think it all depends on how you look at it. Is this client (the one that's gonna get his DNS changed) on a domain network or is it a stand-alone client? Does the user have admin rights or not?
If he's on a domain you can enforce policies; if he's not you can still enforce policies, but locally. Or try not to use an admin account. I do this even at home ... Use a normal account for surfing the waves and email and stuff. I don't have the rights to change my IP settings and stuff. I don't know if the trojan can reset the DNS if the account that is logged on doesn't have admin rights?
Of course this only works on Windows machines like XP or W2K(3) as far as I know (not on W98 or ME)... I'm sure you can do the same thing on any Linux or Unix machine though (does the Trojan work on Linux or Unix machines?)?!
I'll read up on this trojan and adjust the post if it doesn't require admin rights to change the DNS, but I was thinking it did.
[EDIT] Well I've seen it changes a registry setting, so I know there are programs that can monitor this, as well as scripts that are available that monitor this. This one, for example.
Does that help? I think it does a little bit; you have control over when something gets changed... You can even alter the script and let it send an email or something. [/EDIT]
Back when I was a boy, we carved our own IC's out of wood.
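An added example (not part of this thread, and not the script the poster links to) of the kind of registry-based monitoring described above: it snapshots the per-interface DNS server values Windows keeps under the Tcpip\Parameters\Interfaces registry key (a real Windows location), compares them with a saved baseline, and raises an alert when they differ. The baseline file location, the event source name "DnsBaselineMonitor" and the event ID are assumptions chosen for this example; it needs PowerShell 5.1 or later, and creating the event source the first time requires an elevated prompt.

```powershell
# Added example, not from the thread: detect DNS server changes by comparing the
# registry-stored DNS settings against a baseline recorded on the first run.
# Assumed values: the baseline path, the event source name and the event ID.
$BaselinePath = "$env:ProgramData\dns-baseline.json"
$InterfaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-DnsSnapshot {
    # Returns a hashtable: interface GUID -> list of DNS servers.
    # A static NameServer value wins; otherwise the DHCP-assigned DhcpNameServer is used.
    $snapshot = @{}
    foreach ($iface in (Get-ChildItem -Path $InterfaceKey)) {
        $props = Get-ItemProperty -Path $iface.PSPath
        $servers = $props.NameServer
        if ([string]::IsNullOrWhiteSpace($servers)) { $servers = $props.DhcpNameServer }
        if (-not [string]::IsNullOrWhiteSpace($servers)) {
            # NameServer may be space- or comma-separated
            $snapshot[$iface.PSChildName] = @($servers -split '[ ,]+' | Where-Object { $_ })
        }
    }
    return $snapshot
}

function Compare-DnsSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Returns one description line per interface whose server list differs from the baseline.
    $changes = @()
    $allIfaces = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($iface in $allIfaces) {
        $old = @($Baseline[$iface]) -join ','
        $new = @($Current[$iface]) -join ','
        if ($old -ne $new) {
            $changes += "Interface $iface DNS changed from [$old] to [$new]"
        }
    }
    return $changes
}

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the current (trusted) settings as the baseline.
    Get-DnsSnapshot | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    exit 0
}

# Load the baseline back into a hashtable (ConvertFrom-Json yields a PSCustomObject).
$baseline = @{}
foreach ($p in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
    $baseline[$p.Name] = @($p.Value)
}

$changes = @(Compare-DnsSnapshot -Baseline $baseline -Current (Get-DnsSnapshot))
if ($changes.Count -gt 0) {
    # Alert via the Application event log; the poster's e-mail idea would slot in here instead.
    $msg = $changes -join "`n"
    if (-not [System.Diagnostics.EventLog]::SourceExists('DnsBaselineMonitor')) {
        New-EventLog -LogName Application -Source 'DnsBaselineMonitor'
    }
    Write-EventLog -LogName Application -Source 'DnsBaselineMonitor' -EntryType Warning -EventId 1000 -Message $msg
    Write-Warning $msg
} else {
    Write-Host 'DNS settings match the baseline.'
}
```

Run it once from an elevated prompt to write the baseline, then schedule it (for example every few minutes as a scheduled task) so a change to NameServer shows up as a Warning in the Application log. If DHCP legitimately hands out new servers, the baseline has to be refreshed by deleting the JSON file; that trade-off is what makes a static DNS configuration easier to monitor than a DHCP-assigned one.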
November 6th, 2005 11:08 AM
"The controls on this property sheet are disabled because you do not have sufficient privileges to access them. Please contact your administrator."
Is what I get...
As far as I am concerned, an application acting well within its permissions is nothing to worry about.
Also as far as I know... there has never been an instance in the history of Windows, of a process exceeding its rights.