Australia's Leading Computer Emergency Response Team
DNS Spoofing means war! or not!

Date: 11 July 2008


G'day all,

What a week we have had with the DNS stuff. It is unbelievable how many vendors this affects. Not surprising, I guess, when it affects a core component of networking.

SANS, like so many others, have blogged about it. I'm going to use SANS as a reference merely because it seems to have the most rounded information.

Quoting the SANS blog here:

  • This only affects caching/resolving name servers. Authoritative name servers are not affected as they only send responses and will never receive responses (only queries).
  • The patch will impact your server's performance. Test carefully before patching a very busy server. isc.org mentions 10,000 queries/sec as a problem.
  • For BIND users, there is a non-IETF approved workaround to implement DNSSEC without full PKI. See "DNSSEC Look-aside Validation" for details.
  • The overall issue has been known for a long time, and is a fundamental problem with the way DNS currently works. However, full details about what makes this so special will be revealed at Blackhat. There may be more to it. For example, think about better tools to exploit it and exploits seen in the wild.
  • Please test carefully. At least ZoneAlarm seems to have problems with the respective Microsoft patch. Other firewalls may be "surprised" too by your DNS server all of a sudden changing ports a lot.
  • Don't forget embedded devices. In particular BIND is frequently used as a DNS server on firewalls and routers. If you don't need it: disable it.
  • Stay in touch with your vendors. Please let them know if you experience any issues.

The full article can be found here: http://isc.sans.org/diary.html?storyid=4687. My only comment is about the first point: it also affects clients, or any device or system that uses DNS to resolve domain names to IP addresses.

SANS also mention that this was reported three years ago; here is the whitepaper: http://www.sans.org/reading_room/whitepapers/dns/1567.php
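As an added example (not from the original post, SANS or ISC), here is a small check of whether a caching resolver's outbound queries show the post-patch behaviour the SANS notes describe, namely source ports that vary a lot rather than a single fixed port, alongside non-sequential transaction IDs. The (source_port, transaction_id) samples are constructed; in practice they would come from a packet capture of the resolver, and the thresholds are assumptions.

```python
import math
import random
from collections import Counter

# Constructed samples standing in for the (source_port, transaction_id) pairs a
# caching resolver puts on its outbound queries (not real captures).
RNG = random.Random(2008)
UNPATCHED = [(53, (0x1000 + i) & 0xFFFF) for i in range(200)]   # fixed port, sequential IDs
PATCHED = [(RNG.randrange(1024, 65536), RNG.randrange(65536)) for _ in range(200)]


def entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_resolver(samples, min_port_entropy=6.0, max_sequential=0.1):
    """Summarise how much variety a resolver's outbound queries show (assumed thresholds)."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    sequential = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) % 65536 == 1)
    report = {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits(txids),
        "sequential_txid_ratio": sequential / max(1, len(txids) - 1),
    }
    # Before the patch only the 16-bit transaction ID varied; the patch adds the
    # source port, so both must vary for the fix to be doing its job.
    report["port_randomization_ok"] = report["port_entropy_bits"] >= min_port_entropy
    report["txid_ok"] = report["sequential_txid_ratio"] <= max_sequential
    report["patched_behaviour"] = report["port_randomization_ok"] and report["txid_ok"]
    return report


if __name__ == "__main__":
    for name, samples in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        r = assess_resolver(samples)
        print(f"{name}: {r['distinct_ports']} distinct ports, "
              f"port entropy {r['port_entropy_bits']:.2f} bits, "
              f"sequential txid ratio {r['sequential_txid_ratio']:.2f}, "
              f"patched behaviour: {r['patched_behaviour']}")
```

The distinct-port count is also a useful number to hand to the firewall team, since it shows how many outbound ports they should expect to see from the resolver after patching.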

Also we have seen a few more Storm variants this week. They have topical subject lines such as:

          The begining of The World War III
          Third World War has begun
          Occupation of Iran
          USA attacked Iran
          Iran USA conflict developed into war
          The secret war against Iran

Particularly topical after these news headlines from www.news.com.au:

I can't wait to see the storm subjects for that one!

Storm isn't the only one giving us topical subject lines:

          McCain withdraws from presidential race
          Hugh Hefner releases summer orgy pics
          Hilary Clinton castigated in broad daylight
          Girl found with arms cut off, police investigate
          Cat gouges man's eyes
          Bulgarian diplomat arrested with 0.4kg of plutonium
          4 missing girls found in basement of Iowa house
          Latest gossips on celebrities
          Heath Ledger never saw the Dark Knight
          Angelina jolie shock pregnancy discovery
          Angelina Jolie dies in plane crash
          Search for singing talents
          Clinton withdraws support for Obama
          China fires missle in Taiwan's direction

Please note that this is a clean sample of the subject lines; I removed the ones that make me blush.

All of these have a random message and a URL ending with either /r.html, /video.exe or /video1.exe. If the server has one of the files it usually has all of them. They are reasonably well detected most of the time, often as Exchanger or Nuwar depending on the vendor. Nuwar is also known as Storm, but I'm not sure if this is the same guys doing this. It does have a Storm kind of feel to it in the email structure.

cheers,
Zane