The risk of suffering a security breach while browsing the Web has gone up due to compromised Domain Name System (DNS) servers and malicious syndicated online advertising networks, according to reports released this week authored by a researcher at search giant Google and others.

Domain Name System Exploit

Niels Provos, a member of Google's Anti-Malware Team charged with combating malicious computer code on the Web, and Georgia Tech researchers Chris Lee, David Dagon and Wenke Lee jointly authored a study entitled "Corrupted DNS Resolution Paths," which was formally presented Monday at the Internet Society's Network and Distributed System Security Symposium (NDSS) being held in San Diego. The study, which was informally released in December 2007, reveals methods that have increasingly exploited loopholes in certain DNS servers, which play a vital behind-the-scenes role in the Web by converting alphanumeric domain names into the Internet Protocol (IP) addresses used to route all Internet traffic. The loopholes in the DNS system could just as easily be used to bilk large corporations or individual computer users out of large sums of money using so-called phishing schemes that incorporate the techniques described in the study, which are presently not detectable by traditional anti-virus or other security software. Paul Mockapetris, the architect behind the DNS system and chief scientist and chairman at network naming firm Nominum, sees it as only a matter of time before such large losses occur due to the DNS exploit presented in the study. "This report demonstrates that people are getting lured out to dark alleyways of the Internet. The actual damage isn't documented here, but it will be," Mockapetris said in a recent Dark Reading article. Most computers connecting to the Internet use several DNS servers, typically those operated by their Internet provider, to correctly route all Web browsing sessions.
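Because a computer trusts whatever resolvers it has been handed, a practical check for the resolution path corruption the study describes is to query a given resolver directly for a handful of sensitive names and compare its answers with a trusted reference. The following Python script is an added example, not code from the study or from Google; it builds and parses DNS A queries in RFC 1035 wire format, and the "misdirected" rule (a resolver answers a name with no address that the reference knows) is this example's own assumption rather than the study's classification criteria. The resolver names, TEST-NET addresses and the simulated rogue resolver, which answers most names correctly and misdirects one, are constructed for the offline demonstration in demo(); resolve_a() sends the same query to a real resolver over the network.

```python
"""Resolution-path check: query one resolver directly and compare its
answers against a trusted reference. Added example, not the study's code;
the misdirection rule below is an assumption, not the study's criteria."""
import random
import socket
import struct


def encode_name(name):
    """Encode a hostname in DNS label format (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=None):
    """Return (wire bytes, transaction id) for a recursive A/IN query."""
    if qid is None:
        qid = random.randrange(0, 1 << 16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1), qid


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, seen = [], None, set()
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if offset in seen:
                raise ValueError("compression loop")
            seen.add(offset)
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_a_records(msg, expected_id):
    """Return the set of IPv4 addresses in the answer section."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:  # non-zero RCODE: no usable answer
        return set()
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    ips = set()
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.add(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return ips


def resolve_a(server, name, timeout=2.0):
    """Send the query to one specific resolver over UDP/53 (network required)."""
    query, qid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def find_misdirected(answers, reference):
    """Names the resolver answered with no address in the trusted set.
    Unanswered names are not counted as misdirection (assumed rule)."""
    return sorted(n for n, ips in answers.items()
                  if ips and not (ips & reference.get(n, set())))


def build_response(qid, name, ips):
    """Constructed response message, used only for the offline demo."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers


def demo():
    """Simulate an honest and a rogue resolver against a constructed reference."""
    reference = {"bank.example": {"192.0.2.10"}, "mail.example": {"192.0.2.20"}}
    honest = {n: parse_a_records(build_response(7, n, sorted(ips)), 7)
              for n, ips in reference.items()}
    # Rogue resolver: most names resolve correctly, one is sent elsewhere.
    rogue_raw = {"bank.example": ["198.51.100.9"], "mail.example": ["192.0.2.20"]}
    rogue = {n: parse_a_records(build_response(7, n, ips), 7)
             for n, ips in rogue_raw.items()}
    return find_misdirected(honest, reference), find_misdirected(rogue, reference)


if __name__ == "__main__":
    print(demo())  # ([], ['bank.example'])
```

Running resolve_a() against the resolvers a machine is actually configured with, for names whose correct addresses are known from an independent source, gives the comparison the demo simulates; a resolver that answers every name correctly except one is exactly the case the study describes, and a plain connectivity test would not notice it.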
The study shows how certain poorly administered DNS servers have been compromised and used to route Web browsers to sites containing malicious code which could then, by taking advantage of browser or browser add-on software exploits, infect a person's computer and change it to use a malicious DNS server. Compromised DNS servers typically allow people to browse correctly to enough Web sites that things appear normal; at some point, however, when the user tries to reach a particular site, the rogue DNS server sends them to a malicious site instead.

68,000 Affected Open-Recursive DNS Servers Noted

The study focused on one particular type of DNS server, known as open-recursive DNS servers, which allow queries from any other computer, although the exploit could also affect the more common closed DNS servers. Among the 17 million open-recursive DNS servers that are part of the structure of the Internet, the study found some 68,000, or 0.4 percent, had been compromised to some extent and sent Web queries to the wrong destination. The study determined that an additional two percent of open-recursive DNS servers provide "questionable" results. While attackers exploiting DNS servers are not a new phenomenon - various types of DNS attacks have been around for years - the attacks noted in the study are the first to widely use web-based malware to make DNS changes. More people than ever use laptops connected to the Internet via public WiFi networks served by whichever DNS servers their administrators have set up, leaving the door open for potential exposure to what the study calls DNS resolution path corruption.

Syndicated Online Advertising Network Exploit

Provos and Google colleague Panayiotis Mavrommatis were joined by Johns Hopkins University computer scientists Fabian Monrose and Moheeb Abu Rajab in jointly authoring a separate report that shows an increase in computer infections caused by common Web browsing and searching tasks.
The study, which was published Tuesday at the NDSS, stems from an 18-month period during which the researchers tracked billions of Web sites to find malicious ones. It found over 3 million malicious Web pages on over 180,000 Web sites that attempted to execute malware on visitors' computers. The study found that syndicated online advertising networks, such as those operated by Google and some 2,000 other firms, in some cases contributed to the distribution of malware. Two percent of the dangerous Web sites the study encountered were attempting to install malware using methods involving syndicated online advertising networks, which can display ads from a chain of partners. "Clearly, it is increasingly difficult to maintain trust along such long delivery chains," according to the study published Tuesday. The study places considerable blame on lax system administrators who do not update the software running on their servers, and found that more than twice as many Microsoft IIS Web servers were attempting to install malware as UNIX- or Linux-based Apache Web servers - numbering 113,905 IIS occurrences versus 55,088 for Apache.

Drive-By Downloading

Provos wrote on the official Google security blog Monday describing the process, which he calls "drive-by downloading," which can infect vulnerable computers through visiting malicious Web sites. "Drive-by downloads are caused by URLs that attempt to exploit their visitors and cause malware to be installed and run automatically," according to the study. While the full research paper has yet to be released, Provos and his co-authors decided to make portions of it available this week in order to make people aware of the increasing dangers on the Web. "In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing," Provos wrote on the Google blog.
Google Research Finds Security Risks in Web Ads and DNS

The study found that some 1.3 percent of search queries returned by Google "returned at least one URL labeled as malicious in the results page," and that the techniques used have switched from largely push-based methods to pull-based models that attempt to entice users into visiting malicious sites. Would-be attackers can "use various social engineering techniques to entice the visitors of a website to download and run malware," the study notes. A second method of attack, involving browser software vulnerabilities, is also explored in the study. The study describes "the underhanded tactic of targeting various browser vulnerabilities to automatically download and run - i.e., unknowingly to the visitor - the binary upon visiting a website," and it is this type of attack the study focused on. "Ad serving networks are increasingly being used as hops in the malware serving chain," the study notes. The greatest number of malicious Web sites were found to be hosted in China, which accounted for 67 percent of the dangerous sites in the study, followed by the United States with 15 percent and Russia with 4 percent.