Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNS Cache Poisoning Spreads Malware

Posted by timothy on from the cold-hard-cache dept.

Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."

4 of 314 comments (clear)

  1. Re:If this is such a big deal... by Wizy · · Score: 5, Informative

    We have. This has been a known problem since early 1997. It is well documented in the IRC community (admins and coders.)

    Documents like this one from 1997: http://www.cs.rpi.edu/~kennyz/doc/unix/dns.spoof

  2. Re:windowsupdate.microsoft.com? by Anonymous Coward · · Score: 5, Informative

    Has anybody tried to redirect windowsupdate.microsoft.com? That could potentially install malware at massive privilege levels and therefore impossible to remove. And it's done automatically.

    Automatic updates that are not signed and verified will not install.

  3. Re:How does it happen? by Anonymous Coward · · Score: 5, Informative
    There are a few ways. Off the top of my noggin:
    • If your target DNS server is running Microsofts DNS server, on W2K SP 1 or 2 (this may have been patched, I dunno), you can poison DNS using an alias. It's simple. You have to have control of a zone (say realzone.com) and a DNS server. You create a zone on your dns server under the name you want to poison, say example.com. Your DNS server thinks it is authoritative for the example.com zone. Next you create a host record in example.com that points to a host you control. In your real zone (realzone.com), you create a CNAME record for a host like spoof that points to hostname at example.com, like www.example.com. Then you point your local stub resolver at the target DNS server (most DNS servers will resolve for anyone by default). When you try to lookup spoof.realzone.com, the target DNS server will find your dns server. Your dns server will see that spoof.realzone.com is a CNAME for www.example.com and look that up. Since it thinks it is authoritative for example.com, it will ask itself, and returh that IP address to the target DNS server. Now it is in the targets DNS cache. Anyone who tried to resolve www.example.com from that DNS server will get the IP address of the host you defined in the example.com zone. Spoof!.
    • Another way is to sniff the traffic of the target DNS server and when it tries to resolve a host name, feed it the result of your choosing before the recursive query finishes. The first response wins, generally.


    There are probably other ways, but it isn't hard.

    The bottom line, DNS is an untrustworthy system.
  4. Re:How does this work? by Stuwee · · Score: 5, Informative
    From memory, classic DNS poisoning goes something like the following:
    1. Pick any DNS server which isn't authoritative for the domain which you wish to poison with the IP of your choosing. Something like your ISP's DNS server will work nicely.
    2. Send a legitimate DNS request to the server for a domain which is authoritative under a server you are in control of, and which your choosen server (and any in-between it and your own server) won't already have in its cache.
    3. When the request for the domain comes into your server, you have the sequence number which originated from your target DNS server. The idea with this sequence number is that your reply to the originating server contains the number, and hence the server knows which request is being replied to. Here is where the vulnerability comes in.
      Earlier versions of BIND use sequential sequence numbers in each request; nowadays pseudo-random numbers are used. What we're really after here is the next sequence number, or at least an idea of what it might be. In the case of sequential numbers, you have a rather small range of next sequence numbers. If your pseudo-RNG isn't cryptographically secure, it's possible to guess the next number in the sequence (for which you might want to make a few legitimate requests to your target server to observe the sequence).
    4. Next up, make a request to your target server for the domain which you want to take control of. For this to work, your target DNS server must send out a further request for this domain. Since you have an idea of the sequence number which has been sent out with this request, you can now start flooding the target DNS server with false replies.
    5. The ultimate goal is that you will hit the correct sequence number with your false reply before the legitimate reply comes in, hence poisoning the DNS. Further requests to your target server within the record timeout (which you may specify yourself in your false replies, so they can last quite a while) will be replied to with a cached version containing your poisoned IP.
    6. Watch the requests come in for the content to your own IP, serve up appropriately.