Australia's Leading Computer Emergency Response Team

DNS Spoofing means war! or not!
Date: 11 July 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9570


G'day all,

What a week we have had with the DNS stuff. It is unbelievable how many vendors this affects. Not suprising I guess when it affects a core component of networking.

SANS, like so many others, have blogged about it. I'm going to use SANS as a reference merely for the fact it seems to have the most rounded information.

Quoting SANS blog here:

  • This only affects caching/resolving name servers. Authoritative name servers are not affected as they only send responses and will never receive responses (only queries).
  • The patch will impact your servers performance. Test carefully before patching a very busy server. isc.org mentions 10,000 querries/sec as a problem.
  • For BIND users, there is a non-IETF approved workaround to implement DNSSEC without full PKI. See "DNSSEC Look-aside Validation" for details.
  • The overall issue has been known for a long time, and is a fundamental problem with the way DNS currently works. However, full details about what makes this so special will be revealed at Blackhat. There may be more to it. For example think about better tools to exploit it and exploits see in the wild.
  • Please test carefully. At least Zonealarm seems to have problems with the respective Microsoft patch. Other firewalls may be "surprised" too by your DNS server all for sudden changing ports a lot.
  • Don't forget embedded devices. In particular BIND is frequently used as a DNS server on firewalls and routers. If you don't need it: disable it.
  • Stay in touch with your vendors. Please let them know if you experience any issues.

Full article can be found here: http://isc.sans.org/diary.html?storyid=4687. My only comment is about the first point, it also affects clients, or any device and system that uses DNS as a way to resolve Domain Names to IP Addresses.

SANS also mention that this was reported three years ago, here is the whitepaper: http://www.sans.org/reading_room/whitepapers/dns/1567.php

Also we have seen a few more Storm variants this week. They have topical subject lines such as: 

          The begining of The World War III
          Third World War has begun
          Occupation of Iran
          USA attacked Iran
          Iran USA conflict developed into war
          The secret war against Iran

Particularly topical after these news headlines from www.news.com.au:

I can't wait to see the storm subjects for that one!

Storm isn't the only one giving us topical subject lines 

          McCain withdraws from presidential race
          Hugh Hefner releases summer orgy pics
          Hilary Clinton castigated in broad daylight
          Girl found with arms cut off, police investigate
          Cat gouges man's eyes
          Bulgarian diplomat arrested with 0.4kg of plutonium
          4 missing girls found in basement of Iowa house
          Latest gossips on celebrities
          Heath Ledger never saw the Dark Knight
          Angelina jolie shock pregnancy discovery
          Angelina Jolie dies in plane crash
          Search for singing talents
          Clinton withdraws support for Obama
          China fires missle in Taiwan's direction

Please note, that this is a clean sample of the subject lines, I removed the ones that make me blush.

All of these have a random message and a URL ending with either /r.html or /video.exe or /video1.exe. If the server has one of the files it usually has all of the files. They are reasonably well detected most of the time. Often detected as Exchanger or Nuwar depending of the Vendor. Nuwar is also known as Storm. But I'm not sure if this is the same guys doing this. It does have a Storm kind of feel to it in the email structure.

cheers,
Zane