back to article Rogue servers point users to impostor sites

Researchers have uncovered a large network of rogue servers that threatens end users by silently feeding them counterfeit versions of trusted websites. It's the internet equivalent of a telephone directory service intentionally giving an incorrect listing when someone asks for the number for Bank of America. Instead of …

COMMENTS

This topic is closed for new posts.
  1. Colin Wilson
    Coat

    Smitfraud has been doing this for a while

    I suspect this will become a much more common attack vector in the future (along with rootkit-alike hacks), given that most malware is now network aware, and automatically updates itself to keep one step ahead of the AV / Anti-Spyware companies.

    Perhaps we need some sort of "master" DNS server system for financial institutions, which must authenticate results from a non-master DNS server's results.

    In the short term, perhaps banks should give out their actual IP address on any statement, with a small explanation why they no longer give out "human readable" web addresses.

  2. Nexox Enigma

    Finally!

    There seems to be a good reason for the effort I spent getting my router to silently proxy all DNS requests through my dns server!

    So long as the malware can't hop through and get root on my router then I think my entire lan should be safe!

  3. Gordon Fecyk
    Boffin

    I'm a little confused with "Open Recursive" DNS servers; someone explain?

    Notably, I understand Recursion is an important feature that lets DNS servers, that aren't otherwise authoritative for a certain domain, perform and cache lookups for said domain and other domains.

    I've had one client complain to me that a Win2K DNS server supported Recursion and therefore was some kind of security risk. But I go to turn Recusion off, and the Internet breaks completely -- no lookups outside domains with the client's network. So I go turn it back on.

    Now when I heard about DNS cache pollution I began poking into caches on a regular basis looking for obvious irregularities (microsoft.com pointing to a Chinese network for instance) and didn't find any. And I know MS and the BIND authors have patches for their implementations of DNS preventing cache pollution.

    But since when is Recursion by itself a major problem? I'm confused. Someone shed some light please? And do use English if possible...

  4. Lance

    @ Colin Wilson

    Many sites have more than on IP address. Many sites have more than one server. Many sites or housed at more than one location. Publishing an IP goes against what DNS is for!

  5. Sabahattin Gucukoglu

    Dangers of DNS

    This article is just not helping my brains at all. How did the user get the malware in the first place such that their resolvers were subverted? Certainly, not through a nameserver - it would have to be some other way that the user was sent to get it first, from an "Address" running - what, a web server that is being referenced by other rogue DNS servers? Why on earth are bad DNS sites in any way needing to be recursive? And how many open hosts were real bad, and how many just weak and cache-corrupted for evil? And last of all, where did they get these impressive figures - scan of the entire net's nameservers for answers to the address lookups of the vast majority of known-scammed sites? Nope, I need the paper.

    @Gordon Fecyk, re recursion: there's nothing wrong with recursion as such (some servers are deliberately configured to be open in spite of potential cache poisoning); like you say, you kinda need it. The rest of the world doesn't, though, so you'll have to somehow get your nameserver only to answer recursive queries from given netranges - those owned/operated by your clients. Running your own caches really is a very sensible thing to do, and is good to the net.

    The reason recursion is a "Risk" has more to do with the fact that DNS is a stateless protocol running on UDP. It usually takes just one UDP packet in both directions from query source to nameserver and back to get a recursive DNS query answered (and that's in total if the server need not chase up). Apart from the obvious fact that you don't want anyone that doesn't need your resources to get the benefits of your caches' RAM/CPU when you're following the recursion every time you get asked about places you've never heard about, opening recursion to everyone means giving a potential bad person the ability to cause your nameserver to make outbound queries whose results will be cached on the attacker's demand. (He may, in fact, be able to do this already, for instance by connecting to a service that does RDNS checks or sending mail so that an MX lookup is performed as part of the antispam check, but at least he usually can't make too much out of that when his goal is taking over your web browser.) Obviously, his idea is that you take the word of authority from the attacker as response to your nameserver's question, not data from the legitimately authoritative host, and then cache it for a suitably lengthy time (the time to cache the record is in the TTL field of the record the attacker forged, rather helpfully). If your attacker is on the same physical network as your nameserver, he can simply race a response to its queries before the genuine response gets in. And he can answer on behalf of your nameserver when it is queried from outside - so he can replace your web pages and take your incoming mail. If the attacker is not on your network, weaknesses in the randomness of certain aspects of generated packets (IP source port and query ID) can be learned by experimentation of an attacker - perhaps by making your nameserver query one under his control - and the suitable response to a malicious query (one for which the attacker actually wants you to cache bad data) anticipated and forged in the genuine server's address (this is much, much harder though; the patches for BIND were fixing exactly this kind of weakness - namely, by copying better code from BIND 8 into BIND 9).

    In summary: best not allow recursion when not necessary. It really makes sense. For local attackers, it's just asking for trouble - not that they haven't got other, much more result-giving alternatives to try (ARP spoof ...) in case that doesn't work. But if your nameserver is isolated somewhere near a border, attackers are still possibly able to do bad things - fill up your RAM and maybe poison you.

    I know it was barely English, but I hope that helped!

    Cheers,

    Sabahattin

  6. Glen Turner

    Recursion and security

    Hi Gordon,

    To answer your question about recursion.

    There are two types of DNS servers: authoritative and forwarding. You use an authoritative server to define records, such as all of the DNS records for example.edu.au. You use a forwarder to send host queries forward into the Internet's authoritative servers.

    Forwarders need to implement recursion. That is, given the name www.example.com.au they should return an IP address even if this means first looking up "au" at a root server, then "com.au", then "example.com.au", then "www.example.com.au". The design choice to place recursion on the forwarder rather than on the hosts was to avoid the implementation overhead of programming recursive lookup on all hosts -- they do a simple DNS query of the forwarder and the forwarder does all of the complex stuff.

    Forwarders should restrict the IP addresses for which they offer forwarding. This protects the Internet and the forwarder against DNS-based DoS attacks and protects the DNS forwarder from cache poisoning by persons unknown.

    Authoritative servers should not implement recursion -- a DNS server for "example.edu.au" should not be asked questions about "example.com", and if asked such questions it should deny the query. There is one edge case, the server should recurse for www.faculty.example.edu.au if it is also the server for example.edu.au.

    You'd think this would be easy to configure, and given enough machines it is. But many small networks run just one computer for all services: they certainly don't want to go and buy another server just to have distinct forwarders and authoritative servers. So complex DNS servers offer a feature that allows queries from inside the organisation to use a view which implements forwarding and recursion, and queries from outside the organisation to use a view which implements a non-recursive authoritative server.

    Let's review that. Large sites with many experienced IT staff prefer simple configurations. Small sites with inexperienced IT staff prefer complex configurations. The result, an Internet full of misconfigured DNS servers.

    What this paper implies is that enterprise networks should block DNS traffic which uses forwarders outside of their network. This is easily done. The firewall policy I wrote in AusCERT AL-1999.004 will do the job and contains secure BIND configurations too.

    Merry Christmas, Glen

  7. Kevin

    In response to Lance

    "Publishing an IP goes against what DNS is for!"

    Actually, the purpose of DNS is so you can enter a human readable address, rather than an IP address to get to a website. And no, DNS servers do not handle the load balancing of your web server farm/cluster. DNS will resolve a human readable address to one IP address. The balancing is handled internally, as is the resolution of sub-domains for the big ones. www.google.com will pull up one IP from the DNS servers. Mail.google.com is probably resolved by a google DNS server that received a question for the mail. portion of the known google.com.

    Interestingly, this is not the first example of name resolution being used to trick people. In a much more devious manner, Best Buy had an internal web page that matched their publicly available website but with different prices. So, when you go to the store and say you saw this TV at this price online, they can pull up the "internet" and show that you are wrong, when in reality they are pulling up an intranet mirror. They will ask to go home and print it out to prove it. They were caught and have played dumb, we'll see what happens. It should be criminal, but it probably won't some to anything more than a "stiff" fine and a hit in the court of public opinion.

  8. Anonymous Coward
    Boffin

    Re: In response to Lance

    What a bad choice of example... "www.google.com will pull up one IP from the DNS servers"

    I'm sorry, but that's just plain wrong... it will return one or more IPs from a pool (it's returning 3 to me, changing each time), which is a simple form of load balancing... it's not a reliable form of load balancing, but it can be enough to ensure that some traffic goes to datacentre 1 and some to datacentre 2

    They probably have proper load balancers on each of the returned address (we know that google has literally hundreds of servers!), but DNS round robin is a simple first layer.

  9. The Sceptic
    Stop

    My 2 cents worth on Microsoft DNS\HTTPS security

    Internet Explorer is inherently flawed when it comes to redirection - especially to secure sites accessed through DNS. Goto anyone of their sites almost (hotmail.com) from IE and it goes straight in - try it from another browser (Firefox) and you will get a warning stating the certificate is not actually for that site but another Microsoft site - Why does IE not highlight this?

    Certificate Authorities provide such basic information relating to their certificates that in the end it comes down to guess work to proceed or not. They defeat the purpose of the certificate almost and as in our global economy are happy to sell to anyone who provides any details as long as they pay with minimal checks - again defeating the point.

    This isn't a new practice, our organisation have utilised this our selfs when a server crashed & one had to be put into place quickly - it the way of the world in production environments but the service providers who grant access to the individuals who do this un monitored should be held accountable as should the authorities investigate the matter.

  10. Duncan Hothersall
    Stop

    Wait a minute

    Maybe my DNS has been compromised, and that is why when I read news sites I keep getting made-up stories about terrorist plots interspersed with normal news, to try to subdue me with fear. Very clever! I better go and check my settings...

  11. shane
    Go

    in response Gordon Fecyk open recursive

    A open recursive DNS server is a DNS server that will perform recursive queries for any client anywhere. For example some major ISPs DNS servers will accept dns queries from any public IP address not just their customer's ips. It isnt a proper implementation of DNS as it leaves DDOS and cache poisoning easier to perform

  12. Stu
    Dead Vulture

    Affected customer base? figures?

    It seems to me this article is pretty scare-mongery - There aren't any real facts in there about how prevalent this problem is.

    For instance, my ISP provides me with my DNS server - are you actually saying that there are servers higher up in the hierarchy underneath the root servers that serve MY DNS server, and hence me, with bogus website addresses?

    Does it only affect certain ISPs or even whole internet backbone providers?

    I suspect that this only affects people who have either had their PCs hacked and have had static entries put in their HOSTS file, or have local DNS servers compromised, or people who normally reconfigure their DNS for other purposes and dont use their ISPs DNS Servers.

    Lets have some more info about how this works in practice shall we El-Reg?

    Cheers.

    I would wager this Dagon character doesn't say, and doesn't really know.

  13. Drew
    Alert

    You're all missing the point!

    This article is about a CLIENT vulnerability!

    The malware is changing the DNS setting at the CLIENT (Windows) to make the CLIENT query the WRONG DNS server. You can secure your DNS server to the point of unplugging it and locking it in a bank vault 5 miles underground and it won't fix this problem. All of the servers are functioning as intended and designed (including the "bad" ones).

    Sure, there are DNS server vulnerabilities (some highlighted above) but THIS IS NOT ONE OF THEM.

    "The malware ... typically involved a single line of code"

    Only Microsoft can fix this, not the sysadmins for 17,000,000 DNS servers.

  14. Anonymous Coward
    Jobs Halo

    Are they really saying.....

    that all malicious code has to do is replace the exiting resolv.conf (linux/unix variants) or the relevant windows file with bogus nameservers?

    This would mean that the 'bogus' namesevers only have to maintain a relevant record for sites they want to spoof i.e.

    www.mybank.com CNAME www.dodgysite.com

    and a forward all other requests to perfectly valid DNS servers. The client machine would then be directed to the dodgysite everytime he requested the DNS info for www.mybank.com. A fairly easy trick I suspect.

  15. Anonymous Coward
    Paris Hilton

    Confused :-| ...a cry for help.

    "They found hundreds of addresses every week that triggered malware that silently changed configuration settings so operating systems, unbeknown to the users, would use the rogue DNS lookups instead of trusted ones."

    @ El Reg: Were you trying to fit the whole essence of the story into one sentence? Why?? I don't understand!

    What I'm guessing all that means is something along the lines of:

    "Malware exists which subverts the host OS's DNS system. People who's machines have *already* been infected with such malware have certain DNS lookup queries routed to rogue DNS servers, possibly resulting in them being invisibly directed to phishing sites and the like."

    Am I right so far?

    Is the malware dynamically routing DNS lookups based on the query string, rather than the standard approach of adding a rogue entry to the HOSTS file? Perhaps to allow ongoing management of the ip addresses the targeted queries get resolved to? Cunning.

    So far so good, I hope! What about the "they found hundreds of addresses every week that triggered malware" bit though? What on earth does the time frame refer to?

    Is it something to do with the rate at which the research was conducted? Did the researchers uncover hundreds of targeted domains during every week of the investigation?

    Or did the researchers discover hundreds of DNS lookups are being directed to the rogue servers every week?

    Or did they discover that hundreds of new, previously un-targeted DNS query strings are being routed to the rogue servers every week?

    Or any number of other interpretations.

    I think I'm seriously confused (QED), can someone please explain to me what this story is all about.

    Am I missing the point entirely?

    I feel like a Paris Hilton at CERN

  16. Gordon Fecyk
    Boffin

    "Open Recursive" defenitions and thanks

    "A open recursive DNS server is a DNS server that will perform recursive queries for any client anywhere."

    So this is what people worry about when they say they can use someone else's DNS server to do lookups.

    Yes, a lot of smaller houses will use as few as two DNS servers, and those servers are often used as both forwarders (and as caches) and as authoritative servers for whatever domain their staff administer. Most DNS servers, BIND included, support this upon installation.

    This could possibly be a bandwidth problem if an unauthorized outsider starts using one's DNS server as a forwarder, but unlike open SMTP servers, using someone else's DNS servers seems like a "victimless crime."

    I have a feeling I'm gonna get hatemail on that last statement so I'll try to clairify... ideally it seems, if you're hosting your own domain and you want a local recursive DNS server, you want two DNS servers at the same site - one hosting the domain and one doing client forwarding and recursion. Barring that, you want a DNS server that can permit forwarding and recursion for authorized client machines only, but still respond to authoritative requests from the outside regarding your own domains.

    ...I think.

    Still, I don't believe an "open recursive" DNS server, by itself, is a major threat to the Internet as a whole. Cache pollution on a recursion-supporting server I can understand, but that's been addressed several patches ago on multiple implementations of DNS. Maybe it's a threat to one's bandwidth and therefore a DDOS target (but HTTP is a DDOS target too) but unless a client's ISP is deliberately being subversive with regards to DNS, I don't see a tangible benefit to using someone else's DNS server for lookups compared to using your own or using your ISP's. If anything, lookups would take much longer.

    In other words, I can pretend to be gordonf@microsoft.com in e-mail if Microsoft left an open SMTP server running, but I can't pretend to host www.microsoft.com on my own machines, and expect people to believe me, just because Microsoft might have two or three open recursive DNS servers that are also authoritative for their domain. At least not any more with cache pollution having been addressed.

  17. joe

    I would imagine

    that the malware writes to the host file on Windows or possibly changing the TCP/IP properties on the host. I agree, a bit of clarification would help though.

  18. Dan Goodin (Written by Reg staff)

    Sorry about the confusion

    Based on the number of comments saying the article is confusing, it's obvious we could have done a better job explaining things. Essentially, XXX is correct when writing:

    "This article is about a CLIENT vulnerability!

    "The malware is changing the DNS setting at the CLIENT (Windows) to make the CLIENT query the WRONG DNS server. You can secure your DNS server to the point of unplugging it and locking it in a bank vault 5 miles underground and it won't fix this problem. All of the servers are functioning as intended and designed (including the "bad" ones).

    "Sure, there are DNS server vulnerabilities (some highlighted above) but THIS IS NOT ONE OF THEM.

    "The malware ... typically involved a single line of code"

    "Only Microsoft can fix this, not the sysadmins for 17,000,000 DNS servers."

    The client vulnerability generally works by changing a single registry setting, rather than altering a victim's hosts file. During any given week while the study was being conducted, the researchers found hundreds of URLs pointing to exploits.

    The questions about recursion and authoritative, vs forwarding DNS servers are beyond my ken, I'm afraid, so I won't touch them.

  19. Glen Turner

    Oh dear

    Dan,

    Whilst it is a client vulnerability, enterprise networks can easily protect their machines. Simply block DNS traffic which does come through the expected forwarder. Then the malware leads to failure rather than to further subversion. The firewall records the addresses of the infected PCs.

    ISPs could do the same, and will need to in the long run when DNS-based DoS attacks become more popular. This won't make some users happy.

    The other journalistic question to ask is why DNSSEC has taken so long to be deployed by the major registries. This is exactly the sort of behaviour that DNSSEC guards against.

    Gordon,

    An open recursive DNS forwarder isn't a "victimless crime". As I documented for AusCERT such a server can be used as a bandwidth multiplier for a denial of service on a third party -- recall that DNS responses are much longer than DNS queries. DNS DoS attacks are difficult for that third party to defend, since traffic shaping incoming DNS throws away good DNS traffic too and DNS retry timeouts are so large that users see very poor performance.

    DNS sysadmin practices are very poor. You will see more DNS-based attacks as DNS is currently the soft target of the Internet infrastructure.

    Best wishes, Glen

This topic is closed for new posts.

Other stories you might like