Posted on 04/06/2005 3:35:31 PM PDT by Eagle9
The DNS cache poisoning that first struck more than a month ago and led to users being redirected from popular Web sites to malicious sites that infected their machines with spyware, is continuing, said the Internet Storm Center (ISC) Wednesday. The attacks are taking advantage of vulnerabilities and design flaws in Microsoft server software.
DNS cache poisoning occurs when an attacker hacks into a domain name server, one of the machines that translate URLs such as www.techweb.com into the appropriate IP address. The attacker then "poisons" the server by planting counterfeit data in the cache of the name server. When a user requests, say, techweb.com, and the IP address is resolved by the hacked domain server, the bogus data is fed back to the browser and the user is directed to another Web site, not the intended destination.
To highlight the danger, the ISC raised its Homeland Security-esque alert color code from Green to Yellow. According to ISC, Yellow represents that "we are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact would be significant."
To set the DNS cache poisoning threat in perspective, Yellow is the same alert color code that ISC used during the SQL Slammer, MSBlast, and Sasser worm outbreaks, three of the nastiest in the last two years.
The newest attack, said Kyle Haugsness, one of the ISC analysts, is actually the third since March 4. Like the initial attack, the motivation is certainly money, since the result is again the installation of mass quantities of spyware on victims' PCs.
"The motivation for these attacks is very simple: money," Haugsness said. "The end goal of the first attack was to install spyware/adware on as many Windows machines as possible."
The second attack, he continued, "seems to have been launched by a known spammer," said Haugsness. That second attack, which took place starting March 24, redirected users from legit sites to sites selling prescription drugs.
Initially, Haugsness and the other ISC analysts thought that a DNS cache poisoning attack was beyond the skills of most spammers -- and so might be proof that the original attackers were contracting their services, but now he said "they might be completely unrelated. In fact, one of the things we discovered after looking into these attacks is just how easy they are to carry off."
The third, and still-ongoing attack, which began March 25, has the same goal -- install spyware -- as the first, said Haugsness. One of the DNS servers involved in the early-March attack wasn't cleaned up properly, and the attacker returned and changed the poisoning tool.
"Right now this is still going on," said Haugsness. "The attackers are changing IP addresses around and poisoning other DNS servers [to stay ahead of security authorities]."
Among the domains included in one of the poisoned DNS servers during the first attack were major sites such as americanexpress.com, cnn.com, redhat.com, and msn.com. "These [665] domains' organizations did not have their DNS caches poisoned; these organizations were not compromised, although it is possible that customers of these sites unknowingly gave out login information or personal information to the malicious servers," wrote Haugsness in a long report posted on the ISC site about the attacks.
Although there's essentially nothing an end-user can do to protect him- or herself -- other than to regularly sweep the system for spyware and/or have real-time anti-spyware defenses up and running -- DNS server administrators, particularly those in enterprises, should scramble.
Windows-based DNS servers are particularly vulnerable, since Windows NT Server 4.0 and Windows 2000 Server prior to SP3 are insecure against DNS cache poisoning attacks. Windows 2000 Server SP3 and later, as well as Windows Server 2003, are configured securely by default. (For more information, see this Microsoft Knowledgebase article.)
Other vulnerable users are those running various Symantec gateway security products who haven't patched bugs the Cupertino, Calif.-based vendor released in mid-March.
But the entire Windows server software platform -- including properly configured NT/2000 and 2003 systems -- seems to have an architectural design flaw, said Haugsness, that makes them vulnerable to cache poisoning attacks. He said ISC was working with Microsoft to pin down the exact cause.
"This is a lot easier to do than we thought," said Haugsness, who noted that cache poisoning isn't new. "That's the main reason we went out there with this, and bumped up to Yellow.
"What's scarier is that this could be used in lot more subtle fashion, to make it difficult, or even impossible to detect."
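The article describes a resolver caching whatever counterfeit records a remote server hands back. As an added illustration (not from the article or ISC), the block below models the resolver-side defence: only records inside the answering server's bailiwick are cached, so out-of-zone "extra" records for unrelated names are dropped. All zone names, hostnames and addresses are constructed.

```python
"""Minimal model of bailiwick checking in a recursive resolver.

A resolver that caches every record a remote name server returns can be fed
bogus records for unrelated domains.  Keeping only records whose owner name
falls under the zone that server is authoritative for blocks that injection.
All records below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "www.example.test"
    rtype: str  # record type, e.g. "A" or "NS"
    data: str   # rdata, e.g. an IPv4 address


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` equals `zone` or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a reply into records safe to cache and records to discard.

    `zone` is the zone the answering server is authoritative for; anything
    outside it (e.g. an A record for some bank's hostname) must not be cached.
    """
    accepted = [rr for rr in records if in_bailiwick(rr.name, zone)]
    rejected = [rr for rr in records if not in_bailiwick(rr.name, zone)]
    return accepted, rejected


def poison_attempt_example() -> dict[str, int]:
    """Constructed reply from the server for "attacker-zone.test" (hypothetical zone)."""
    zone = "attacker-zone.test"
    reply = [
        RR("www.attacker-zone.test", "A", "192.0.2.10"),          # legitimate
        RR("attacker-zone.test", "NS", "ns1.attacker-zone.test"),  # legitimate
        RR("www.bank.example", "A", "192.0.2.66"),                 # out of zone
        RR("news.example", "A", "192.0.2.66"),                     # out of zone
        RR("attacker-zone.test.evil.example", "A", "192.0.2.66"),  # prefix trick
    ]
    accepted, rejected = filter_response(zone, reply)
    return {"accepted": len(accepted), "rejected": len(rejected)}
```

The last record shows why the check must compare whole labels from the right: a naive prefix match on the zone string would let it through.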
I don't know. See post #19.
Here's my "best of Links"--
Browser Wars, take two various FR links | 12-22-04 | The Heavy Equipment Guy http://www.freerepublic.com/focus/f-news/1306815/posts
...and let your compiler of links drop out of Lurk & Link mode for comment and advice: Ditch IE. Honest to God, almost anything else will give you fewer problems. Try and compare- use IE, then run Ad-Aware and Spybot Search & Destroy... then try another browser and repeat. You will be stunned at the garbage IE attracts. Keep your OS updated & patched. Run a hardware firewall-- with today's LAN's, it's easy. You need a hardware firewall. Use a software firewall, too-- if you don't, you'll never know how many times your PC is trying to "phone home" and send your info across the web.
The SWI forum listed above is very good at helping disinfect your PC, but be advised you have to register, learn what they need you to do first in the "pinned" posts at the top of the forum... and they are badly overloaded. It helps to use a cute female screen name. They have links to similar forums if you are so inclined to try a different one.
It may be faster to fdisk, reformat, and reinstall, provided you have backups of cookies, data files, etc.
All the stuff I have on this subject is here, go to the last & work back to get the latest:
A sample excerpt:
Re: Updating my address book - Virus alert
To Brad's Gramma | 03/08/2005 2:19:05 AM EST sent
Nancy, the two best free antiviruses that I have used and suggest others try are AVG and Avast! You can always try having a friend with a CD or DVD burner download & burn a copy if you have technical problems getting online, or are reluctant to DL online yourself. ( also see "PS" at bottom )--
http://www.grisoft.com/us/us_index.php
http://www.avast.com/eng/avast_4_home2.html
One or the other ( it is not recommended running more than one at a time ) is about as good as the store-bought programs like McAfee or Norton. Some claim they are better, and I am inclined to agree. Smaller, less intrusive.
In addition, it is not a bad idea to check occasionally with an online scan- sometimes one will catch something the others miss.
The most thorough is Trendmicro ( virus, trojan, spyware and security holes )--
http://housecall-beta.trendmicro.com/en/start_corp.asp
Some other good ones:
http://security.symantec.com/ssc/home.asp?j=1&langid=us&venid=sym&plfid=22&pkj=CUXVBXUQIZQVMUYTACD
http://www.rav.ro/scan/indexn.php
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/license.php
Also, most antivirus software ( except for trend ) does not detect spyware, so you need something on the HD that does-- Microsoft's Antispyware ( search their homepage ) is very, very good. Ad-Aware SE by Lavasoft is well thought of:
http://www.lavasoftusa.com/software/adaware/
Be sure to use the "full system scan"-- you need to check everything.
Do not use MS Internet Explorer, except for the sites ( like MS! ) that won't accept anything else-- get FireFox, or Opera, or even Netscape. IE is a popup and virus magnet.
You need a hardware firewall, too. How? Set up a home network, either wired or wireless. Even if you have only one PC, put it behind a modern Ethernet router-- all the new ones have a NAT firewall, and it filters out a load of garbage. Every hour, my router's logs show dozens of "unrecognized attempts" by random port scans. You won't know how many intrusions are tried until you get a LAN ( local area network ) and see the logs. It's awful out there in 'netland nowadays.
No, I'm not really a Geek- Just an old Keyboard Cowboy ( going back to vacuum tubes ) who learned a lot from others while Ridin' the Trakball into the Dawn of the Information Age.
John R
PS-- regarding this:
"THIS one I'm using..........the D drive doesn't work.
The laptop? Doesn't have a CD writer program on it worth a dip....yes. I already tried. "
One workaround is to get a jump drive ( a RAM stick that plugs into a USB port ) and download software to it-- when you start a DL, you can specify where you want it saved, so just enter D: or whatever your PC "sees" the jump drive as. Jump drives are dirt cheap nowadays- look for a closeout or special.
Good luck-- the people who write or propagate viruses, spyware, and spam should be triple fined, jailed, and publicly horsewhipped-- they are wrecking the 'net for everyone else.
Thanks.
Hope it made enough sense- wife & dog are driving me nuts this evening, needing stuff... let's see, take the wife out in the yard, wrap a heating pad around Dog's neck... amoxicillin goes to which one? Then there are the ear drops...
best to download all programs you want, then put the pc into safe mode to run them....
on a reboot, hold down F8 till it squeals...then choose safe mode, you'll see a different desktop, don't worry - then run them, re-boot after each program finishes cleaning. go back into safe mode for the next program, etc.
yer the best.
If you're running WinXP or WinME, first turn off your "System Restore." Then reboot your system into safe mode, and run your anti-spyware software to see if it gets rid of it.
If that doesn't work, let us know, it's going to be more complicated.
Mark
In some cases, even safe mode won't do it... In those cases, you either need to boot the system to a Barts PE CD, or remove the hard drive, and install it as a secondary drive in a known, CLEAN system, and run all the spyware and virus removal tools.
It can get really ugly.
Mark
How do I Boot into Safe Mode w/Internet Explorer? Thanks
XP or 2000 will give you several choices - one will be 'safe mode with network support'
You boot into Safe Mode with your operating system.
If you're running XP, reboot and while it's booting up, keep hitting the F8 key until you see a black screen with white text.
This screen will present you with a bunch of boot options. Choose "Safe Mode" and hit enter and it will boot. You might not see all your desktop icons and your screen may be in a different resolution but don't worry.
Access your spyware tools via Start>Programs.
After using these, reboot normally.
Good luck.
The simple answer is "no". Yes, it is possible that someday in the future there will be attacks against Macs, but at the moment, the best thing you could do is get the hell off of Microsoft software and either install Linux or Mac OS X. Either will keep you safer than any version of Windows.
4.5 years and counting with no viruses or malware in the wild...
Hijack This will kill it for you. Here's a link: Major Geeks.com - Highjack This
It's free and it works. Other helpful software links are included at the Major Geeks website.
That's a great idea, but can still be hacked around. I'd say such attacks would be more effective if they targeted the end user's machines with the bad DNS mappings.
No matter what is done to protect the DNS servers, if such things are done to C:\WINDOWS\system32\drivers\etc\hosts on clients it would be a lot harder to control globally because the end host will look to the bad addresses without even looking at a monitored DNS server. Having said that, I wonder why they aren't doing it!
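The post above points out that a tampered hosts file bypasses the DNS server entirely, so a defender has to check the client too. As an added example (not from the thread), the block below parses Windows-style hosts content and flags watched names mapped to anything other than a loopback address. The hosts text and the watch list are constructed.

```python
"""Flag hosts-file entries that redirect watched names to routable addresses.

Loopback mappings are the common, benign "block this host" pattern; a watched
name pointing at a routable address bypasses DNS and deserves investigation.
The sample content imitates a tampered copy of the Windows hosts file.
"""
import ipaddress

# Constructed hosts content; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.66      www.bank.example bank.example   # injected
192.0.2.66      update.vendor.example
10.0.0.5        intranet.corp.example
"""

# Hypothetical list of domains whose client-side mappings we care about.
WATCHED_SUFFIXES = ("bank.example", "vendor.example")


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # malformed address: skip rather than trust the line
        pairs.extend((fields[0], host.lower()) for host in fields[1:])
    return pairs


def suspicious_entries(text: str, watched=WATCHED_SUFFIXES) -> list[tuple[str, str]]:
    """Watched names mapped to a non-loopback address, in file order."""
    flagged = []
    for addr, host in parse_hosts(text):
        if ipaddress.ip_address(addr).is_loopback:
            continue
        if any(host == s or host.endswith("." + s) for s in watched):
            flagged.append((addr, host))
    return flagged
```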
After 20+ years in the industry I pride myself on being fairly aware of such dangers, but just yesterday I put a new hard disk in a system, installed Windows XP and foolishly installed the networking before I installed service pack 2, the firewall and anti-virus software.
While downloading Verizon's Online DSL and MSN Premium, I picked up a virus. My only contact with the internet was to make initial contact with my provider and the system was infected. It took me a while to figure out what had happened and soon I had lost a day's work.
They could put these punks away for 20 to life and I wouldn't think it was overkill.
Turn off system restore, clean out your temp files, empty your Internet files and cookies, and use FireFox.
It might not be a bad idea to do all this in "Safe Mode".