Internet Storm Center reaches Yellow Alert


Internet Storm Center reaches Yellow Alert

Postby Oylpann » Tue Apr 05, 2005 12:02 pm

http://isc.sans.org/

I haven't seen the status change on there since MyDoom.

Summary

Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began receiving reports from multiple sites about DNS cache poisoning attacks that were redirecting users to websites hosting malware. As the "Handler on Duty" for March 4, I began investigating the incident over the course of the following hours and days. This report is intended to provide useful details about this incident to the community.

The initial reports showed solid evidence of DNS cache poisoning, but there also seemed to be a spyware/adware/malware component at work. After complete analysis, the attack involved several different technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec firewall/gateway products, default settings on Windows NT4/2000, spyware/adware, and a compromise of at least 5 UNIX webservers. We received information the attack may have started as early as Feb. 22, 2005 but probably only affected a small number of people.

On March 24, we received reports of a different DNS cache poisoning attack. This attack did not appear to affect as many people. This will be referred to as the "second attack" in the remainder of this report.

After monitoring the situation for several weeks now, it has become apparent that the attacker(s) are changing their methods and toolset to point at different compromised servers in an effort to keep the attacks alive. This attack morphed into a similar attack with different IP addresses that users were re-directed toward. This will be referred to as the third attack and is still ongoing as of April 1, 2005.

Before proceeding, a note of thanks is in order for all the people that have submitted reports to us, helped us investigate further, and provided us logs or data. The Internet Storm Center is a volunteer effort and the better information that we receive from the community, the better analysis we can perform and contribute back to the community.

Contents:

1. How can others help?
2. How do I recover from a DNS cache poisoning attack?
3. What software is vulnerable?
4. I am a dial-up/DSL/cable modem user -- am I vulnerable?
5. Where can I test my site to see if I am vulnerable?
6. What exactly is DNS cache poisoning?
7. What was the motivation for this type of attack?
8. Weren't DNS cache poisoning attacks squashed around 8 years ago?
9. What was the trigger for the attack?
10. How exactly did this DNS cache poisoning attack work?
11. What domain names were being hijacked?
12. What were the victim sites?
13. What malware was placed on my machine if I visited the evil servers?
14. Got packets?
15. Got snort?

Read the rest of the report at http://isc.sans.org/presentations/dnspoisoning.php


Increase in Port Activity.
Arno wrote us today to draw our attention to two ports that have shown a big increase in activity in the past few days. Check out ports 8082 (BlackIce Capture) and 20031 (BakBone NetVault). Notice that the 8082 traffic is largely UDP, comes from several thousand sources, but is aimed at less than 200 targets. There is a known issue with NetVault, which accounts for all of the 20031 scanning, but what is going on with BlackIce?


http://isc.sans.org/port_details.php?port=8082
http://isc.sans.org/port_details.php?port=20031


SANS Conference
It has come to our attention that the DNS servers at the hotel where the SANS conference is being held may be poisoned. The only recommendation we can offer until we can fix/correct this is to use a public DNS server that is not vulnerable.

4.2.2.1
4.2.2.2
4.2.2.3
These public DNS servers should work.


Marcus H. Sachs
Handler on Duty
Director, SANS Internet Storm Center


I don't really understand it myself, but I'm sure there are others here that do. :?
"You cant hug your family with Nuclear Arms"

Asus F2A85-V Pro
AMD A10-5800K APU @ 4.5GHz
8GB G. Skill 1866
550w PSU
Hyper 212 Evo
Oylpann
Black Belt 3rd Degree
Posts: 3844
Joined: Wed Nov 10, 2004 7:42 pm
Location: Oklahoma City, OK

Postby Oylpann » Tue Apr 05, 2005 12:38 pm

Here are some more details:

########################################################################
## What exactly is DNS cache poisoning?
########################################################################

Basically, it is a method for an attacker to change the IP address that a
hostname resolves to. For instance the hostname www.cisco.com points to
the IP address 198.133.219.25. A DNS cache poisoning attack allows an
attacker to change the IP address for a host/domain and point it to a
different IP address.

If the above paragraph didn't make any sense, then take a step back and
understand that DNS (Domain Name System) is the method by which you can
resolve a human name like www.google.com into an IP address. An IP
address is a computer's unique location on the Internet. For a very
good explanation of how the global DNS system works, refer to this
article:

http://computer.howstuffworks.com/dns.htm/printable

Second, you must understand that most end-users on the Internet use a
DNS server that is close to them (at their ISP or within their
organization's firewalls) to lookup names for them. For performance
reasons, these DNS servers cache the returned data so that it takes less
time to respond to the next client. If there is a vulnerability or
misconfiguration in the software on these DNS servers, then the cache
poisoning attack is possible. When a victim DNS cache is poisoned, the
attacker will be affecting ALL future lookups of any domain name he
chooses for ALL users of that DNS server. Large ISPs may have thousands
of users referencing a single DNS resolver. So an attack against a
resolver could affect thousands of users, without those users having
done anything wrong.

Here is how the attack works. First, there needs to be a trigger that
forces the victim site's DNS server to query the evil DNS server. There
are several ways to accomplish this. A couple of easy methods are
e-mail to a non-existent user (which will generate an NDR to the source
domain), spam e-mail with an external image, banner ads served from
another site, or perhaps triggering it from a bot network or installed
base of spyware.

Once the trigger executes, the victim's site DNS server queries the evil
DNS server. The attacker includes extra information in the DNS reply
packet. In both attacks, the reply packets contained root entries for
the entire .COM domain. If your DNS server is not configured properly,
then it will accept the new entries for .COM and delete the proper
entries for the Verisign servers (which runs the .COM domain). Once this
has occurred, any future queries that your DNS server makes for .COM
addresses will go to the malicious DNS server. The server can give you
any address it wants. In this attack, any hostname that you request is
returned with a couple of IP addresses that are running a webserver and
attempting to exploit client-side bugs in Internet Explorer to install
spyware.

It is important to note that this attack could be used to hijack other
domain roots besides .COM, like .NET, .ORG, or the country TLDs like .CA
or .DE. The attacker could hijack all of them. A smart attacker would
potentially just hijack specific hostnames and then return the correct
information for all other queries. This type of attack would not be as
noticeable and could potentially be very dangerous.


########################################################################
## What was the motivation for this type of attack?
########################################################################

The motivation for these attacks is very simple: money. The end goal of
the first attack was to install spyware/adware on as many Windows
machines as possible. A good spyware/adware program can generate
significant revenue for the attacker.

There is an excellent write-up by the folks at LURHQ that describes the
pay-per-click (PPC) advertising scheme that is likely behind the
first/third attacks: http://www.lurhq.com/ppc-hijack.html.

The second attack seems to have been launched by a known spammer. But
this is quite a complicated attack for a spammer, so my current theory
is that the attacker(s) are contracting their services for hire.

The motivation for our detailed analysis was because of the DNS cache
poisoning attack, which has the potential for affecting millions of
Internet users and enabling some very dangerous attacks. After
receiving a couple of reliable reports, it became clear to us that we
needed to get to the very bottom of this attack.


########################################################################
## Weren't DNS cache poisoning attacks squashed around 8 years ago?
########################################################################

Taking a trip down memory lane... Cache poisoning has been around for a
very long time. There have been unfortunate bugs in BIND and there have
been design flaws. The DJB fans will note that djbdns has been secure
against cache poisoning for a long time, too.

Basically, the UNIX-based stuff has been secure against cache poisoning
for quite some time, but there may always be a bug or design flaw that
is discovered. We are not quite sure why Microsoft left a default
configuration to be insecure in NT4 and 2000. (Exercise to reader:
insert Microsoft security comment/opinion/joke here, but keep it to
yourself).


########################################################################
## What was the trigger for the attack?
########################################################################

We haven't been able to isolate the exact trigger for either attack.
There are several methods to trigger a DNS lookup to a malicious DNS
server. There are so many methods to do so, that it doesn't really
matter. It can be accomplished easily, so instead of focusing on the
trigger, security/system administrators should focus on securing their
DNS software.


########################################################################
## How exactly did this DNS cache poisoning attack work?
########################################################################

During the first attack (around Feb 22 to Mar 12, 2005), victims were
being re-directed to one of 3 servers: 217.160.169.87, 207.44.240.79,
216.127.88.131. The domain names for these servers were: www.7sir7.com,
123xxl.com, and abx4.com. These domain names were purchased just prior
to the attack being launched. All of the IP addresses above were UNIX
machines at colocation/web-hosting companies that were compromised.
Most people observed the re-direction because their web-surfing was
obviously affected. But we also received reports of e-mails getting
bounced and subsequent investigation of log files from those machines
indicated that FTP logins, IMAP/POP logins, and SSH traffic were being
re-directed also. The attacker had uploaded to the compromised UNIX
machines two client-side exploits for Internet Explorer. So when users
were re-directed to those servers, the exploit would be launched and if
successful, the victim would be infected with a spyware program.

During the second attack (March 25), there were two malicious DNS
servers that were re-directing people. The malicious DNS servers were
222.47.183.18 and 222.47.122.203. These DNS servers were re-directing
people to themselves, where a website selling popular prescription
medication was found. These webservers did not host any malicious
content. Instead, this was more the work of a spammer. Future
investigation into the IP addresses and domain names registered to those
IP addresses indicate that these servers are probably owned by a spammer
with over 300 domain names registered. It should be noted that the
website advertised indicated "megapowerpills.com", however there is a
real website with that name that is operated on a different IP address.

The third attack is really a continuation of the first attack (March 25
- April 1, 2005), with the same goal of installing a spyware program.
One of the machines from the first attack (216.127.88.131) was never
cleaned-up properly and the attacker came back and changed the poisoning
tool. This time, the DNS server gave out the following IP addresses:
209.123.63.168, 64.21.61.5, 205.162.201.11. All of these servers hosted
the same simple webpage, which redirected people to the following URLs
(which we have neutered):

vparivalka .org /G7 /anticheatsys.php?id=36381
find-it .web-search .la

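The mechanism the quoted report describes (a reply for one domain carrying NS records for all of .COM, which an unsafe resolver then caches) is exactly what a "bailiwick" check on the authority and additional sections prevents. The following is an added example, not code from the ISC report or this thread: a minimal filter of that kind, run over a constructed reply. The zone, host names and 192.0.2.x addresses are made up for illustration.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class RR:
    owner: str     # owner name of the record, e.g. "com."
    rtype: str     # record type, e.g. "NS" or "A"
    rdata: str     # record data (a name for NS, an address for A)
    section: str   # "answer", "authority" or "additional"

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex itself or lies below it.
    An empty zone means the root, which covers every name."""
    name, zone = _norm(name), _norm(zone)
    return zone == "" or name == zone or name.endswith("." + zone)

def sanitize_reply(qname: str, zone: str, reply: List[RR]) -> List[RR]:
    """Drop records the queried server has no authority to supply.
    `zone` is the delegation that led the resolver to this server. The
    attack in the report relied on resolvers skipping this check and
    caching NS records for .COM handed out by a server that was only
    delegated some unrelated domain."""
    kept = []
    for rr in reply:
        if rr.section == "answer":
            ok = _norm(rr.owner) == _norm(qname) and in_bailiwick(rr.owner, zone)
        else:
            ok = in_bailiwick(rr.owner, zone)
        if ok:
            kept.append(rr)
    return kept

# Constructed reply from a hypothetical server that is only authoritative
# for "attacker-dom.test" (reserved .test TLD, 192.0.2.0/24 documentation
# range); it tries to smuggle in a delegation for all of .COM.
POISONED_REPLY = [
    RR("mail.attacker-dom.test.", "A", "192.0.2.10", "answer"),
    RR("attacker-dom.test.", "NS", "ns1.attacker-dom.test.", "authority"),
    RR("com.", "NS", "ns1.attacker-dom.test.", "authority"),   # the poison
    RR("ns1.attacker-dom.test.", "A", "192.0.2.53", "additional"),
    RR("www.example.com.", "A", "192.0.2.66", "additional"),   # also poison
]

if __name__ == "__main__":
    for rr in sanitize_reply("mail.attacker-dom.test.", "attacker-dom.test", POISONED_REPLY):
        print(rr.section, rr.owner, rr.rtype, rr.rdata)
```

Only the three records inside attacker-dom.test survive; the ".COM" NS record and the unrelated A record are discarded, so nothing from this reply can steer later .COM lookups.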

