Sign up to our newsletter
A continuation on: Time to check your DNS settings?
After 7 March 2012, lots of people potentially can be hit as their systems are infected by a DNS Changer. Several government-CERTs have already warned their users. Rather than using the ISP’s DNS Servers, the malware has changed the settings to use DNS Servers controlled by the hijackers. The malware also connected to a botnet and the botnet’s C&C Server, as well as the used DNS Servers, was taken offline on 10 February by the FBI with the aid of European Cybercrime Police. The DNS Servers confiscated were replaced by others so infected users will not be without internet right away. But on 7 March these DNS Servers will be taken offline and any user that has not yet cleaned his system and restored the DNS configuration will find himself not being able to use the internet.
Assuming that your system is still or was affected by such a DNS Changer, the consequences can be more severe than you realize. If you tried to pick up e-mail, connecting to your ISP’s e-mail server (or so you think), you may actually have connected to a hijacker’s e-mail server, authenticating yourself with a logon credentials. As the logon credentials for POP3 and SMTP-servers are often identical, you now have supplied the hijacker a possibility for him to launch spam into the world where the point of origin will point to your account.
Similarly this accounts for Web-based e-mail clients. The hijacker may set up a (perfect) copy of e.g. Hotmail or Gmail, and you will try to logon giving him all the credentials he needs. People are more accustomed to change the passwords for the Web-based e-mail clients when they have been using them on public computers (and if not you should) as it is never sure what kind of capturing software is installed.
The cynical people may state that Hotmail, Gmail (and others) now use HTTPS and the absence of the Green SSL-EV confirmation bar will give away that you are not connected to the real website.
But in all fairness, how many people actually check the content of the certificate (or that is actually is the right one)? Most people will not bother to look at it when the bar is green. The hijacker may actually use a legitimate SSL-EV certificate (either his own or a stolen one), making that bar green.
For the aforementioned case when you are connecting to a POP3 or SMTP server, most people are not aware that the communication by default goes unencrypted over the network. Any wire-sniffer as Wireshark would already reveal your credentials. Connecting to a regular POP3 server will then show:
The majority of the people are using the standards settings of e.g. Outlook (picture on the left) which by default means open, non-encrypted (plain text) communication is used.
But if your ISP supports secure e-mail (POP3S, SSL encrypted communication, picture on the right) then the content of the communication is not visible anymore by wire-sniffers. Do note the different port used!
Does that make the communication secure in case you are infected by the DNS Changer Malware? Or, just in case you are infected, will that prevent them from fetching your credentials? No, if you are infected, they may have them already. And switching now to encrypted communications may not safeguard you. When you force the encrypted connection and your ISP is supporting it, you may be prompted with a question about the validity of a certificate.
You can either accept or deny to continue or to have a look at the certificate…
But what does that say?
As you can’t pick up your e-mail unless you approve the certificate, most users will. But are you sure this is really your ISP’s certificate?
Stuxnet was digitally signed using stolen certificates, later a similar thing happened to QuakeBot. And the problems with several Digital Certificate resellers (where the dismantled DigiNotar was one of them), showed it would not be unrealistic to be skeptical about certificates. They are all based on trust, but do you trust the one that issued the trust-certificate.
Back to the password problem: if you were infected by this DNS Changer, or any malicious program that redirects traffic, it makes sense to change your credentials to connect to your e-mail. If you can’t change that yourself, please call your ISP to have it done. This is typically a case where you would not change your password regularly as you will only enter it once into the account settings and the e-mail client will happily remember it for you.
Author Righard Zwienenberg, ESET