ICANN/GNSO GNSO Email List Archives

[ga]


<<< Chronological Index >>>    <<< Thread Index >>>

RE: [ga] Rogue (Fraudulent) DNS Servers?

  • To: <matthew@xxxxxxxxxx>, <ga@xxxxxxxxxxxxxx>
  • Subject: RE: [ga] Rogue (Fraudulent) DNS Servers?
  • From: "Debbie Garside" <debbie@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 12 Dec 2007 17:22:07 -0000

Hi Matthew
 
Maybe the answer is to use something like a sand box
(http://www.sandboxie.com/) to surf the web :-)  That way no changes to the
registry can be made.
 
Best regards
 
Debbie Garside
 


  _____  

From: owner-ga@xxxxxxxxxxxxxx [mailto:owner-ga@xxxxxxxxxxxxxx] On Behalf Of
Matthew Pemble
Sent: 12 December 2007 09:12
To: ga@xxxxxxxxxxxxxx
Subject: [ga] Rogue (Fraudulent) DNS Servers?


Folks,

I assume we will actually have to wait for the survey - it bears the
question that has been posed here before - what is the correct response to a
DNS query and that is clearly context dependent (using the ICANN root, using
a default root, on the internet or an internal network, etc.) 

http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html

By Robert McMillan
IDG News Service
December 11, 2007

Researchers at Google and the Georgia Institute of Technology are
studying a virtually undetectable form of attack that quietly controls
where victims go on the Internet. 

The study, set to be published in February, takes a close look at "open
recursive" DNS servers, which are used to tell computers how to find
each other on the Internet by translating domain names such as 
google.com into numerical IP addresses. Criminals are using these
servers in combination with new attack techniques to develop a new
generation of phishing attacks.

The researchers estimate that there are 17 million open-recursive DNS 
servers on the Internet, the vast majority of which give accurate
information. Unlike other DNS servers, open-recursive systems will
answer all DNS lookup requests from any computer on the Internet, a
feature that makes them particularly useful for hackers. 

Georgia Tech's and Google's researchers estimate that as many as 0.4
percent, or 68,000, open-recursive DNS servers are behaving maliciously,
returning false answers to DNS queries. They also estimate that another 
2 percent of them provide questionable results. Collectively, these
servers are beginning to form a "second secret authority" for DNS that
is undermining the trustworthiness of the Internet, the researchers 
warned.

"This is a crime with few witnesses," said David Dagon, a researcher at
Georgia Tech who co-authored the paper. "These hosts are like carnival
barkers. No matter what you ask them, they'll happily direct you to the 
red light store, or to a Web server that does nothing more than spray
your eyeballs with ads."

Attacks on the DNS system are not new, and online criminals have been
changing DNS settings in victims' computers for at least four years now,
Dagon said. But only recently have the bad guys lined up the technology
and expertise to reliably launch this particular type of attack in a
more widespread way. While the first such attacks used computer viruses 
to make these changes, lately attackers have been relying on Web-based
malware.

Here's how an attack would work. A victim would visit a Web site or open
a malicious attachment that would exploit a bug in his computer's 
software. Attackers would then change just one file in the Windows
registry settings, telling the PC to go to the criminal's server for all
DNS information. If the initial exploit code was not stopped by
anti-virus software, the attack would give attackers virtually
undetectable control over the computer.

Once they'd changed the Windows settings, the criminals could take
victims to the correct Web sites most of the time, but then suddenly 
redirect them to phishing sites whenever they wanted -- during an online
banking session, for example. Because the attack is happening at the DNS
level, anti-phishing software would not flag the phoney sites.

Or an attacker could simply take complete control over the victim's
Internet experience, Dagon said. "If you look up the address of a
Christian Science Reading Room site, they'll point you to skin exotica," 
he said. "If you ask where Google.com is located, they'll point you to a
machine in China selling luggage."

"It's really the ultimate back door," said Chris Rouland, chief 
technology officer with IBM's Internet Security Systems division. "All
the stuff we've deployed in the enterprise, it's not going to look for
this."

Rouland expects to see more of these DNS attacks launched from Web 2.0
sites in the coming months, because they make it very easy for people to
"mash up" Web pages from many different sources -- some of which may be
untrustworthy. "This is truly the next generation of phishing," he said. 

Preliminary findings by Dagon's team show that the Web is an important
vector for these attacks. Using Google's network of Web crawlers,
researchers uncovered more than 2,100 Web pages that used exploit code 
to change the Windows registry of visitors.

The team's paper, entitled Corrupted DNS Resolution Paths, is set to be
published at the Network and Distributed System Security Symposium
(NDSS) in San Diego. It is co-authored by Chris Lee and Wenke Lee of
Georgia Tech, and Niels Provos, a senior engineer with Google.

Last year Dagon and Wenke Lee founded a startup called Damballa, which
is developing ways to protect against these types of attacks.

Damballa, which bills itself as an anti-botnet appliance vendor, can 
identify compromised machines by tracking whether or not they are
communicating with DNS servers that are known to be malicious.

--

Matthew Pemble
Technical Director, Idrach Ltd
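
Added example (not part of the original message or the quoted article): the article describes compromised PCs being repointed at a rogue resolver and says such machines can be spotted by the DNS servers they talk to. The sketch below applies that idea to network flow records, flagging internal clients that send DNS traffic anywhere other than the site's approved resolvers. The addresses, the approved and known-rogue lists, the flow record format and the function name are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's sanctioned recursive resolvers (constructed addresses).
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"),
                      ipaddress.ip_address("10.0.1.53")}
# Assumption: a locally maintained list of resolvers known to return false answers.
KNOWN_ROGUE = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: time, source, destination, destination port, protocol.
SAMPLE_FLOWS = """\
2007-12-12T09:00:01 10.0.5.20 10.0.0.53 53 udp
2007-12-12T09:00:02 10.0.5.21 203.0.113.7 53 udp
2007-12-12T09:00:03 10.0.5.21 203.0.113.7 53 udp
2007-12-12T09:00:04 10.0.5.22 198.51.100.9 53 tcp
2007-12-12T09:00:05 10.0.5.22 198.51.100.9 443 tcp
2007-12-12T09:00:06 10.0.0.53 192.0.2.1 53 udp
malformed line
"""

def find_offpath_dns(flow_text):
    """Return {client: {resolver: (flow_count, verdict)}} for DNS sent off the approved path."""
    findings = defaultdict(dict)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        _, src, dst, dport, proto = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if dport != "53" or proto not in ("udp", "tcp"):
            continue  # not DNS
        # Approved resolvers legitimately query outside servers; ignore them
        # and anything that is not one of our own clients.
        if src_ip in APPROVED_RESOLVERS or src_ip not in INTERNAL:
            continue
        if dst_ip in APPROVED_RESOLVERS:
            continue  # client is using the sanctioned path
        verdict = "known-rogue" if any(dst_ip in n for n in KNOWN_ROGUE) else "unapproved"
        count = findings[src][dst][0] + 1 if dst in findings[src] else 1
        findings[src][dst] = (count, verdict)
    return dict(findings)

if __name__ == "__main__":
    for client, resolvers in find_offpath_dns(SAMPLE_FLOWS).items():
        print(client, resolvers)
```

A client flagged here is a candidate for checking its configured DNS server settings, since a changed resolver setting is the only trace the article says this kind of compromise leaves.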



