Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:15 AM
Connect Directly

Experts: DNS Attacks Could Go Deeper

DNS botnet exploits are bad, but potential for an attacker to 'own' your DNS server is much worse

Botnet operators are already exploiting the Microsoft DNS server bug now as predicted, but that should be the least of your worries. The real danger lies in an attacker using the flaw to take over an enterprise's internal DNS server. (See Zero-Day Fever.)

Security experts say an attacker could use the vulnerability in Microsoft's Domain Name Server (DNS) Service to do more serious damage -- such as wresting control of the server, modifying its DNS records, and using it as a way to launch other attacks or to sabotage a particular company or organization.

"This could be a stepping stone into an enterprise," says Jose Nazario, senior software and security engineer for Arbor Networks, who has been studying the new exploits. "Also, if an attacker controls DNS, they can really alter an organization's situation. Imagine if an attacker redirected www.google.com to their own IP addresses with exploit code on it (i.e. the recent .ANI exploit). DNS is a great way to silently drive hosts to a malicious site."

The bug itself isn't in the DNS protocol, but in the way the Microsoft server software handles the remote procedure calls (RPCs) among the servers, so its scope is basically those organizations that run the server platform (not the massive banks of mostly Unix-based servers that make up the Internet's DNS infrastructure). Microsoft has hinted it may patch the DNS Service bug before its next Patch Tuesday, May 8.

So far, the botnet infections (many using worms and some non-Microsoft vulnerabilities, including a recycled old Symantec antivirus bug) seem to be limited, according to researchers. Although Nazario says the so-called Nirbot botnet could have a few thousand zombies. Sophos, meanwhile, so far has not received many calls from customers getting infected, says Ron O'Brien, senior security analyst for the anti-malware company. "That indicates that it's much more of a proof-of-concept exploit, versus something that's being widely deployed."

Still, the bots aren't the real problem here. "The only people that need to act quickly are enterprise customers with large internal networks," says HD Moore, creator of the popular open-source Metasploit hacking tool.

"For worm propagation, it's a bad target -- the port is dynamic, the number of targets few, and the percent of vulnerable systems actually allowing access to this port from the Internet even fewer," Moore says. But for an attacker hell-bent on sabotaging an organization or highjacking its internal DNS entries, "this bug is great," says Moore, who is also director of security research for BreakingPoint Systems. Once the attacker has penetrated the DNS server via the flawed RPC interface, he or she then adds a backdoor account, restarts the server, and it's owned, he adds.

The simplest scenario would be a denial-of-service attack on an organization's DNS server as part of the targeted attack. "That would cause a DNS outage for anyone who used that server," says David Ulevitch, CEO of OpenDNS, and founder of EveryDNS, both DNS services. "A less likely scenario is one where they are able to poison the DNS server to hand back malicious responses for specific records -- like a bank or Paypal."

Paul Mockapetris, co-creator of the DNS protocol and chairman and chief scientist of Nominum, estimates that there are thousands of organizations out there that haven't configured their Microsoft DNS service properly and are therefore vulnerable to attack. Contrary to popular belief that Microsoft DNS systems are not commonplace enough to cause major concern over these recent attacks, Nominum -- which specializes in DNS clusters for large service providers -- has seen an increase in enterprises using Microsoft's DNS and DHCP servers coming for help with security, he says.

And although the latest botnet-related exploits don't mean much to the Internet's DNS infrastructure, their potential to redirect traffic rings reminiscent of previous cache-poisoning attacks on the Net's DNS servers, experts say. "This has made people more aware of the damage if DNS is subverted," Mockapetris says. "And it may have motivated the dark side to think about how to do that" on the Internet.

So until a patch arrives from Microsoft, the best defense is to disable the RPC function. As for the Nirbot (a.k.a. Rinbot) infection specifically, be on the lookout for outbound connections to x.rofflewaffles.us, as well as port 8080 connections, security experts say. "Scans coming from their DNS server to TCP ports 1025 and 2967 are also tell-tale signs of this bot being present on their DNS server," Arbor's Nazario notes.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Arbor Networks Inc.
  • Microsoft Corp. (Nasdaq: MSFT)
  • Sophos plc
  • OpenDNS
  • Nominum Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
    Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: Our Endpoint Protection system is a little outdated... 
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-12-10
    IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.
    PUBLISHED: 2019-12-10
    IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to gain unauthorized information and unrestricted control over Zookeeper installations due to missing authentication. IBM X-Force ID: 159518.
    PUBLISHED: 2019-12-10
    Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 165179.
    PUBLISHED: 2019-12-10
    IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245...
    PUBLISHED: 2019-12-10
    The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts.