Slashdot Mirror


DNS Cache Poisoning Spreads Malware

Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."

17 of 314 comments

  1. How does it happen? by caluml · · Score: 1, Interesting

    I've not really looked into it, but how do you go about poisoning DNS?

  2. Re:colored alerts by delta_avi_delta · · Score: 4, Interesting

    You know the British secret service use color coded bikinis for terror alert levels. Black-Special Bikini has got to be the coolest alert level around :)

  3. Home Is Where the Heat Is by Doc+Ruby · · Score: 2, Interesting

    Isn't this kind of attack on the global Internet exactly the kind of thing that Homeland Security's "Cybersecurity" department is responsible for stopping? What are we paying them billions of dollars, and suspending our liberties, to do? While we're at it, what's the difference between National security, Homeland security, and Defense? Aren't they all just riding a single planebombing to unchecked power and riches, without accountability or results?

    --
    make install -not war

    1. Re:Home Is Where the Heat Is by notthepainter · · Score: 2, Interesting
      The attacks on the WTC towers were not designed to kill people. Yes, they did do that, and an awful lot of people were killed.

      The attacks on the WTC were an economic attack, and as such, were exceptionally successful. Witness how much has been spent in Afghanistan and Iraq since then. The attacks on the WTC towers were a liberty attack, and as such, were exceptionally successful.

      If Osama bin Laden wanted to kill a lot of people, he could have found far better ways to do it, but that wasn't his goal.

      Sadly, the present administration has played right into his hands. And that is sad.

      Don't get me wrong, it is a tragedy that those people died. But that wasn't his goal.

      So yes, one of the real jobs of the DHS is to protect the economy. Very odd that, but true nonetheless.

      (and yes, I did lose a friend on the plane that went down in PA..., not that that would change my viewpoint.)

  4. Re:April Fools Idea by dAzED1 · · Score: 3, Interesting

    the mod adjectives have needed to be changed for years. What do you do when someone isn't flamebait or trolling, they simply don't know what they're talking about? Mod them "overrated?" But what if they're only a 1 or 2? There are other problems. I generally have a pretty damn hard time modding most posts. I don't know how I spent as many points as I used to have.

  5. Funny How Easy this is to prevent by Anonymous Coward · · Score: 1, Interesting

    Damn, if only I had checked the "turn on security" box!!

    From MSFT (http://support.microsoft.com/default.aspx?scid=kb;en-us;241352)

    NOTE: On Windows 2000, you can perform the same entry in the GUI. Use the following steps to do this:

    1. Open DNS Management Console by clicking Start, Programs, Administrative Tools, DNS.
    2. Right click on the server name in the left window pane.
    3. Choose Properties.
    4. Choose the Advanced tab.
    5. Place a check in the box "Secure cache against pollution".
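    What that checkbox enforces is a bailiwick check: the resolver caches only records whose owner name falls inside the zone the queried server is authoritative for, so an answer for one name cannot smuggle in a bogus A record for google.com. The Python model below is an added example (not from the thread or Microsoft's KB); the record names, addresses and the `example.com` zone are constructed.

    ```python
    # Added example: a model of the "secure cache against pollution" check.
    # A resolver that caches every record in a response can be handed a bogus
    # A record for www.google.com inside an answer for an unrelated name; the
    # check keeps only records whose owner name sits inside the zone the
    # queried server is authoritative for (its "bailiwick").
    from dataclasses import dataclass

    @dataclass(frozen=True)
    class RR:
        name: str    # owner name, e.g. "ns1.example.com."
        rtype: str   # "A", "NS", ...
        rdata: str   # e.g. "192.0.2.53"

    def _norm(name: str) -> str:
        return name.rstrip(".").lower()

    def in_bailiwick(name: str, zone: str) -> bool:
        """True if `name` is `zone` itself or a subdomain of it.
        The leading dot matters: notexample.com is NOT inside example.com."""
        n, z = _norm(name), _norm(zone)
        return n == z or n.endswith("." + z)

    def filter_response(records, zone):
        """Split a response into records the server for `zone` may speak for
        and records it may not. `zone` must come from the parent's delegation,
        never from a zone name claimed inside the response itself."""
        accepted, rejected = [], []
        for rr in records:
            (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
        return accepted, rejected

    # Constructed response from a server delegated example.com: legitimate
    # glue for its own nameserver plus two out-of-bailiwick records of the
    # kind a poisoning attempt needs the resolver to cache.
    RESPONSE = [
        RR("www.example.com.", "A", "192.0.2.10"),
        RR("example.com.", "NS", "ns1.example.com."),
        RR("ns1.example.com.", "A", "192.0.2.53"),
        RR("www.google.com.", "A", "198.51.100.7"),           # not this server's to answer
        RR("americanexpress.com.", "NS", "ns1.example.com."),  # ditto
    ]

    def demo():
        return filter_response(RESPONSE, "example.com.")

    if __name__ == "__main__":
        ok, dropped = demo()
        for rr in dropped:
            print(f"dropped out-of-bailiwick record: {rr.name} {rr.rtype} {rr.rdata}")
    ```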

  6. Re:April Fools Idea by afd8856 · · Score: 3, Interesting

    I also had your problem. I've decided to give up on moderation and read slashdot at -1.
    There are a lot of interesting things to be said at that level, too :)

    --
    I'll do the stupid thing first and then you shy people follow...

  7. Re:windowsupdate.microsoft.com? by The+Bungi · · Score: 1, Interesting
    It's interesting that when Peter Torr brought up the issue of Mozilla not signing their packages he was massively flamed by all the retard fanboys, who of course got wind of his "criticism" from the ever-helpful Slashbork.

    Shortly thereafter, Mozilla mysteriously started signing their packages.

    I wonder who would have gotten flamed if someone had trojaned a few million Firefox users using this method. Ah well, we all know open source is perfect, so this type of speculation is pointless.

  8. Bah! by Anonymous Coward · · Score: 1, Interesting

    I submitted this story on Friday, April 1st, but Slashdot was too damn busy with April Fool's pranks to publish it. It got rejected within minutes.

    That's when I realized the Slashdot editors are more interested in puerile humor than in actually notifying their readers of important information that could save them headaches, time and money.

  9. SANS vs. the rest of the security community. by tsu+doh+nimh · · Score: 5, Interesting
    Washingtonpost.com is running an interesting story about how SANS is really the only major player in the security community that is making any noise about this.

    ...(snip..)

    ...."But here's the rub: Symantec Corp., which maintains tens of thousands of "sensors" at various points around the Internet to pick up signs of Internet attacks, said it isn't seeing anything out of the ordinary with DNS attacks.

    Dave Kennedy, director of research services at Herndon, Va.-based Cybertrust (formerly TruSecure), had this to say about the reports: "It's been nearly a month since SANS started ringing their alarm bells over this and maybe I'm not looking in the right places, but I'm grading this as hype until I see some independent support."

    Russ Cooper, Cybertrust's chief technologist, put it this way: "In my opinion, our industry's credibility comes from further reports from multiple sources. We run a very large operation worldwide, and we've looked for signs of what SANS is talking about, but we're just not seeing it."

    All of this may seem like an academic debate to those who claim to have been victimized by these attacks.

    On March 24, Ken Goods, a computer network administrator for a mid-sized insurance company in Idaho, learned that the company's DNS servers had been attacked when employees began reporting that their Internet browsers were being redirected to a Web site hawking generic Viagra and other prescription drugs.

    "I kept trying to go to Google to research the problem, but even though my Web browser said I was at Google.com, the only content that showed up was this pharmacy site," said Goods, who asked that his employer not be named because the company is still in the process of fixing the problem.

    John, a systems administrator for a major U.S.-based manufacturing company, said a DNS poisoning attack like the one SANS described last month led to Internet problems for roughly 8,000 of his company's 20,000 employees. John asked that his surname and employer's identity be omitted from this story because the company is trying to determine if it is still vulnerable.

    In the following weeks, several more attacks ensued that sent victims at John's company to Web sites advertising penis-enlargement pills.

    Marcus Sachs, director of SANS and a former White House cyber-security adviser, said the security industry's response to their alerts about the attacks has been little more than a collective "yawn." Meanwhile, Sachs said, it appears the Internet connection at a San Diego hotel where the organization is holding its annual conference this week also was hit with a poisoning attack (the guy at the hotel who handles Web site security hasn't yet returned my calls.)

    "People are waving this off and saying 'This is nothing new, we've seen this kind of thing before, let's move on.' But the consensus amongst the SANS folks is that something doesn't feel right here, and that there's more to this story than meets the eye. We feel like there's something deeper going on here, but the fact is there are not a lot of people out there in the security industry who are willing to dig deep and get to the bottom of this."

    --
    ...because you never know who you're dealing with.

    1. Re:SANS vs. the rest of the security community. by httptech · · Score: 2, Interesting

      The problem is, by hijacking high-traffic sites, they get noticed fairly quickly. Plus the servers they hacked to host their fake search engine could barely keep up with the load, making all the extra traffic futile.

      If they had kept a lower profile they probably could have gotten away with the hijacking indefinitely - but these guys don't think long-term (fortunately for us). And it looks like they've stopped the hijacking for now, probably only due to the attention they've gotten in the press in the last week.

  10. Re:Yes and no. by MikeBabcock · · Score: 2, Interesting

    Opportunistic encryption (ipsec) enabled for all root DNS servers would be a nice start. Published keys, etc.

    At least then we'd know the root data was from the roots.

    --
    - Michael T. Babcock (Yes, I blog)

  11. Re:Admin vs User by tokabola · · Score: 2, Interesting

    C.E.R.T. (Computer Emergency Response Team) is the agency you're thinking of. They probably have said lots about this and nobody listened. Just like when they warned people to use any browser besides Internet Explorer, yet if you go to any library and check the public access terminals, or into any government agency and check, you'll still see IE on ALL of them.

    I myself don't want the US government (or any country's government) in charge of the internet - Governments can't be trusted not to abuse any authority they get. They always have, and until humans are much, much wiser than we currently are they will continue doing so.

    Tommy

    --
    Open Source for Open Minds

  12. FTA by bitswapper · · Score: 2, Interesting

    "(Basically, the UNIX-based stuff has been secure against cache poisoning for quite some time, but there may always be a bug or design flaw that is discovered. We are not quite sure why Microsoft left a default configuration to be unsecure in NT4 and 2000. (Exercise to reader: insert Microsoft security comment/opinion/joke here, but keep it to yourself)."

    mmphm...!

  13. Re:Djbdns - immune to DNS cache poisoning (?) by bad_outlook · · Score: 2, Interesting

    Good points, I do not have FORWARD_ONLY set, and I am using the default DNS list in ../servers/@ that was in there when I installed. I am wondering if I should add my DNS servers from my ISP (Speakeasy) to the top of that list, or just leave them out altogether. Docs on multiple sites were not specific about this. Advice? Which is safer?

    bo

  14. Study shows it could be much worse... by Timothy1965 · · Score: 3, Interesting
    A group of researchers at Cornell looked at the DNS poisoning problem (article here) and found that
    • many names were vulnerable to DNS poisoning because they depended on lots of nameservers. Some names in some country-code TLDs, like the Ukraine, were depending on 600+ nameservers.
    • some key nameservers controlled a large portion of the namespace. Compromise one of those nameservers, and you can hijack a lot of domains.
    • some crucial names were not protected well. For instance, fbi.gov could be hijacked!
    Easy way to get on the FBI's most wanted list. You try to hijack fbi.gov, and you'll end up on the most wanted list even if you fail.
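    The "depends on 600+ nameservers" finding comes from transitive trust: resolving a name trusts the nameservers of its zone and of every parent zone, and in turn whoever serves the zones those nameservers' own hostnames live in. The Python below is an added example (not from the thread or the Cornell paper) that computes that dependency set, and the reverse view of how many zones a single nameserver controls, over a constructed delegation table; every zone and hostname in it is made up, and root servers are left out.

    ```python
    # Added example: transitive nameserver dependencies of a DNS name, over a
    # constructed delegation table (zone -> its NS hostnames). Root servers are
    # omitted since every name depends on them equally.
    def enclosing_zones(name, ns_table):
        """Yield the zones in ns_table enclosing `name`, closest cut first:
        'www.sprawl.com' -> 'sprawl.com', 'com'."""
        labels = name.lower().strip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in ns_table:
                yield zone

    def dependencies(name, ns_table, seen=None):
        """Every nameserver hostname that must answer honestly for `name` to
        resolve correctly, direct and transitive. `seen` also stops the
        recursion on in-zone glue such as ns1.tight.com serving tight.com."""
        seen = set() if seen is None else seen
        for zone in enclosing_zones(name, ns_table):
            for host in ns_table[zone]:
                if host not in seen:
                    seen.add(host)
                    dependencies(host, ns_table, seen)   # who serves the NS's own name?
        return seen

    def exposure(ns_table):
        """Reverse view: for each nameserver, the number of zones in the table
        that a compromise of that single host would let an attacker hijack."""
        counts = {}
        for zone in ns_table:
            for host in dependencies(zone, ns_table):
                counts[host] = counts.get(host, 0) + 1
        return counts

    # Constructed data, not real DNS. tight.com is self-hosted; sprawl.com
    # outsources to two providers, one of which outsources its own backup.
    NS_TABLE = {
        "com": {"a.gtld-servers.net", "b.gtld-servers.net"},
        "net": {"a.gtld-servers.net", "b.gtld-servers.net"},
        "org": {"a0.org-servers.net"},
        "gtld-servers.net": {"a.gtld-servers.net", "b.gtld-servers.net"},
        "org-servers.net": {"a0.org-servers.net"},
        "tight.com": {"ns1.tight.com", "ns2.tight.com"},
        "sprawl.com": {"ns.dnshost.example.net", "ns.dnshost.example.org"},
        "dnshost.example.net": {"ns.dnshost.example.net", "ns.backup.example.org"},
        "dnshost.example.org": {"ns.dnshost.example.org"},
        "backup.example.org": {"ns.backup.example.org", "ns.dnshost.example.net"},
    }
    ```

    With this table `www.tight.com` depends on 4 hosts and `www.sprawl.com` on 6, even though both have exactly two NS records.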

  15. Re:Question by Ryosen · · Score: 2, Interesting

    >>In the case of opera, most phishing sites dont work. :) Sadly, neither do most legitimate online banking sites. :(

    My bank works just fine with Opera and has since v6, when they introduced the service. Granted, I don't have an animated paper clip to help me along with the arduous task of checking my balance, but that's the sacrifice that I am willing to make for a browser that works.

    In Opera's defence, making a product that adheres to Web standards and doesn't encourage the continuing bifurcation and blatant disregard for standards that Microsoft's Internet Explore-Embrace-Extend-er does, isn't necessarily a bad thing.

    The only sites that I have had any problems with are those that require ActiveX controls (which, I'm relieved to see, are becoming fewer) and extended JScript commands that are used to manage some dynamic menu effects which are mostly useless to begin with. If my dynamic menu scripts can work in all browsers, there's no reason why others can't, too. Well, other than ignorance and laziness...

    --
    Ryosen
    One man's "Troll, +1" is another man's "Insightful, +1".