Slashdot Mirror


DNS Cache Poisoning Spreads Malware

Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."

19 of 314 comments

  1. How does this work? by bcmm · · Score: 2, Insightful

    Is this done basically by taking over insecure DNS servers or is something more subtle involved, e.g. making computers treat your machine as their DNS server instead?

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  2. Let's Kill The Golden Goose by ackthpt · · Score: 5, Insightful
    Sure, internet click-thrus generate money, but when they get so invasive and destructive, they'll drive people away from the internet. I can't imagine any advertiser likes that idea.

    Worse, perhaps, is that all these problems may encourage some horrible proprietary internet standards to arise, claiming safety from ad/spy/malware, phishing, etc. and all the cattle have to do is sign up, abandoning the old internet.

    --

    A feeling of having made the same mistake before: Deja Foobar
  3. Re:More reason to use Firefox by Anonymous Coward · · Score: 2, Insightful

    I bet that malware is Internet Explorer-specific.

    Yes. It's so great to use a web browser that doesn't rely on Microsoft technology like DNS...
    Oh, wait...


    Yes, the malware is almost certainly designed to install via IE, not other (better) browsers.
    Methinks the idiot here is the one who signed
    his post "Idiot"

  4. Djbdns - immune to DNS cache poisoning (?) by bad_outlook · · Score: 5, Insightful
    Anyone using Djbdns? I've set it up on my home network server running FreeBSD to provide dnscache for all my boxes within 192* and thus far it's working perfectly. From Djbdns' security page, it says that it's impervious to DNS poisoning:

    • "dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned. Records for foo.dom, for example, are accepted only from the root servers, the dom servers, and the foo.dom servers."

      "dnscache is immune to cache poisoning."

    Djbdns

    While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet. Anyone care to comment, please do, as I've just started using this and want to know how effective it is.

    bo
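    The bailiwick rule quoted above, as an added Python example that is not part of this thread and not djbdns code: a resolver-side filter that keeps only the records the answering server is allowed to vouch for. The record layout and the sample referral are constructed for illustration; names such as `ns1.foo.dom` are made up.

```python
# Added illustration of bailiwick checking, not code from djbdns or the thread.
from typing import List, NamedTuple, Tuple


class RR(NamedTuple):
    name: str    # owner name, e.g. "www.foo.dom."
    rtype: str   # record type, e.g. "A" or "NS"
    rdata: str   # record data, e.g. an IPv4 address


def labels(name: str) -> List[str]:
    """Split an absolute or relative domain name into lowercase labels."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it.

    The comparison is label-wise, so 'notfoo.dom' is NOT under 'foo.dom'
    even though a plain string suffix test would say it is. The root zone
    ('.') is the bailiwick of the root servers and covers every name.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and (len(z) == 0 or n[-len(z):] == z)


def filter_response(records: List[RR], server_zone: str) -> Tuple[List[RR], List[RR]]:
    """Split a response into records to cache and records to discard.

    server_zone is the zone the queried server is authoritative for; a
    cache that applies this rule ignores anything outside that zone,
    which is what blocks an A record for google.com riding along in the
    additional section of an unrelated answer.
    """
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, server_zone) else dropped).append(rr)
    return kept, dropped


# Constructed sample: an answer from the foo.dom servers for www.foo.dom
# whose additional section smuggles in two out-of-bailiwick A records.
SAMPLE_RESPONSE = [
    RR("www.foo.dom.", "A", "192.0.2.20"),    # the answer itself
    RR("ns1.foo.dom.", "A", "192.0.2.10"),    # glue inside foo.dom, fine
    RR("google.com.", "A", "192.0.2.66"),     # poison attempt, unrelated zone
    RR("notfoo.dom.", "A", "192.0.2.67"),     # string-suffix near miss, also dropped
]

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_RESPONSE, "foo.dom.")
    print("cached:  ", [r.name for r in kept])
    print("ignored: ", [r.name for r in dropped])
```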

  5. The most frightening part... by loopsandsounds · · Score: 5, Insightful

    If you read down the SANS presentation you come to this:

    The following list shows how far-reaching this attack proved to be. The list is a small, categorized excerpt of the 665 domain names from his site (with my short notes) that were being re-directed to hostile web servers. It is very important to note that e-mail, FTP logins, HTTPS sessions, and other types of traffic were also being re-directed to the malicious servers. We do not believe that the attacker was reading e-mail or collecting passwords, but we have no conclusive proof to assert either theory.

    Totally browser/machine agnostic attacks, no user intervention. If you look at the names of the sites, many of them are financial institutions! And all of those victims that click okay every time they get an "invalid certificate" message. Be afraid, very afraid.

    --
    I was throwing you the 48, but you made me switch to the 132.
  6. Re:Home Is Where the Heat Is by Winterblink · · Score: 1, Insightful

    You want DHS to make sure your google surfing doesn't fill your computer with spam? You're actually more concerned about that than some terrorist blowing up a kindergarten or something? Your priorities are truly fucked.

    --
    "I'm a leaf on the wind. Watch how I soar."
    -Hoban Washburn
  7. Re:How does it happen? by jon3k · · Score: 4, Insightful

    Unprotected DDNS (dynamic dns registration, Microsoft loves this one)

    And also you can feed a slave server your own zone; based on the nameserver configuration, it will work (very rarely).

  8. Yet another example of Windows messing up by Paradox · · Score: 4, Insightful
    Ahh, Windows. People use it for servers too.

    From TFA:
    Basically, the UNIX-based stuff has been secure against cache poisoning
    for quite some time, but there may always be a bug or design flaw that
    is discovered. We are not quite sure why Microsoft left a default
    configuration to be unsecure in NT4 and 2000. (Exercise to reader:
    insert Microsoft security comment/opinion/joke here, but keep it to
    yourself).


    The worst part about DNS cache poisoning is that it affects DNS nodes underneath it in the hierarchy. So if you're below a Windows DNS that gets attacked, you yourself may be subject even if your local DNS is in fact secure.

    Oh, and fear caching http proxy servers that touch DNS servers that get poisoned. They can keep the bad data around for a long time.

    --
    Slashdot. It's Not For Common Sense
  9. Re:How to stop DNS cache poisoning by MikeBabcock · · Score: 2, Insightful

    Running dnscache which is much more intelligent about how it handles cacheable data than BIND is high on my recommendations list.

    --
    - Michael T. Babcock (Yes, I blog)
  10. Re:Home Is Where the Heat Is by stinerman · · Score: 2, Insightful

    If enough DNS servers get bad info, we may have a hell of a time getting most of the Internet back to a workable state.

    Imagine the repercussions for national security and the economy if people were spoofing the NYSE or other important data center that distributes information that many people rely on.

    "Today the DJIA dropped 5,000 points, oil is trading at $200/barrel, etc."

  11. Re:simple by fimbulvetr · · Score: 2, Insightful

    Except that there is nothing to say that the 0 day server would have to even offer the person encryption (So the person wouldn't be prompted for an invalid certificate).
    Unless the person actually noticed the secure symbol missing from their browser, they would never know. I doubt many people notice this missing.
    Even if they did notice the secure symbol missing, it's likely they would think to themselves "Well, maybe it only shows up AFTER I log in.", in a case like that, they'd be a little too late...

  12. I've seen this by benjamindees · · Score: 3, Insightful

    For months now, since at *least* the first of January. It's mostly been google.com, redirecting to some odd webpage, but not any of the ones listed.

    I figured the problem is that I was pointing to an old DNS server for SBC. They won't give you the IPs of the new DNS servers unless you fire up their awful PPPoE program. We use Linux, and this incident has been an excuse to remove the last few Windows computers from the network. It'll probably also be an excuse to rid ourselves of SBC's horrendous services.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  13. Re:April Fools Idea by Anonymous Coward · · Score: 1, Insightful

    Might be that the 3. Profit!!! joke has been made so many times on Slashdot that it is implicitly redundant. Not an invalid point of view.

  14. Re:More reason to use Firefox by menkhaura · · Score: 2, Insightful

    Yes.

    What was written in that dialog again?

    --
    Stupidity is an equal opportunity striker.
    Fellow slashdotter Bill Dog
  15. Re:April Fools Idea by stratjakt · · Score: 2, Insightful

    How about not modding it at all, and perhaps replying with correct information? You know, dialogue, the exchange of ideas and information.

    I know you get a smug sense of self-satisfaction by just stamping "WRONG!" and wiping your hands of it, but that doesn't help anyone.

    You don't have to use your points on the first posts you see.

    --
    I don't need no instructions to know how to rock!!!!
  16. Re:More reason to use Firefox -- Yeah by gru3hunt3r · · Score: 4, Insightful

    DNS poisoning is not new. Using it for fraud is new. Defending against it (if you're Google) is difficult, but not impossible.

    I swear -- Technical people need to stop addressing these problems with solutions that are technically elegant but unrealistic.
    Yeah, lets secure all the nameservers on the Net! sure that'll work. Hell, we've only been doing DNS poisoning attacks for what? 12 years or so? hey well at least we finally got sendmail secure. Doh!

    The only way we're going to be able to stop bad guys is to start having applications that use more than one protocol to verify integrity AND start building in stronger independent crypto behind the scenes making it much much much harder to spoof. You don't have to change the whole protocol stack; we just need to share more information across protocols. Right now, when you compromise one protocol, you own the box. Aiiee!

    I'm actually happy this happened -- because I've felt the Net needed a big overhaul for a while. My parents can't safely use the Internet, neither can yours. And all us gunslingers who could keep them safe are too busy securing our damn nameserver, and dealing with joe jobs to do anything about it. The solution requires a more comprehensive look at the problem.

    If the bad guys are specifically targeting google with DNS poisoning, it's reasonable to assume it will undermine people's faith in Google. (ATTENTION FLAMERS: YES, I am aware the request was hijacked long before it got to Google -- but the end user won't be because they don't have a clue what DNS stands for or how it works).

    Seriously - what your mom/dad would take away from an explanation of DNS hijacking is "Go to google, get a virus" (read the previous article posted earlier today about how people don't understand technobabble) ..

    Does anybody else besides me find this whole thing incredibly ironic? People will see Google as being the problem, even though it's almost definitely Microsoft's fault. Damn.. sucks to be Google. (Okay, yeah.. honestly i'd love to have Googlesque problems, but also the Googlesque resources to solve them!)

    Anyway I think this sort of article hopefully illustrates to Google why they need to start promoting a secure browser which isn't subject to malware attacks the way IE is; it really is in their best interest -- and although it has a minimal cost impact to them, it has a huge long term impact to the net community. Honestly, I believe if Google offered a "safer" online experience -- i'd put my parents on it in a second, I think everybody here would too. I don't trust Yahoo, MSN, Ask Jeeves, etc. or any of those companies with the tender care of my parents' Internet experience.

    I say Google - rather than just "firefox", because if Google put Gbrowser on their homepage you know it'd have a 30% usershare virtually overnight -- maybe more. They install the google toolbar, it transmits information about where you're surfing to google -- BUT it also checks with Google to make sure you're at a "safe site" --

    OKAY so you want a real example -- how about a simple one -- why not a modified robots.txt with an entry that included a list of the valid IPs for the SOA for your root domain for the next 30 days. Boom, they already pick up robots.txt -- BUT now they can authenticate that the DNS wasn't poisoned using google toolbar. Sexy huh?

    I've got lots of ideas like this -- there are probably 5 things sites could *OPTIONALLY* do, that merge application stacks -- but at the same time it would make it necessary for a phisher to compromise MULTIPLE hosts, across MULTIPLE protocols -- thereby making it *statistically* impossible.

    (NOTE: If I seem brilliant it's only because i'm standing on the shoulders of Giants. I love how SPF uses DNS to authenticate mail servers -- it's non-intrusive, but an illustrative example of the types of solutions that we as a technical community need to solve problems)

  17. Google Sponsored Ads for Firefox/Spybot are scams by quokkapox · · Score: 2, Insightful
    Last week I recommended Firefox to one of my clients. He Googled for "firefox". First actual result would have correctly taken him to getfirefox.com, but he chose to click on the Sponsored Ad, which takes you to www.freedownloadhq.com - who offers "free Firefox downloads" for $19.95.

    He said "Hey, I thought it was supposed to be free, but they're asking me for my credit card number!" He quickly realized it was a scam site, but many others will not.

    Perhaps this is also what your friend did. I just googled for Spybot Search and Destroy, and the first sponsored ad is for noAdware.net which itself is spyware.

    There's no incentive for Google to prevent this because they're making money. I wonder if slashdotters could nickel-and-dime the scammers to death. Firefox costs ~ $0.10, Spybot ~ $0.20. Let's try, firefox and spybot - click all the scam Sponsored Ads you see. Repeatedly if desired.

    --
    it's a blue bright blue Saturday hey hey
  18. DJB Says by illuminatedwax · · Score: 2, Insightful

    I told you so!

    Time to stop running BIND and Windows, people.
    djbdns is easier to set up by leaps and bounds, anyway.

    --
    Did you ever notice that *nix doesn't even cover Linux?
  19. Re:Question by Anonymous Coward · · Score: 1, Insightful

    In the case of opera, most phishing sites don't work. :)

    Sadly, neither do most legitimate online banking sites. :(

    /Opera user since v3