Re: CPE dns hijacking malware

[Larry Sheldon <LarrySheldon () cox net>]

On 11/12/2013 3:24 PM, Larry Sheldon wrote:
> On 11/12/2013 12:12 AM, Dobbins, Roland wrote:
> > On Nov 12, 2013, at 12:56 PM, Mike <mike-nanog () tiedyenetworks com>
> > wrote:
> >
> > > It appears that some of my subscribers DSL modems (which are acting
> > > as nat routers) have had their dns settings hijacked and presumably
> > > for serving ads or some such nonsense.
> >
> > How do you think this was accomplished?  Via some kind of Web exploit
> > customized for those devices and targeting your user population via
> > email or social media, which tricked users into clicking on something
> > that accessed the Web admin interface via default admin credentials
> > or somsesuch; or via some direct attack on the CPE devices
> > themselves; or via some other method?
>
> I am less well informed here than in a lot of other things, so please be
> gentle.
>
> As a user of such equipment, I don't see or know of anything in the I/F
> that I have access-to that mentions DNSish stuff except the servers I am
> to use.
>
> But interestingly enough, when I tried to look at it to verify my
> belief's just no I got a certificate error that it won't let me past.
>
> That seems odd.

Meant to send this to the list.

The on-line chat to Linksys was subsatisfying, but for want of something 
to do I dropped the "s" IN "https" and go on the router just fine. 
Makes you wonder if I understand "certificates".

But I do not see anything that looks like I can affect DNS beyond which 
servers I use.
--
Requiescas in pace o email           Two identifying characteristics
                                        of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                        learn from their mistakes.
                                          (Adapted from Stephen Pinker)