abusing dns to spread malware:from router to end...
DESCRIPTION
abusing dns to spread malwareTRANSCRIPT
Abusing DNS to spread malwareAbusing DNS to spread malwareAbusing DNS to spread malwareAbusing DNS to spread malwareFrom router to end-user
Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab
CNCERT/CC 2011 Annual Conference
What is DNS?What is DNS?And why can it be abused?
What is DNS?
DNS – Domain Name System
DNS translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices addressing these devices worldwide
DNS is a "phone book" for the Internet
Examples:kaspersky.com -> 91.103.64.6google.com -> 209.85.149.104
Why can DNS be abused?
• Technical side
• Open, distributed design
• Lots of nodes• Everybody can start one
• Usage of User Datagram Protocol (UDP)
• Unreliable (no concept of acknowledgment, retransmission or timeout)• Not ordered (if two messages are sent to the same recipient, the order in which they
arrive cannot be predicted)arrive cannot be predicted)
• Human factor
• Not well-qualified network administrators
• Network security holes• Default hardware configurations• etc.
• End-users themselves
• The most easy object to abuse!
How can DNS be abused?How can DNS be abused?Real-world examples
How can DNS be abused?
Instead of going into cool theoretical stuff about techniques of exploiting DNS itself, I would rather show some real-world examples of attacks and
malicious programs related to DNS.
Abusing DNSSimple example: changing user’s DNS settings using ‘hosts’ file
That’s how normal ‘hosts’ file looks like
And that’s an infected example
Abusing DNSSimple example: changing user’s DNS settings using relocated ‘hosts’ file
That’s where ‘hosts’ file should be located
But it can be relocated and infected
And original ‘hosts’ file remains unchanged
Abusing DNSSimple example: changing user’s DNS settings using network registry settings
That’s how ‘NameServer’ option should look like
But it can be manually changed..But it can be manually changed..
And immediately updated
Abusing DNSMore advanced example: Rorpian case
• First of all, malware gets on user’s PC via removable media
• Then, the magic begins
• Malware configures user’s system as DHCP server and starts listening to the local network
• If the system is already infected, manually sets the DNS server to Google’s one (8.8.8.8)
• When a DHCP request from another computer arrives, malicious DHCP
Malware infection from any visited resource!
• When a DHCP request from another computer arrives, malicious DHCP server attempts to answer before official one
• If the attempt was successful, another computer’s DNS will be changed to malicious one
• Which leads to..
Abusing DNSMore high-level threat: hacking the routers
• Main security issues
• weak default passwords or no password change enforcement
• insecure default configuration
• firmware vulnerabilities & services implementation errors
• lack of awareness
Abusing DNSHow to hack million of routers?
Overhyped?
PAGE 12 | Kaspersky Powerpoint template – Overview | January 24 2011
Not at all.
Abusing DNSExample: 2Wire case
Abusing DNSExample: D-Link & Tsunami case
Malware goes even inside the router itself!Malware goes even inside the router itself!
Abusing DNSExamples: it’s only the beginning
Abusing DNSEven more high-level threat: hacking the DNS server s
PAGE 16 | Kaspersky Powerpoint template – Overview | January 24 2011
Abusing DNSLast example: mysterious google-analytics.com case
• Several months ago by Kaspersky Security Network (KSN) we received tons of notifications of javascript Iframer malware planted on http://google-analytics.com/ga.js
• ga.js downloaded from google-analytics.com was clean
• But when we got some file from users.. It was infected!
It seems like something is wrong with the local DNS
• First version redirects user to domain name quehduid.com, which wasn’t even registered!
• But still, we received notifications about exploits downloaded using this domain
• Analyzed tons of malware which could be connected to this case
• Found nothing common to DNS poisoning/hijacking
• But found some interesting geographic pattern between versions
It seems like something is wrong with the local DNS in these countries, isn’t it?
ConclusionsConclusions
ConclusionsSumming it up
• DNS can be is hijacked/poisoned on every layer of network organization structure
• Users
• Routers
• DNS servers
• DNS was not originally designed with security in mind
• Thus has number of security issues• Thus has number of security issues
• There are some technical things that can make it more secure
• Domain Name System Security Extensions (DNSSEC) - cryptographically signed responses
• OpenDNS - misspelling correction, phishing protection, content filtering, blocks bad IPs, stops bots from 'phoning home'
• Google Public DNS - basic validity checking, adding entropy to requests, removing duplicate queries, rate-limiting queries
ConclusionsSumming it up
• From user side, more things can be done
• Again and again, strong passwords
• Hardening default hardware settings
• Systematic updates of both firmware and software
• Remote control through VPN
• From hardware vendors side
• Unique default passwords for devices
• Secure default settings (disable or limit remote access!)
• Emphasis on firmware security
• From security vendors side
• Miscellaneous checking for security (passwords, default settings, vulnerabilities etc.)
• Inform user on possible security holes
Thank YouThank You
Evgeny Aseev, Senior Malware Analyst, Kaspersky LabEvgeny Aseev, Senior Malware Analyst, Kaspersky LabCNCERT/CC 2011 Annual Conference