
DNS Changer

Created: 13 Dec 2011 | 8 comments
Rick Bywalski

I am getting a report from one of my security vendors that I may have a DNS Trojan loose in my network somewhere. The problem I am having is locating it. In theory SEP is on every machine in the company. Symantec is not giving any alerts on this. The firewall is showing the traffic as coming from a legit DNS server. What I suspect is that someone is bringing in a machine from home in an office that has no IT presence in it, hooking it into the network, and picking up that server as its DNS server via DHCP. Questions:

Does SEP detect DNS Changers and, if so, as what?

Any thoughts on how I can reveal the IP address of the machine that is causing the traffic?

I have had the server looked at and a security audit done on it by a 3rd party that I trust, and they see no indication of an infection on the server.

Comments

Swapnil, 13 Dec 2011

Symantec Endpoint Protection
Traffic from IP address x.x.x.x is blocked from [date][time] to [date][time]
[SID: #####]

Yours just says "Denial of Service". This likely means it's being blocked by denial of service detection, not by signature. (Intrusion Prevention Policy > Settings > Enable denial of service detection)

Why not just include the IP as an excluded host? (Intrusion Prevention Policy > Settings > Enable excluded hosts, then add in your printer's IP)

http://www.symantec.com/business/support/index?page=content&id=TECH97176&locale=en_US

Additionally, check the install guide.

I have read somewhere that there is an option to check DNS or DHCP records in SEPM policies:

http://www.upenn.edu/computing/virus/docs/sep/110x/Installation_Guide_SEP11.0.6.pdf

Swapnil

SOC Team .

Please don't forget to mark your thread solved with whatever answer helped you.

Marius Salay, 14 Dec 2011

Hello,

SEP will detect DNSChanger as Trojan.Flush.K or as Trojan.DNSChanger.

Have a look: http://www.symantec.com/security_response/writeup.jsp?docid=2007-011811-1222-99

regards,

Marius

Rafeeq, 14 Dec 2011

Hi,

Enable Risk Tracer; you will find the source.

http://www.symantec.com/business/support/index?page=content&id=TECH102539

Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq

FbacchinZF, 14 Dec 2011

Have you found out what was causing the traffic ?

Hey Rick,

Have you found the DNS changer?

Please tell us how and what you have found.

James-x, 14 Dec 2011

Hello Rick,

I'm a little confused by your original post, but I'll give it my best shot.

It sounds to me that you're concerned that some of the machines in your environment may be using wrong DNS servers for DNS queries and that you think the cause of this may be a machine (or machines) on the network infected with a threat.

Can I ask what information led you to believe this? If it was a report from a security product (or security staff), then does the report list the hostnames or IPs of computers they believe are affected?

If you can get hold of a machine having this problem, you can run the command ipconfig /all from the Command Prompt and view the IP addresses of the DNS servers being used by that machine. Once you know the IP addresses of the DNS servers (assuming they are on your network), it should be fairly simple to trace the IP back to a MAC address. And once you know the MAC address, you should be able to locate the physical port on your network.

Hope this helps.

Regards,

James

The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!
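James's procedure above (read the DNS servers out of ipconfig /all, then map the IP to a MAC to find the switch port), as an added example that is not code from this thread or from Symantec: Python that parses constructed ipconfig /all and arp -a output, flags any DNS or DHCP server that is not on a hypothetical approved list, and pairs it with the MAC address to take to the switch. The sample output, the approved-server list and the site layout are all constructed for illustration.

```python
import re

# Constructed sample of "ipconfig /all" output from a suspect PC (not real data).
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.5.23(Preferred)
   DHCP Server . . . . . . . . . . . : 10.0.5.77
   DNS Servers . . . . . . . . . . . : 10.0.5.77
                                       10.0.0.10
"""
# Constructed sample of "arp -a" from the same PC (not real data).
ARP_SAMPLE = """\
Interface: 10.0.5.23 --- 0xb
  Internet Address      Physical Address      Type
  10.0.5.1              00-11-22-33-44-55     dynamic
  10.0.5.77             aa-bb-cc-dd-ee-ff     dynamic
"""
# Hypothetical approved servers for this site; anything else is suspect.
APPROVED = {"dns": {"10.0.0.10", "10.0.0.11"}, "dhcp": {"10.0.5.1"}}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ARP_ROW = re.compile(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})", re.I)

def parse_ipconfig(text):
    """Return {'dns': [ips], 'dhcp': [ips]}; the DNS Servers value may spill onto
    following indented lines that carry no 'key :' prefix."""
    found, current = {"dns": [], "dhcp": []}, None
    for line in text.splitlines():
        if ":" in line:                       # a new "key . . . : value" row
            key, _, value = line.partition(":")
            key = key.strip(" .").lower()
            current = {"dns servers": "dns", "dhcp server": "dhcp"}.get(key)
            if current:
                found[current].extend(IPV4.findall(value))
        elif current and line.strip():        # continuation of the previous row
            found[current].extend(IPV4.findall(line))
        else:                                 # blank line ends any continuation
            current = None
    return found

def parse_arp(text):
    """Map IPv4 address -> MAC address from arp -a output."""
    return {m.group(1): m.group(2).lower() for m in map(ARP_ROW.match, text.splitlines()) if m}

def find_rogue_servers(ipconfig_text, arp_text):
    """List (role, ip, mac or None) for DNS/DHCP servers not on the approved list;
    the MAC is what you take to the switch's address table to find the physical port."""
    cfg, arp = parse_ipconfig(ipconfig_text), parse_arp(arp_text)
    return [(role, ip, arp.get(ip)) for role in ("dns", "dhcp")
            for ip in cfg[role] if ip not in APPROVED[role]]
```

A MAC of None means the server is not on the local segment (or has aged out of the ARP cache), in which case the trace continues from the router's ARP table instead.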

Rick Bywalski, 15 Dec 2011

We think we found it; it's been 2 days so far since I got an alert. We did see traffic that gave indications of the infection going to an IP address and port known to be used by this infection. We narrowed it down to an office based on the time of day and week that it was happening and realized we only had one small office open at that time. One user there was complaining of performance issues, so we resorted to using several different scanners in addition to SEP, and they found several infections that were removed. With the office the user is in I have limited visibility as it is currently configured; hoping to change that in the coming months.
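Rick's narrowing-down by time of day and weekday, as an added example not from the thread: Python that selects the firewall log lines matching a placeholder indicator (destination address and port), then intersects the set of offices open at each hit time against a hypothetical office schedule, so that only offices open during every hit remain. The log lines, the indicator and the schedule are all constructed for illustration.

```python
from datetime import datetime

# Constructed firewall log lines (syslog-like, not real data). The source is the site's
# legitimate DNS server, as in the original post, so only timing tells the offices apart.
FW_LOG = """\
2011-12-13T02:14:07 allow src=10.0.0.10 dst=192.0.2.50 dport=53
2011-12-13T02:19:41 allow src=10.0.0.10 dst=192.0.2.50 dport=53
2011-12-13T09:05:12 allow src=10.0.0.10 dst=198.51.100.7 dport=443
2011-12-14T03:02:33 allow src=10.0.0.10 dst=192.0.2.50 dport=53
2011-12-17T01:45:10 allow src=10.0.0.10 dst=192.0.2.50 dport=53
"""
# Placeholder for the address/port from the vendor's report (not a real indicator).
INDICATOR = ("192.0.2.50", 53)

# Hypothetical office schedule: weekdays open (Mon=0) and local opening hours [start, end).
OFFICES = {
    "HQ":       {"days": range(0, 5), "hours": range(8, 18)},
    "Branch-A": {"days": range(0, 5), "hours": range(7, 16)},
    "Depot":    {"days": range(0, 7), "hours": range(0, 24)},   # staffed round the clock
}

def parse_hits(log_text, indicator):
    """Return the timestamps of log lines whose dst and dport match the indicator."""
    dst, port = indicator
    hits = []
    for line in log_text.splitlines():
        tokens = line.split()
        fields = dict(f.split("=", 1) for f in tokens[2:])   # src=..., dst=..., dport=...
        if fields.get("dst") == dst and fields.get("dport") == str(port):
            hits.append(datetime.fromisoformat(tokens[0]))
    return hits

def offices_open_at(when, offices):
    """Set of office names open on that weekday at that hour."""
    return {name for name, s in offices.items()
            if when.weekday() in s["days"] and when.hour in s["hours"]}

def candidate_offices(log_text, indicator, offices):
    """Offices open during every observed hit. An empty set means the schedule is
    incomplete or the source is not an office machine at all."""
    hits = parse_hits(log_text, indicator)
    if not hits:
        return set()
    candidates = offices_open_at(hits[0], offices)
    for when in hits[1:]:
        candidates &= offices_open_at(when, offices)
    return candidates
```

Once the candidate set is down to one office, the ipconfig /all check on that office's machines is the natural next step.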


Mithun Sanghavi, 19 Dec 2011

Check this BLOG

Hello,

Check this Symantec blog:

DNSChanger Fraud Ring Busted

https://www-secure.symantec.com/connect/blogs/dnschanger-fraud-ring-busted

Hope this is useful.

Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3

Follow me on Twitter: @mithun_sanghavi

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

lamarrk, 01 May 2012

Are we safe from DNSChanger if we have Symantec?

I've read the blog. I've read about Trojan.Flush (first identified in 2007).

The question is: will SEP 11 and SEP 12 protect against the current DNSChanger risk?

Will it detect, delete, clean, quarantine, or what?