[nsp-sec] FW: Storm worm changing DNS resolver settings on victim system

Florian Weimer fweimer at bfk.de
Thu Mar 13 10:57:39 EDT 2008


* John Kristoff:

> Florian Weimer <fweimer at bfk.de> wrote:
>
>> For Zlob, it's trivial, see <http://support.microsoft.com/kb/158474>,
>> under "DnsServerPort".  MacOS X supports "port" in /etc/resolv.conf,
>> so it's equally straightforward.  It's probably a good idea to do this
>> right now because it makes cleaning up more difficult.
>
> I stand corrected, cool feature.  What do you mean by it being a good
> idea to do this right now?  You mean we should do this in order to
> learn how to deal with it?

Tongue-in-cheek, I was suggesting that the miscreants should do it
because I don't think this registry key can be changed through the
GUI, so removing the unwanted software and restoring the proper DNS
servers basically breaks your Internet connectivity.  So you go back
and install the configuration we consider compromised.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
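
Added example, not part of the original message: a check a responder could run during cleanup to confirm that a resolv.conf-style file has both trusted `nameserver` entries and no leftover non-default `port` setting, since restoring only the server addresses leaves resolution broken. The function name, the sample files, the documentation-range addresses and the port value 5353 are all constructed for illustration.

```python
import ipaddress

# Constructed samples (documentation-range addresses, not real indicators).
TAMPERED = """\
# constructed sample
domain example.net
nameserver 192.0.2.53
nameserver 198.51.100.7
port 5353
"""
# Servers put back by hand, but the port override was left behind.
HALF_RESTORED = "nameserver 192.0.2.53\nport 5353\n"
CLEAN = "nameserver 192.0.2.53\n"


def audit_resolv_conf(text, trusted_servers, expected_port=53):
    """Return (line number, finding, value) tuples for settings outside policy."""
    trusted = {ipaddress.ip_address(s) for s in trusted_servers}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        keyword = fields[0].lower()
        value = fields[1] if len(fields) > 1 else ""
        if keyword == "nameserver":
            try:
                if ipaddress.ip_address(value) not in trusted:
                    findings.append((lineno, "untrusted-nameserver", value))
            except ValueError:
                # Anything that is not a plain IP address gets a manual look.
                findings.append((lineno, "unparseable-nameserver", value))
        elif keyword == "port":
            if not value.isdigit() or int(value) != expected_port:
                findings.append((lineno, "nonstandard-port", value))
    return findings


if __name__ == "__main__":
    for name, text in (("tampered", TAMPERED), ("half-restored", HALF_RESTORED),
                       ("clean", CLEAN)):
        print(name, audit_resolv_conf(text, ["192.0.2.53"]))
```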


