Experts: DNS Attacks Could Go Deeper

DNS botnet exploits are bad, but potential for an attacker to 'own' your DNS server is much worse

Botnet operators are already exploiting the Microsoft DNS server bug, as predicted, but that should be the least of your worries. The real danger lies in an attacker using the flaw to take over an enterprise's internal DNS server. (See Zero-Day Fever.)

Security experts say an attacker could use the vulnerability in Microsoft's Domain Name Server (DNS) Service to do more serious damage -- such as wresting control of the server, modifying its DNS records, and using it as a way to launch other attacks or to sabotage a particular company or organization.

"This could be a stepping stone into an enterprise," says Jose Nazario, senior software and security engineer for Arbor Networks, who has been studying the new exploits. "Also, if an attacker controls DNS, they can really alter an organization's situation. Imagine if an attacker redirected www.google.com to their own IP addresses with exploit code on it (i.e. the recent .ANI exploit). DNS is a great way to silently drive hosts to a malicious site."

The bug itself isn't in the DNS protocol, but in the way the Microsoft server software handles the remote procedure calls (RPCs) among the servers, so its scope is basically those organizations that run the server platform (not the massive banks of mostly Unix-based servers that make up the Internet's DNS infrastructure). Microsoft has hinted it may patch the DNS Service bug before its next Patch Tuesday, May 8.

So far, the botnet infections (many using worms and some non-Microsoft vulnerabilities, including a recycled old Symantec antivirus bug) seem to be limited, according to researchers, although Nazario says the so-called Nirbot botnet could have a few thousand zombies. Sophos, meanwhile, so far has not received many calls from customers getting infected, says Ron O'Brien, senior security analyst for the anti-malware company. "That indicates that it's much more of a proof-of-concept exploit, versus something that's being widely deployed."

Still, the bots aren't the real problem here. "The only people that need to act quickly are enterprise customers with large internal networks," says HD Moore, creator of the popular open-source Metasploit hacking tool.

"For worm propagation, it's a bad target -- the port is dynamic, the number of targets few, and the percent of vulnerable systems actually allowing access to this port from the Internet even fewer," Moore says. But for an attacker hell-bent on sabotaging an organization or hijacking its internal DNS entries, "this bug is great," says Moore, who is also director of security research for BreakingPoint Systems. Once the attacker has penetrated the DNS server via the flawed RPC interface, he or she then adds a backdoor account, restarts the server, and it's owned, he adds.

The simplest scenario would be a denial-of-service attack on an organization's DNS server as part of the targeted attack. "That would cause a DNS outage for anyone who used that server," says David Ulevitch, CEO of OpenDNS, and founder of EveryDNS, both DNS services. "A less likely scenario is one where they are able to poison the DNS server to hand back malicious responses for specific records -- like a bank or Paypal."

Paul Mockapetris, co-creator of the DNS protocol and chairman and chief scientist of Nominum, estimates that there are thousands of organizations out there that haven't configured their Microsoft DNS service properly and are therefore vulnerable to attack. Contrary to the popular belief that Microsoft DNS systems are not commonplace enough to cause major concern over these recent attacks, Nominum -- which specializes in DNS clusters for large service providers -- has seen more enterprises that run Microsoft's DNS and DHCP servers coming to it for help with security, he says.

And although the latest botnet-related exploits don't mean much to the Internet's DNS infrastructure, their potential to redirect traffic is reminiscent of previous cache-poisoning attacks on the Net's DNS servers, experts say. "This has made people more aware of the damage if DNS is subverted," Mockapetris says. "And it may have motivated the dark side to think about how to do that" on the Internet.

So until a patch arrives from Microsoft, the best defense is to disable the RPC function. As for the Nirbot (a.k.a. Rinbot) infection specifically, be on the lookout for outbound connections to x.rofflewaffles.us, as well as port 8080 connections, security experts say. "Scans coming from their DNS server to TCP ports 1025 and 2967 are also tell-tale signs of this bot being present on their DNS server," Arbor's Nazario notes.
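The three indicators the experts name above (outbound connections to x.rofflewaffles.us, connections to port 8080, and a DNS server scanning TCP ports 1025 and 2967) can be checked against egress or flow logs. The script below is an added example, not code from the article or from Arbor Networks; the flow-log format, the DNS server address, the scan threshold and every log line in it are constructed for the demonstration.

```python
"""Flag the Nirbot/Rinbot network indicators from the article in flow-style logs.

Added example. The log format, the DNS server address (10.0.0.53), the
scan threshold and all sample lines are constructed, not taken from any
real deployment.
"""
import re
from collections import defaultdict

# Indicators quoted in the article.
SUSPECT_HOST = "x.rofflewaffles.us"
SUSPECT_PORT = 8080
SCAN_PORTS = {1025, 2967}
# Assumed: how many distinct targets on one scan port before we call it a scan.
SCAN_THRESHOLD = 3

# Constructed flow-log format: "<timestamp> <src_ip> -> <dst_ip|hostname>:<dport>/<proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>[^:\s]+):(?P<dport>\d+)/(?P<proto>tcp|udp)$"
)


def parse_flow(line):
    """Return a dict for one flow line, or None if the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
    }


def find_indicators(lines, dns_servers):
    """Return a list of (kind, src, dst_or_summary, dport) alerts.

    kinds: 'c2-host' for traffic to the named host, 'port-8080' for any
    connection to port 8080, and 'dns-server-scan' when a DNS server reaches
    SCAN_THRESHOLD distinct hosts on TCP 1025 or 2967.
    """
    alerts = []
    scan_targets = defaultdict(set)  # (src, dport) -> distinct destinations
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow["src"], flow["dst"], flow["dport"]
        if dst.lower() == SUSPECT_HOST:
            alerts.append(("c2-host", src, dst, dport))
        if dport == SUSPECT_PORT:
            alerts.append(("port-8080", src, dst, dport))
        if src in dns_servers and flow["proto"] == "tcp" and dport in SCAN_PORTS:
            scan_targets[(src, dport)].add(dst)
    for (src, dport), targets in sorted(scan_targets.items()):
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("dns-server-scan", src, f"{len(targets)} hosts", dport))
    return alerts


# Constructed sample log: the DNS server talks to the named host, sweeps three
# internal hosts on 1025 (one on 2967), and a workstation hits port 8080.
SAMPLE_LOG = """\
2007-04-16T09:01:02 10.0.0.53 -> x.rofflewaffles.us:6667/tcp
2007-04-16T09:01:05 10.0.0.53 -> 10.0.1.10:1025/tcp
2007-04-16T09:01:05 10.0.0.53 -> 10.0.1.11:1025/tcp
2007-04-16T09:01:06 10.0.0.53 -> 10.0.1.12:1025/tcp
2007-04-16T09:01:07 10.0.0.53 -> 10.0.1.12:2967/tcp
2007-04-16T09:02:00 10.0.0.77 -> 203.0.113.9:8080/tcp
2007-04-16T09:02:01 10.0.0.20 -> 10.0.0.53:53/udp
2007-04-16T09:02:02 10.0.0.21 -> 10.0.0.53:53/udp
""".splitlines()

DNS_SERVERS = {"10.0.0.53"}  # constructed address of the internal DNS server

if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG, DNS_SERVERS):
        print(alert)
```

The scan rule counts distinct destinations per (source, port) pair rather than alerting on a single connection, because a DNS server legitimately opens occasional TCP connections; the single 2967 probe in the sample is therefore not reported while the three-host sweep on 1025 is.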

— Kelly Jackson Higgins, Senior Editor, Dark Reading
