Re: DNS cache poisoning attack

From: Paul A. Wylie (pwylie_at_THEHUNTCORP.COM)
Date: 04/12/05

  • Next message: Abdelhakim Aliane: "Malicious Software Removal Tool"
    Date:         Tue, 12 Apr 2005 08:56:01 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I never posted a follow-up to this to NTBugTraq because I believed it had been rejected from the list.

    I have resolved my issue and I can now state the following unequivocally:

      * Windows 2000 SP3 and SP4 have the "secure cache from pollution"
        option enabled by default (see MS KB 316786), but are still
        vulnerable to poisoning in the scenario described below.
      * Users who have their Windows DNS servers configured to forward
        are vulnerable to poisoning because MS DNS servers ignore the
        "secure cache from pollution" setting when they forward.
      * BIND 4 and BIND 8 are immune to poisoning, but neglect to
        "scrub" poisoned results from responses they send to servers
        that forward to them.

    In other words, if your Windows server forwards to a BIND 8 server, you might get poisoned records from the BIND 8 server, and Windows DNS will trust those results, regardless of whether you've implemented the registry setting recommended in MS KB 241352, or are running Win2k SP3+ or Windows 2003 (any version).

    My problem was caused by this exact scenario. My DNS servers were configured to forward to my ISP's DNS servers. My ISP (AT&T) uses BIND 8. When I contacted them about this, they were unsympathetic and would only recommend that I cease forwarding to them. I have ceased forwarding to AT&T, and as far as I can tell, I'm now immune to the problem.

    For more info, see Kyle Haugsness's excellent writeup at the Internet Storm Center.

    http://isc.sans.org/diary.php?date=2005-04-07

    Also, see Kyle's initial report describing the problem (before the root cause was discovered):

    http://isc.sans.org/presentations/dnspoisoning.php

    Many thanks to the ISC team for thoroughly investigating this issue and delivering a resolution when the rest of the computer security community ignored it.

    -----Original Message-----
    From: Paul A. Wylie
    Sent: Friday, April 01, 2005 10:33 AM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: DNS cache poisoning attack

    Yesterday, I discovered that my clients were being redirected from some of their normally-visited sites to a malware server that purports to be in Laos (in the domain web-search.la). My DNS servers are running on Win2k Server with full patches (according to HFNETCHK). At the time, they were not configured as recommended in MS KB article 241352. I reconfigured the servers, restarted the DNS services and did not see any further DNS poisoning yesterday, so I assumed I had bitten by a problem of my own making.

    Today, however, I've discovered that the DNS cache poisoning continues, and a quick search for the domain web-search.la through Google reveals that the Internet Storm Center at SANS has been tracking this problem and recommends blocking all traffic to 216.127.88.131 and 218.38.13.108.

    You can read more at:

    http://isc.sans.org/diary.php?date=2005-03-30

    http://isc.sans.org/diary.php?date=2005-03-31

    Paul Wylie
    Network Systems Manager
    The Hunt Corporation

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    

  • Next message: Abdelhakim Aliane: "Malicious Software Removal Tool"