Author Topic: Can Using Namebench Suggestion Expose a Computer to Windigo Malware? (SOLVED)

Offline perknh

  • Trusted User
  • Hero
  • *****
  • Posts: 4013
  • Karma: 373
  • Soy un huevo, nada más.
    • View Profile
  • Peppermint version(s): Peppermint 10
My neighbor's computer is an old Dell Dimension 3000 that was running Windows XP Pro.  I promised to help him keep the computer up and running by putting Ubuntu 12.04.4 on it until we transitioned to Peppermint 5.  I promised him this would be his best bet for the ultimate in security and ongoing update support. 

A day after installing Ubuntu, his computer began acting strangely -- not as fast as I remembered it to be, and it was a bit jumpy.  Then, remembering I had a different ISP than he did, and that my computer had been hit with the Windigo Malware Trojan a couple of weeks earlier, I decided to test his computer for Windigo, and, yes, his servers were infected.

Now I'm wondering if because I played around with namebranch in order to find him the fastest DNS servers, did I, or could I have, accidentally gotten him a faster server at the expense of infecting his old Dell with the Windigo Trojan?

I removed Ubuntu 12.04.4, and installed Peppermint 4 with OpenDNS this time, and ran the Windigo test from eset.  The test shows his system to now be running clean with Peppermint 4.

Can a DNS provider infect somebody's computer with the Windigo Trojan?

Thank you.

perknh
« Last Edit: May 05, 2014, 03:26:31 am by perknh »
[T]here are a lot of people happily running Peppermint ICE which hasn't been receiving ANY updates for a while now .. and I personally would STILL consider that MUCH more secure than any version of Windows with up-to-date AV/Anti-malware ;)

--  PCNetSpec, Cornwall, Eng.  Dec 03, 2013 5:18 pm

Offline mac

  • Veteran
  • ****
  • Posts: 1088
  • Karma: 336
    • View Profile
  • Peppermint version(s): Peppermint 7-8-9
Re: Can Using Namebranch Suggestion Expose a Computer to Windigo Malware?
« Reply #1 on: April 13, 2014, 05:47:55 am »
If infected files are on the server then, yes, Windows machines using that server can become infected, as well.  Infected Windows files downloaded to Linux pose no danger to Linux machines but, if accessed / downloaded by a Windows machine (say on the same network or via flash drive, etc.) those files can infect the Windows machine to which they were downloaded. 

Welcome to Peppermint.
 :)
Peppermint: Standing Out from the Cloud
Reg. Linux User #432835

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26452
  • Karma: 65531
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: Can Using Namebranch Suggestion Expose a Computer to Windigo Malware?
« Reply #2 on: April 13, 2014, 06:14:06 am »
I take it you mean "NameBench" ( https://code.google.com/p/namebench/ )?

As I understand it ESET have never been very clear about the attack vector, but I seriously doubt a DNS server could be it.

Whilst I suppose it's possible it came from malicious code in some software you installed from outside the default repos, this line:-
Quote from: ESET
For a higher level of protection in future, technology such as two-factor authentication should be considered.
suggests it's nothing more than someone gaining access to your server via a compromised SSH account.

Personally I only allow ssh (to my VPS) through a certificate-authenticated openvpn tunnel, and block inbound ssh (and pretty much everything else) over anything but the tunnel.
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec
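The reply above points at a compromised SSH login, rather than a name server, as the likely way in, and recommends two-factor authentication and tunnel-only access. The following is an added example, not code from the thread, from Peppermint or from ESET: a small audit of an sshd_config that reports the settings a practitioner would check first (root login, password authentication, public-key authentication, and whether sshd listens only on the VPN tunnel). The two configs are constructed samples; the tunnel subnet 10.8.0.0/24 and the "absent keyword" defaults are assumptions stated in the code. Two-factor setup lives in PAM and is not visible from sshd_config alone, so it is not checked here.

```python
"""Audit an sshd_config for the SSH login-hardening points discussed above.

Added example, not from the forum thread or any Peppermint/ESET material.
sshd applies the first value it sees for a keyword, and `Match` blocks only
apply conditionally, so the audit judges the global section and skips Match.
"""
import ipaddress

# Assumption: the OpenVPN tunnel uses OpenVPN's default 10.8.0.0/24 subnet.
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")

# Values we expect to see (keywords lower-cased, as sshd compares them).
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# Assumed value when the keyword is absent (OpenSSH 6.x era defaults).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lower: [values in file order]} for global directives."""
    directives = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":          # everything after Match is conditional
            in_match = True
            continue
        if in_match:
            continue
        directives.setdefault(key, []).append(value)
    return directives


def audit(text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        value = cfg.get(key, [DEFAULTS[key]])[0].lower()   # first value wins
        if value not in allowed:
            findings.append(f"{key}={value} (expected {' or '.join(sorted(allowed))})")
    listens = cfg.get("listenaddress", [])
    if not listens:
        findings.append("listenaddress unset: sshd listens on every interface")
    for addr in listens:
        # Accept "host" or "host:port" for IPv4 literals.
        host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"listenaddress {addr}: not an IP literal (check by hand)")
            continue
        if ip not in TUNNEL_NET:
            findings.append(f"listenaddress {addr}: reachable outside the tunnel")
    return findings


# Constructed sample: a stock-looking config (password login, all interfaces).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: key-only login, bound to the tunnel address only.
HARDENED_CONFIG = """\
ListenAddress 10.8.0.1
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match Group sftponly
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

The weak sample produces three findings (root login allowed, password authentication on by default, no ListenAddress); the hardened one produces none, and the Match block's ForceCommand is correctly ignored as conditional. Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`.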

Offline perknh

Re: Can Using Namebrench Suggestion Expose a Computer to Windigo Malware?
« Reply #3 on: April 13, 2014, 10:40:04 am »
Thank you, guys, and thank you for welcoming me back.  I, too, am eagerly awaiting Peppermint 5, as the rest of us are.

Yes, I did mean namebench.  I only downloaded Chrome and Maxthon and some wallpapers from wallpaperswide.com.  I've configured all the Uncomplicated Firewalls we use to always deny incoming, and always allow outgoing.

Would you think I'm now safe to go back to the faster DNS servers?  OpenDNS with Family Shield is not the fastest DNS around, and it is not the DNS server namebench recommended for this computer.  It's part DNS, and it's part buffer from what I can tell.

Who would the server be in this case, the DNS provider, or the ISP for this computer I'm using at present?

I'm not at the level where I understand the SSH and VPS stuff yet.  I still consider myself a maturing newbie.  But you guys in particular, and a handful of others, ( all from Peppermint nation) have been my Linux teachers for a while now.

Thank you both again.

Offline PCNetSpec

Re: Can Using Namebrench Suggestion Expose a Computer to Windigo Malware?
« Reply #4 on: April 13, 2014, 11:45:22 am »
Quote from: perknh
Would you think I'm now safe to go back to the faster DNS servers?
Hard to answer that .. as I've said I can't see how a nameserver could be the attack vector .. but I just don't know

That said, for your average web browsing I wouldn't expect nameservers to make much difference .. maybe for something like a search spider that will be doing millions of lookups.

Quote from: perknh
Who would the server be in this case, the DNS provider, or the ISP for this computer I'm using at present?
Not quite sure what you're asking there .. the server of what ?

Offline perknh

Good question -- and one that will expose my ignorance on this subject in a matter of seconds! 

Answer:  The server we're getting our information from at the particular time.  Does everything we do on the web go through a DNS process to get what we're reading, or looking at, or listening to, or do some things come right from our Internet Service Provider itself, such as established bookmarks, or our browsers themselves -- those things not needing a search quest first?

Anyway, I'm going to do an experiment here.  I'm going to put the faster DNS settings back onto his router.  My good neighbor deserves a fast DNS process for that old legacy Dell computer.  I would like him to discover the simplicity, security, and joys of Linux. 

My wife now prefers Linux, as do I.  I hope my neighbor will come to enjoy the Linux experience too.

Thank you.

Hours later, and I have now returned to the faster DNS services suggested by namebench.  I rebooted the computer, and it is faster again, and still testing clean according to the eset test.  I don't know why Peppermint 4 is testing so cleanly if it is no longer supported, but that being said, Peppermint 4 is working great on that old Dell computer.  Maybe Ubuntu's 13.10 updates are, or were, backported automatically to Peppermint 4's security center by default.  However this process works, Peppermint 4, on that old Dell, is running fast and clean, and functioning beautifully.

Thank you, everyone, for your insights and help.
« Last Edit: April 13, 2014, 06:13:34 pm by perknh »

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26452
  • Karma: 65531
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Quote from: perknh
Does everything we do on the web go through a DNS process to get what we're reading, or looking at, or listening to, or do some things come right from our Internet Service Provider itself, such as established bookmarks , or our browsers themselves-- those things not needing a search quest first.

OK, DNS is just about "name resolution" .. internet protocol addresses are all in the format 173.194.34.129, but those are really hard for humans to remember.

So you enter "google.com" in your browser .. the PC then queries the DNS server to get that domain "name" resolved to an IP address .. then your PC uses the IP address that was returned from the DNS server instead of the domain "name".

So nothing goes "through" the DNS servers .. they're just used for human-readable domain name ---> IP address resolution.



Where the rest of the web comes from....

You enter into your browser
http://google.com
the DNS servers are queried for name resolution and "google.com" gets returned as 173.194.34.129 .. your PC then requests the page from the server at google.com by using that IP as the address .. the page is served back to your PC using your IP address (that was contained in the outgoing packets).

So you connect to MANY different servers as you browse the web .. very few, if any are owned by your ISP.

Your ISP *may* have name servers, or they may use someone elses .. they may have mail servers, etc. .. but they do NOT "serve" the web, effectively they just provide the portal to it.

Did any of that make sense ?



You can access sites without DNS....

As an exercise, try directly entering an IP address instead of a domain name .. enter:
173.194.34.129
into your web browser's address bar and hit enter .. still connected to google, right?
« Last Edit: April 14, 2014, 05:48:22 am by PCNetSpec »
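The post above describes the resolution step in words: the PC sends the name to the resolver, gets an address back, and then talks to that address directly. The block below is an added example, not code from the thread or from PCNetSpec, that shows the same exchange at the wire level (RFC 1035 format): it builds the A query a client sends for google.com and parses a response that is constructed by hand here, so it runs offline. The response carries the address quoted in the thread, 173.194.34.129; the transaction id 0x1234 and the 300-second TTL are arbitrary choices for the sample. The point it makes concrete is that the only thing the client takes from a resolver is an address, which is why a resolver cannot hand your browser a page, but also why a resolver that lies can send you to the wrong server.

```python
"""Minimal DNS A-record query builder and response parser (RFC 1035).

Added example, not from the forum thread. SAMPLE_RESPONSE is a hand-built
answer for offline use; the address is the one quoted in the thread.
"""
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A/IN query for `name`."""
    # id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset_after_name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                   # refuse pointer loops in hostile data
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2            # the name ends after the first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg: bytes):
    """Return (txid, rcode, [(owner, rtype, ttl, rdata_text), ...]) for answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                     # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4                         # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:       # A record: four octets
            text = ".".join(str(b) for b in rdata)
        elif rtype == 5:                    # CNAME: a name, possibly compressed
            text, _ = read_name(msg, offset - rdlen)
        else:
            text = rdata.hex()
        answers.append((owner, rtype, ttl, text))
    return txid, rcode, answers


# Constructed response to build_query("google.com"): QR=1 RD=1 RA=1, rcode 0,
# one question, one A answer whose owner is a pointer (0xC00C) back to the
# question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x06google\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([173, 194, 34, 129])
)


def lookup_offline(name: str) -> list:
    """One simulated round trip: send the query, check the id, return A addresses."""
    query = build_query(name)
    txid, rcode, answers = parse_response(SAMPLE_RESPONSE)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: answer is not for our query")
    if rcode != 0:
        raise ValueError(f"resolver returned rcode {rcode}")
    return [text for _owner, rtype, _ttl, text in answers if rtype == 1]


if __name__ == "__main__":
    print(lookup_offline("google.com"))
```

Everything after `lookup_offline` returns is an ordinary TCP connection from your PC to 173.194.34.129; the resolver is not in that path. The transaction-id check is the minimum a client does to reject an answer that does not belong to its query, and the pointer-hop limit keeps a malformed or hostile response from looping the parser. The practical check when you do not trust a resolver is to resolve the same name through a second one and compare the addresses.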

Offline perknh

Yes, that makes perfect sense.  So we're connecting to different servers all the time as we surf the web, and that's why Windigo was so nasty.  It had gone undetected for so long, and because so many servers are either Linux or Unix-based, Windigo, one way or another, was able to spread far and wide over time.

Yes, that IP address took me right to Google Search -- to their server.

Now, let me ask you this:  Peppermint 4 is based on 13.04 -- which Ubuntu no longer officially supports -- but it is running well, fast, clean, and stable.  Would you just keep it installed until Peppermint 5 comes out?  Isn't the nature of Linux secure enough to keep the computers using Peppermint 4 secure and stable at least until May or June?

Mind you, I have the UFW default installed too on the systems that are using Peppermint 4, and, believe it or not, these computers are running better than they ever had before Peppermint 4!

Thank you, PCNetSpec, for the good info.  I wasn't sure quite how this worked until your very clear explanation.  What you said makes perfect sense to me.

Thank you.

Offline mac

Unable to locate the post just now but on the old forum PCNetSpec made a comment something like he'd be more secure running an unsupported Linux distro than a fully supported Windows OS.  He's right, of course.  You're fine with P4.  Also, unless your modem is something weird it provides firewall protection as do most routers. 

Offline mac

PCNetSpec's brilliant explanation of DNS in a visual format...
http://www.youtube.com/watch?v=2ZUxoi7YNgs

Offline perknh

Mac,

I remember reading that post too!  It was ages ago, and I, too, could not find it.  But remembering what PCNetSpec said, and the spectacular functioning of the two Peppermint 4 installations we are using now, are the reasons I'm sticking with 4 for the time being.  And the way time flies, Peppermint 5 will be here before we know it, and I bet it is going to rock.

I'm looking forward to the video. I'm certain it will be a brilliant presentation.  Thank you so much, Mac.

How I love this stuff!

perknh

P.S.

I just saw the video.  It was excellent.

« Last Edit: April 14, 2014, 11:49:20 am by perknh »

Offline mac

:)  You're welcome.   I tend to retain more / better if I have something to look at.

Offline perknh

Yes, me too.

And, Mac, I found the post we were looking for.  Here it is -- nabbed from the old forum, and it's fun to read again.

The question was asked by rmcellig.  Enjoy!

Post subject: Re: Is Peppermint 4 obsolete?   Posted: Sun Mar 16, 2014 8:19 am
Joined: Tue Apr 17, 2012 12:25 pm
Posts: 5521
Location: Cornwall, England
IMHO you're more secure running ANY version of Linux (end of life or not) with no security measures than running Win7/8 with fully updated AV and anti-malware.

On a webserver - it's probably not advisable to run any critical web facing services on a dead distro, but I'd still feel safer than running a Windows webserver :)

« Last Edit: April 14, 2014, 11:56:53 am by perknh »

Offline mac

That's the one!  Thanks.   ;)

Offline kendall

  • Administrator
  • Member
  • *****
  • Posts: 656
  • Karma: 133
  • Co-Founder
    • View Profile
For the sake of proper reference and archiving, I'm moving this to the Advanced topics board.
Peppermint is powered by VPS.NET Cloud Servers.