DNS attack could signal Phishing 2.0
Researchers at Google and the Georgia Institute
of Technology are studying a virtually undetectable form of attack that quietly
controls where victims go on the Internet.
The study, set to be published in February, takes a close look at "open
recursive" DNS servers, which are used to tell computers how to find each
other on the Internet by translating domain names like google.com into numerical
Internet Protocol addresses. Criminals are using these servers in combination
with new attack techniques to develop a new generation of phishing attacks.
The researchers estimate that there are 17 million open-recursive DNS servers
on the Internet, the vast majority of which give accurate information. Unlike
other DNS servers, open-recursive systems will answer all DNS lookup requests
from any computer on the Internet, a feature that makes them particularly useful
for hackers.
The Georgia Tech and Google researchers estimate that as many as 0.4 percent,
or 68,000, open-recursive DNS servers are behaving maliciously, returning false
answers to DNS queries. They also estimate that another two percent of them
provide questionable results. Collectively, these servers are beginning to form
a "second secret authority" for DNS that is undermining the trustworthiness
of the Internet, the researchers warned.
"This is a crime with few witnesses," said David Dagon, a researcher
at Georgia Tech who co-authored the paper. "These hosts are like carnival
barkers. No matter what you ask them, they'll happily direct you to the red
light store, or to a Web server that does nothing more than spray your eyeballs
with ads."
Attacks on the DNS system are not new, and online criminals have been changing
DNS settings in victim's computers for at least four years now, Dagon said.
But only recently have the bad guys lined up the technology and expertise to
reliably launch this particular type of attack in a more widespread way. While
the first such attacks used computer viruses to make these changes, lately attackers
have been relying on Web-based malware.
Here's how an attack would work. A victim would visit a Web site or open a
malicious attachment that would exploit a bug in his computer's software. Attackers
would then change just one file in the Windows registry settings, telling the
PC to go to the criminal's server for all DNS information. If the initial exploit
code was not stopped by antivirus software, the attack would give attackers
virtually undetectable control over the computer.
Once they'd changed the Windows settings, the criminals could take victims
to the correct Web sites most of the time, but then suddenly redirect them to
phishing sites whenever they wanted -- during an online banking session, for
example. Because the attack is happening at the DNS level, anti-phishing software
would not flag the phoney sites.
Or an attacker could simply take complete control over the victim's Internet
experience, Dagon said. "If you look up the address of a Christian Science
Reading Room site, they'll point you to skin exotica," he said. "If
you ask where Google.com is located, they'll point you to a machine in China
selling luggage."
"It's really the ultimate back door," said Chris Rouland, chief technology
officer with IBM's Internet Security Systems division. "All the stuff we've
deployed in the enterprise, it's not going to look for this."
Rouland expects to see more of these DNS attacks launched from Web 2.0 sites
in the coming months, because they make it very easy for people to "mash
up" Web pages from many different sources -- some of whom may be untrustworthy
"This is truly the next generation of phishing," he said.
Preliminary findings by Dagon's team shows that the Web is an important vector
for these attacks. Using Google's network of Web crawlers, researchers uncovered
more than 2,100 Web pages that used exploit code to change the Windows registry
of visitors.
The team's paper, entitled Corrupted DNS Resolution Paths, is set to be published
at the Network and Distributed System Security Symposium (NDSS) in San Diego.
It is co-authored by Chris Lee and Wenke Lee, of Georgia Tech and Niels Provos,
a senior engineer with Google.
Last year Dagon and Wenke Lee, founded a startup called Damballa Inc., which
is developing ways to protect against these types of attacks.
Damballa, which bills itself as an anti-botnet appliance vendor, can identify
compromised machines by tracking whether or not they are communicating with
DNS servers that are known to be malicious.
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
