Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released
Today, CERT is issuing an advisory for a massive multivendor patch to resolve a major issue in DNS that could allow attackers to poison the cache of essentially any recursive name server (it also affects clients). Dan Kaminsky discovered the flaw early this year and has been working with a large group of vendors on a coordinated patch.
The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn’t directly possible.
Dan asked for some assistance in getting the word out and was kind enough to sit down with me for an interview. We discuss the importance of DNS, why this issue is such a problem, how he discovered it, and how such a large group of vendors was able to come together, decide on a fix, keep it secret, and all issue on the same day.
Dan, and the vendors, did an amazing job with this one. We’ve also attached the official CERT release and an Executive Overview document discussing the issue.
Update: Dan just released a “DNS Checker” on his site Doxpara.com to see if you are vulnerable to the issue.
Network Security Podcast, Episode 111, July 8, 2008
And here’s the text of the Executive Overview:
Fixes Released for Massive Internet Security Issue
On July 8th, technology vendors from across the industry will simultaneously release patches for their products to close a major vulnerability in the underpinnings of the Internet. While most home users will be automatically updated, it’s important for all businesses to immediately update their networks. This is the largest synchronized security update in the history of the Internet, and is the result of hard work and dedication across dozens of organizations.
Earlier this year, professional security researcher Dan Kaminsky discovered a major issue in how Internet addresses are managed (Domain Name System, or DNS). This issue was in the design of DNS and not limited to any single product. DNS is used by every computer on the Internet to know where to find other computers. Using this issue, an attacker could easily take over portions of the Internet and redirect users to arbitrary, and malicious, locations. For example, an attacker could target an Internet Service Provider (ISP), replacing the entire web — all search engines, social networks, banks, and other sites — with their own malicious content. Against corporate environments, an attacker could disrupt or monitor operations by rerouting network traffic, capturing emails and other sensitive business data.
Mr. Kaminsky immediately reported the issue to major authorities, including the United States Computer Emergency Response Team (part of the Department of Homeland Security), and began working on a coordinated fix. Engineers from major technology vendors around the world converged on the Microsoft campus in March to coordinate their response. All of the vendors began repairing their products and agreed that a synchronized release, on a single day, would minimize the risk that malicious individuals could figure out the vulnerability before all vendors were able to offer secure versions of their products. The vulnerability is a complex issue, and there is no evidence to suggest that anyone with malicious intent knows how it works.
The good news is that due to the nature of this problem, it is extremely difficult to determine the vulnerability merely by analyzing the patches, a common technique malicious individuals use to figure out security weaknesses. Unfortunately, due to the scope of this update it’s highly likely that the vulnerability will become public within weeks of the coordinated release. As such, all individuals and organizations should apply the patches offered by their vendors as rapidly as possible.
Since not every system can be patched automatically, and to provide security vendors and other organizations with the knowledge they need to detect and prevent attacks on systems that haven’t been updated, Mr. Kaminsky will publish the details of the vulnerability at a security conference on August 6th. It is expected by this point the details of the vulnerability will be independently discovered, potentially by malicious individuals, and it’s important to make the specific details public for our collective defense. We hope that by delaying full disclosure, organizations will have time to protect their most important systems, including testing and change management for the updates. Mr. Kaminsky has also developed a tool to help people determine if they are at risk from “upstream” name servers, such as their Internet Service Provider, and will be making this publicly available.
Home users with their systems set to automatically update will be protected without any additional action. Vendor patches for software implementing DNS are being issued from major software manufacturers, but some extremely out of date systems may need to be updated to current versions before the patches are applied. Executives need to work with their information technology teams to ensure the problem is promptly addressed.
There is absolutely no reason to panic; there is no evidence of current malicious activity using this flaw, but it is important everyone follow their vendor’s guidelines to protect themselves and their organizations.
mind Jul 8
uhh, full disclosure maybe?
What is compromised? What are the attack vectors?
Sorry, “important … to immediately update their networks” doesn’t cut it. Should I kill named immediately? If I’m waiting for apt repositories? Or does this only allow arbitrary remapping of addresses, which isn’t as urgent given that anything important should be using tls.
john.jones.name Jul 8
well done for such a coordinated patch process
regards
John Jones
rmogull Jul 8
Dan will release the details at Black Hat- for now, port randomization will make exploitation impractical. That’s what most of the fixes are doing.
Shamgar Jul 8
Or you could just run djbdns which already randomizes ports.
windexh8er Jul 8
So, here’s my take. Dan’s find will spark much debate around the inherent suck of DNS today. Everyone will talk about it for a week (bloggers / podcasters start your engines) and then the inevitable… Nothing will happen. Sure, the vendors will scramble to patch. But, name resolution as a whole will continue to be insecure and craptastic. :)
I think I have a good idea of what’s up based on Rich’s comment. *sigh*
Matillo Jul 8
Anyone know if this is related to the recent ICANN/IANA DNS compromise?
windexh8er Jul 8
I have to call Rich on this one…
“Reverse engineering the vulnerability by looking at the patch will not be easy with this one,” he said.” — quoted from DR.
Really? I’m not so sure. Dan may be smart, but Tom Ptacek states the obvious that this isn’t a new threat. Maybe a new spin on an old flaw. But to say that there won’t be something on milw0rm in a few days would be betting against the odds I think. Maybe a tad zealous? I’d be willing to wager something on that at this point. There’s lots-o-smart black hats out there. I don’t think PoC code will be difficult — but that’s just my $0.02.
FUD? I’d say — not exactly. But maybe. :)
Marcin Jul 8
The advisory says more than enough information for anyone to understand how the attack works and anyone with the skills can come up with an exploit for it.
This is just another reason why we need DNSSEC.
tekhammer Jul 8
Dan didn’t find shit. He read RFC3833 (http://www.ietf.org/rfc/rfc3833.txt) which was released 4 years ago.
Duane Jul 8
DNSSec hasn’t done anything in 10 years, nor is it likely to in the next 10 years; it’s just too complicated, not to mention needing to renew sigs all the time, and until the sigs time out, usually 30 days, people can run replay attacks on your data.
What we need is confidentiality as well as other aspects of cryptography, signing alone seems pointless and overly complicated to me, I’ve been drawing up an internet draft on this topic for other reasons, but it would solve so many.
http://www.e164.org/docs/draft-groth-dns-encryption-00.txt
rmogull Jul 8
tekhammer- that’s not it. Earlier work is involved, but this is new and thus necessitated the coordinated patch. Dan will release the info at Black Hat and you can evaluate it again then.
D.M. Jul 8
Microsoft let the cat out of the bag with MS08-020 - sorta predictable TXID numbers; there’s a really good article on phrack from not too long ago talking about attacks against tcp/ip ISN that are probably applicable to this.
I’m ignorant though - is this a dns cache poisoning issue or what? So you spoofed a TXID, what next?
rmogull Jul 8
Ya- cache poisoning, but a new exploit method. That’s my understanding.
Just About Jul 8
All this does naught for me at home.
When guys try to do everything more CANONICAL and STRICT by RFCs, or try to update the protocol or close the flaws in a technical way, like Mr. D. J. Bernstein and others, the BIG DADS or BIG BINDS or BIG MICROSOFTS just think about money.
When shit happens they do a MOVIE-like script to put everyone in an afraid way and their own ass in the LIGHT.
Be strict in RFCs, don’t use the BUGBIND and clones. So after that the FLAWS that have already existed in the DNS protocol and other protocols for decades will impact your business in a soft way. Not in a MOVIE SCRIPT WAY.
What can I think if these guys did this on a MICROSOFT CAMPUS?
Nothing.
Whoever knows what they are speaking about and what flaw (BUG) it is understands what I am speaking about.
STOP BEING SILLY, STOP USING THINGS DONE BY MONEY MAKERS..
START TO THINK LIKE AN ENGINEER, OR A REAL NETWORK DEVELOPER. That all troubles come with the right kind of height and trouble..
This is a circus… a kid; this news seems more like the release of a new product than a REAL CONCERN..
Just to keep everyone informed, in Brazil, last week, ALL the TELEFONICA NETWORK (put down an entire state, and almost all internet connections, phone and cell phone) was one of the biggest TROUBLES a company has had around the globe (look around this, Telefonica internet brazil). Just because these MONEY MAKERS do this shit and news like that…
Jet Jul 8
Isn’t this is the same as the “BIND 9 DNS Cache Poisoning” at http://www.securiteam.com/securitynews/5VP0L0UM0A.html (July 2007 by Amit Klein)?
I believe the detail of this vulnerability will be almost the same.
Steve O Jul 8
Too bad Microsoft’s fix hoses ZoneAlarm. Well, if you can’t get on the Internet, you can’t get into trouble.
spaz Jul 8
He should have fully disclosed the details about the vulnerability. In a few days or so almost every blackhat with a brain will know about the vulnerability and exploit it. The victims would be left clueless wondering wtf happened and not knowing how to fix it, or even perhaps what happened because it was kept under wraps.
My 0.02, FWIW.
Othello Jul 9
Steve O,
ZoneAlarm at one time may have been a good product, but I’m sorry, it senselessly throttles back your connection, but maybe that’s because I use the free (cheap) one. Anyway, I digress; yes, there is a true potential for some real problems with this “new” hole in the DNS protocol. And yes, if we (developers) all stuck to the RFCs (or even just wrote decent, concise, optimized code) when writing new and inventive code, our world would be perfect. But let’s face it, developers are about as lazy as it gets these days, everyone thinks that hardware is pretty much free, and Execs. allow them to open up these “holes” via terrible decision making. I say, let’s get back to basics, do the right thing, and write the code the way you _know_ it should be, but I live in a perfect world.
Now the “secret” is out, let’s just get together and fix this nonsense (another $0.02 worth).
Oh, and “Just About”, when were RFCs about money? I understand that you are from Brazil (or so it seems) but why all the yelling?
cjk Jul 9
@”Shamgar”:
djbdns is said to use the kernel-level UDP port randomization — in case of Linux, the patch has gone into v2.6.24.
@”Just About”:
I agree. Far too many RFCs have far too many “SHOULD” or “MAY” and should (oops!) have much stricter semantics; it’s either “MUST” or “MUST NOT” and deviations from the RFC (given that the RFC is actually sane) MUST be rejected.
Martyn Thomas Jul 9
If this is the patch released by MS today for Win XP, I lost DNS connectivity after installing it and rebooting. ipconfig looked OK. Net Diagnostics couldn’t trace the problem. I could talk to my network router and it could see the internet but nothing got through the whole path. A second reboot of the XP machine restored connectivity.
me Jul 9
http://doxpara.com/
Not Found
The requested URL /printme.html was not found on this server.
Dave J. Jul 9
Everyone using ZoneAlarm w/ the firewall set on High for the Internet Zone Security has been shut off the internet. The only fix is to set to a more vulnerable Medium setting or uninstall the MS patch. Most all seem to be uninstalling the MSKB951748 patch.
commenter Jul 9
I just read the comments here.
How come there’s so many arrogant blowhards on the internets?
爷爷 Jul 9
Fuck your mother, you’re just being a fucking poser,
either publish it, or don’t say anything at all,
bastard.
Avatar Jul 9
What about this post at the Internet Storm Center? Ian Green wrote about this in 2005 in his GSEC whitepaper.
JimBo Jul 9
This is Bollocks
fugdabug Jul 9
I don’t think it is that simple. This is an old problem, and there is more to the soup than the ’sky is falling’ approach. No I don’t think a ’scare’ is what we need. We need more people on computers that are aware of the ‘how it works’, and less of the ‘I wanna push the funny buttons-’ type of people. Which means a more educated community of users. WE ALSO NEED LESS MONOPOLY IN THE OS DEPT.! Everybody knows, over-specialization leads to extinction!
ds Jul 9
>>
WE ALSO NEED LESS MONOPOLY IN THE OS DEPT.! Everybody knows, over-specialization leads to extinction!
<<
The irony of this being posted in a message that speaks about the presence of the exploit in multiple vendors’ code. This isn’t a vendor created problem, it is inherent in the DNS protocol.
Allen Baranov Jul 9
Having read the comments and checked out the site mentioned in the blog I have the following theory:
1. I connect to vulnerable DNS Server and query my very own domain. I note what the UDP source port is.
2. I connect to the DNS Server again ASAP and query another of my very own domains. I note what that UDP source port is.
3. Assuming they are close together I do a query of “microsoft.com” or some such and send a UDP reply to the server with a bogus IP address. I could probably send 20 replies so that I get the correct port.
4. Cache is poisoned.
Am I missing anything?
d0t Jul 9
Allen Baranov <——- This guys on the right track ;)
I wish the “exploit” could have lasted longer :( *sigh*
d0t
Steve Pinkham Jul 9
Allen Baranov:
Yes.
There is a 16 bit nonce that you also don’t know, so you have to send an average of 2^16/2 = 32768 packets before the real response gets back.
At ~100 Bytes a packet, that’s 3MB you need to send out in .03-1 second or so before the DNS query response. If you can delay or drop the response, you’re golden.
The “birthday attack” discovered in 2002 drops the amount of traffic needed to be sent significantly, if the DNS server sends multiple queries for the same data from the same port.
It can take the 32768 responses for a 50% chance of exploit down to 300, or 30KB of responses, and 20KB of requests (usually smaller). 50KB of traffic is nothing these days, and any resolver which is still vulnerable to the birthday attack can be owned without much fuss. Many of the servers have been patched against this for a long time now.
I have my slides from a talk I gave on DNS security and DNSSEC last year, which covers all this in more detail.
http://www.mavensecurity.com/documents/J9-DNS-Security-handouts-2008-02-17.pdf
I do wonder what if anything Dan has to add to the already known brokenness of DNS. Using multiple hosts to do the flooding? Been done. Special ordering of the packets for best results? Dunno, but the sky was already falling before Dan opened his mouth, but now we get to talk about it anyway ;-)
The question is is anything going to get fixed this time around, or will we be living with broken DNS for another 10 years before we actually fix the real problem of 16bit nonce w/ possible 15-16 bit source port?
Steve Pinkham Jul 9
Great explanation of the problem here, showing differing size of secure nonces used in and out of DNS:
http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/
Note DNS ID’s are WAY undersized..
Unfortunately 99% of our problems could be solved with a 128 bit or so DNS nonce, but instead of the simple fix we have an over-engineered DNSSEC standard that’s taken more than 10 years to get anywhere (and it’s still not widely deployed at all in the US).
Now don’t get me wrong, DNSSEC is the proper long term secure fix. However we should have had a “good enough” fix in the form of longer transaction ID 10 years ago which would solve everything but the man in the middle problem.
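The race that Allen Baranov’s four steps and Steve Pinkham’s packet arithmetic describe can be put into working code. The following is an added example, not code from the original post, from Dan Kaminsky, or from any vendor patch. It builds a minimal DNS query, shows the three things an unpatched resolver checks before accepting an answer (destination port, 16-bit TXID, echoed question section), and computes how many forged responses an off-path attacker needs with a fixed source port, with a randomized source port, and with the 2002 birthday shortcut. Assumptions: the 100-byte packet size is taken from the comment above; the query name www.example.com and the bogus answer 192.0.2.1 are constructed; the birthday probability uses the standard approximation 1 - exp(-outstanding * forged / space); a real resolver also compares the sender IP, which an off-path attacker simply spoofs, so it is omitted.

```python
"""Blind DNS cache-poisoning race: what must match, and how many guesses it takes."""
import math
import struct

# --- Attack space arithmetic (Steve Pinkham's 32768-packet figure) ---------

def guess_space(txid_bits=16, port_bits=0):
    """Equally likely (TXID, source port) pairs the attacker must cover.
    txid_bits is 16 by the DNS header format; port_bits is 0 for a fixed
    query port and roughly 15 once the ephemeral range is used at random."""
    return 2 ** (txid_bits + port_bits)

def p_success_single(space, forged):
    """One outstanding query, `forged` distinct guesses: P(hit) = forged / space."""
    return min(1.0, forged / space)

def p_success_birthday(space, outstanding, forged):
    """`outstanding` identical queries in flight from one port, `forged` guesses:
    any guess matching any query wins. Approximation 1 - exp(-o*f/space)."""
    return 1.0 - math.exp(-outstanding * forged / space)

def forged_for_target(space, outstanding=1, target=0.5):
    """Forged responses needed to reach `target` success probability."""
    if outstanding == 1:
        return math.ceil(target * space)
    return math.ceil(-math.log(1.0 - target) * space / outstanding)

def traffic_bytes(forged, packet_bytes=100):
    """Bytes the attacker must deliver inside the response window (100 B assumed)."""
    return forged * packet_bytes

# --- What a forged response has to match (Allen Baranov's step 3) ----------

def build_query(txid, name, qtype=1, qclass=1):
    """Minimal RFC 1035 query: 12-byte header (RD set, 1 question) + QNAME + QTYPE + QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def parse_header(pkt):
    """Return (txid, flags, qdcount) from the first 12 bytes of a DNS message."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return txid, flags, qd

def forge_response(query, guessed_txid, ip="192.0.2.1"):
    """Attacker's answer: copies the question, sets QR/RD/RA, adds one A record
    (name via compression pointer 0xC00C to offset 12, TTL 300, bogus address)."""
    header = struct.pack("!HHHHHH", guessed_txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

def response_accepted(query, query_src_port, response, response_dst_port):
    """The checks a pre-patch resolver applies: right UDP port, matching TXID,
    QR bit set, and the question section echoed back. Nothing else is secret."""
    if response_dst_port != query_src_port:
        return False
    q_txid, _, _ = parse_header(query)
    r_txid, r_flags, _ = parse_header(response)
    if r_txid != q_txid or not (r_flags & 0x8000):
        return False
    return response[12:len(query)] == query[12:]

def demo():
    """Returns (wrong-TXID accepted?, right-TXID accepted?, forged responses for 50%
    with fixed port, with ~15 random port bits, and with 300 identical queries in flight)."""
    q = build_query(0x1234, "www.example.com")          # constructed sample query
    miss = response_accepted(q, 53, forge_response(q, 0x4321), 53)
    hit = response_accepted(q, 53, forge_response(q, 0x1234), 53)
    fixed_port = forged_for_target(guess_space(16, 0))
    random_port = forged_for_target(guess_space(16, 15))
    birthday = forged_for_target(guess_space(16, 0), outstanding=300)
    return miss, hit, fixed_port, random_port, birthday

if __name__ == "__main__":
    miss, hit, fixed_port, random_port, birthday = demo()
    print("wrong TXID accepted:", miss, "| right TXID accepted:", hit)
    print("fixed port, 1 query  :", fixed_port, "forged =", traffic_bytes(fixed_port), "bytes")
    print("15 random port bits  :", random_port, "forged")
    print("birthday, 300 queries:", birthday, "forged")
```

The numbers make the point of the thread concrete: with a fixed query port, 32768 forged packets (about 3 MB at 100 bytes each) give even odds; letting the resolver keep 300 identical queries in flight from one port drops that to a few hundred; randomizing the source port over roughly 15 bits pushes the 50% mark past a billion packets, which is why the patches add port randomization rather than a protocol change.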
rsp Jul 9
Wouldn’t the existence and availability of the “DNS Checker” point to the nature of the vulnerability? Couldn’t someone snoop to see what it’s doing?
The Happy Space Invader Jul 9
All your DNS belong to us!
Steve Pinkham Jul 9
rsp: It’s checking to see if your DNS resolver uses query port randomization, and the range it uses.
The patches for bind turn on query port randomization by default, and allow a larger range of source ports.
What Dan seems to be claiming is that he has found a more efficient attack against the already known problems in DNS that takes it from “known broken” status to “broken by your grandma” status.
Whether that’s true or he’s just popularizing attacks the security world has known about for 5 years or more, we won’t know until next month.
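What such a checker actually sees is a short list of UDP source ports, recorded at an authoritative server you control while the resolver under test queries names in your domain (the same observation Allen Baranov’s steps 1 and 2 describe). The following is an added example, not the Doxpara tool or any vendor’s code, that classifies such a list as fixed, sequential, or spread over a range, and turns the result into the guess space an off-path attacker faces. The three observation sets are constructed, and the “random” verdict only means “not obviously weak”: a handful of samples can prove a port is fixed or counting, not that the generator is strong.

```python
"""Classify a resolver's observed UDP source ports, as a port-randomization check would."""
import math

# Constructed observation sets: source ports a resolver used on eight successive
# queries, as seen at an authoritative server under the tester's control.
SAMPLES = {
    "fixed":      [32768] * 8,
    "sequential": [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032],
    "random":     [53412, 1088, 61999, 33012, 17773, 45920, 9041, 62233],
}

def classify_ports(ports):
    """Return (label, bits): label in {'fixed', 'sequential', 'random'}, bits an
    estimate of log2(range of ports in use). Few samples can only rule strength out."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    if len(set(ports)) == 1:
        return "fixed", 0.0
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if all(0 < d <= 4 for d in deltas):        # small constant step: a counter, not an RNG
        return "sequential", 0.0
    span = max(ports) - min(ports) + 1          # lower bound on the range being drawn from
    return "random", math.log2(span)

def attacker_guess_space(ports, txid_bits=16):
    """Combinations an off-path attacker must cover once the port behaviour is known:
    2^16 TXIDs times the number of ports the next query could come from. A fixed or
    counting port is predictable, so it contributes nothing beyond the TXID."""
    label, bits = classify_ports(ports)
    port_choices = round(2 ** bits) if label == "random" else 1
    return 2 ** txid_bits * port_choices

def report(samples=SAMPLES):
    """Classify every observation set; returns {name: (label, bits)}."""
    return {name: classify_ports(ports) for name, ports in samples.items()}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        label, bits = classify_ports(ports)
        print(f"{name:10s} -> {label:10s} ~{bits:4.1f} port bits, "
              f"guess space {attacker_guess_space(ports):,}")
```

Run against a real resolver, replace the constructed lists with ports captured from its queries; a resolver patched to randomize over the ephemeral range should land in the “random” bucket with something near 15 to 16 bits, while a pre-patch BIND or a NAT that rewrites every query to one port will show up as fixed or sequential regardless of what the resolver itself does.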
WK Jul 9
Hello,
Very impressive coordination work… I guess we’re lucky the flaw has been found by a “good guy”.
When reading all resources from Dan Kaminsky’s blog (is it really a blog? regardless of the url typed, the same page comes up…), I understand that almost all dsl/home routers are also impacted… and won’t be fixed, I’m afraid. Am I right ?
Thanks,
wk
Steve Pinkham Jul 9
wk:
Probably home routers are vulnerable (if they run a caching resolver, recursive or not), but it’s probably not a problem.
The attack almost definitely requires the ability to force the resolver to create queries, and my guess is his new vulnerability creates many of them in a way that’s not obvious.
Forcing a single query is easy, but forcing many at an exact known time is very difficult, and I’m guessing that having someone on your home lan who could do that means you are already 0wned.
As far as we know and can guess, the vulnerability is primarily against shared caches at the business or ISP level. Unfortunately we don’t know much, and I could be very impressed in a month. ;-)
jj Jul 9
This update is well needed, but for the time and effort spent creating it, a warning dialog should have appeared before installing. AND IT SHOULD NOT LET IT BE DONE automatically! Inexperienced users surely freaked out when zone alarm wouldn’t let them connect to the internet. And to whomever did figure out that changing security from high to medium in za would let them connect, bravo. But still, now my computer is forced to be not as secure…
X Jul 9
Maybe it’s this patch that’s the real malware. Maybe this is a scam to get people to download the patch and then BOOM!
WK Jul 9
Steve: thanks for the insight. I was assuming that the attack could come from the “outside”. Then, I’m wondering why single computers need to be patched: only because the “local” Name information could be corrupted or… because it is a key element of the weakness?
X: I had the same thought… just imagine that the attack already occurred, that I thought I read the news on BBC but it wasn’t actually on bbc.co.uk, that my windows auto-update thought it connected to the Microsoft update server but installed malware instead of a real patch; in one word, the real is fake… enough to become schizophrenic!
blad3runn69 Jul 10
diabolical DNS batman, quick to the batcave…
Allen Baranov Jul 11
Steve,
Thanks for all the information provided, it was very interesting.
My understanding from what I’ve read of your information is that there are two protection mechanisms - source port and nonce.
Assuming that nonce can be taken out of the equation then it makes source port randomisation that much more important.
The question is - how has Dan Kaminsky managed to take nonce out of the equation?
Steve Pinkham Jul 11
Allen:
There’s really only 4 (known) ways to get better cache poisoning results:
1) Create more query traffic from the resolver
2) Create more bogus poisoning responses
3) Delay or force dropping of the real response packet from the authoritative server, giving more time to inject your poisoning responses.
4) Break the random number generator used to produce the XIDs
From the information we have and the need for source port randomization, I think scenario 3 is the most likely. Scenario 1 is also possible. Scenario 4 is unlikely given the cross platform nature of the claimed exploit, but BIND especially has been broken that way quite a few times in the past.
I have my own hunches about how to do this which I’ll be testing when I get a few spare cycles, but this post is the extent of the reverse engineering I’ll post publicly until Dan gets to talk about it next month. Let the black hats do their own work.
KiTT Jul 15
Dan has brought NOTHING new to the table. Simply made a name for himself by regurgitating the same old problems. YES DNS is a vulnerable protocol, it has been for 10 years. This is NOTHING new. Amit Klein talked about this exactly 1 year ago. Source port randomisation will sort things, so will better pseudo randomisation of the transaction IDs, ANY system admin could have told you this last year! Well done Dan, you are the prince of yesterday’s news.
WK Jul 15
@KiTT: ok, so there is nothing new. So why did all major providers (MS, Cisco, …) jointly issue an update/patch on July 8th? Too bad these guys are not as clever as you are; they would have saved money by doing nothing.
Or, are they clever?
rmogull Jul 15
If you think this is all a silly game and Dan didn’t discover anything new, read this: http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
This is as serious as it gets folks.
Dean Anderson Jul 17
There is also another solution: Use DNS over TCP. It is much harder to spoof the TCP connection. TCP already contains a random 32bit segment ID, in addition to the 16 bit DNS nonce. While one can spoof TCP if one is able to intercept the packets (you have to be in the network path), it is almost impossible to spoof TCP if one isn’t in the network path.
Like many others, I’m also very dubious of the claim that one can’t figure out the exploit from examining the patches. People who have examined the patches seem to have a good idea of the exploit and TXID exploitation in UDP DNS was long known. This exploit was why DJBDNS uses random ports. We’ll just have to wait and see how credible that claim was when the exploit is described at blackhat. Have fun.
–Dean
rmogull Jul 17
I’ve been watching what people are saying they’ve been able to figure out. So far, I think all of them will still learn from Dan’s presentation.
Mark Jul 26
I submitted a report to US CERT on 2 Feb 08 ~0310pm entitled:
“Possible undetectable/cleanable ‘Phishing-ware’ on Win ME” which described the symptoms of the problem as an end user. US CERT confirmed receipt of the email which I read around 11:00 pm that night.
My email described how one company in particular (revealed on the browser) was redirecting the website address to their own ‘lookalike’ website which apparently linked to their clients merchandising website links. This redirection was also discussed on one or two other message boards which I believe I made mention of to US CERT. The other boards also mention this same company. This company was not found under easywhois.com etc - thus revealing some hanky panky.
So I disagree that those with malicious intent were not already aware of and using this hack to make their merchandising clients receive stolen traffic from the original website I was trying to reach. Since I recalled what the actual intended website should look like and what I actually saw instead I knew that some hack was involved, which others had also detected as end-users and were chatting about on the internet. US CERT should have a copy of this email that I had sent. My copy has been corrupted by a bad HD sector.
In any case, I think that Dan ‘did a good thing’ but I think he should clarify what he’s claiming when he uses the phrase ‘my bug’ in his blog.
I sent my incident report to US CERT ASAP because I realized the scope of impact it could mean for hackers targeting online banking phishing targets etc and said so in my incident report. The company involved appeared to have just restricted their malicious use of the hack to merely redirecting buyers to their client listing of websites. Also a discussion thread on a forum about this was ‘closed’ prematurely — thus suggesting that the offending company discovered it and interdicted it (well, as one possibility in the world of conspiracies.) Anyway, I’m glad it only took a mere 5 months or so to ‘deep six’ those assh*les and their apparently ‘expert level’ hack.
Cheers, Mark
Mark Jul 26
I submitted a report to US CERT on 2 Feb 08 ~0310pm entitled:
“Possible undetectable/cleanable ‘Phishing-ware’ on Win ME” which described the symptoms of the problem as an end user. US CERT confirmed receipt of the email which I read around 11:00 pm that night.
My email described how one company in particular (revealed on the browser) was redirecting the website address to their own ‘lookalike’ website which apparently linked to their clients merchandising website links. This redirection was also discussed on one or two other message boards which I believe I made mention of to US CERT. The other boards also mention this same company. This company was not found under easywhois.com etc - thus revealing yet another ‘rat on the loose’ in internet land. Though you could go to their actual website and read their pitch about how good they were at bringing traffic to ‘your website’. So they were soliciting new clients who wanted to boost their web traffic.
So I disagree that those with malicious intent were not already aware of and using this hack to make their merchandising clients receive stolen traffic from the original website I was trying to reach (which only sold one product). Since I recalled what the actual intended website should look like and what I actually saw instead I knew that some hack was involved, which others had also detected as end-users and were chatting about on the internet. US CERT should have a copy of this emailed incident report that I had sent. (My copy has been corrupted by a bad HD sector).
In any case, I think that Dan ‘did a good thing’ but I think he should clarify what he’s claiming when he uses the phrase ‘my bug’ in his blog. Certainly end-users were discussing it a bit on some blog sites and my incident report went in on 2 Feb though this bug was operational for probably a year or more before that (that I’m aware of). The company doing the redirecting was bragging about how they have some inside knowledge about how the internet works and how they could bring more traffic into their clients websites (hope they told their clients that - yeah - they were boosting the traffic intended for somebody else’s website). I identified the company (by name as I recall) to US CERT as ‘malicious’.
I sent my incident report to US CERT ASAP because I realized the scope of impact it could mean for hackers targeting online banking phishing targets etc and said so in my incident report. The company involved appeared to have just restricted their malicious use of the hack to merely redirecting buyers to their client listing of websites. Also a discussion thread on a forum about this was ‘closed’ prematurely — thus suggesting that the offending company discovered it and interdicted it (well -as one possibility in the world of conspiracies goes anyway:)
Anyway, I’m glad it only took a mere 5 months or so to ‘deep six’ their apparently ‘expert level’ hack.
The company involved should have its records examined to see to what extent, if any, they used the same approach to harvest passwords, credit card nos. etc. for online banking and so on.
When there’s a Way, it sometimes creates the Will (through temptation).
Regards,
Mark
Mark Jul 26
LOL - Whoops — looks like my more ‘riotous’ DRAFT version also got sent first. Well it is late -heh. Also a Correction — the company was found on ‘WHOIS’ but did not show up in the firewall records.
Anyway, here’s an excerpt of the US CERT incident report (I found a ‘good’ copy of it):
To : cert@cert.org
Subject : Possible undetectable/cleanable ‘Phishing-ware’ on Win ME
Date : Sat, Feb 02, 2008 03:03 PM
Please describe the vulnerability.
- ———————————-
When inputting a particular website, my Firefox (Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11) browser’s final destination appears
to get hijacked and redirected by something starting with:
searchportal.information.com (which is not found in the traffic log of Sygate Personal Firewall 5.6 -build 2808)
(which cycles through these other websites too:ads.kw.revenue.net ,spi.domainsponsor.com, ads1.revenue.net, as.casalemedia.com which DO appear in the traffic log.)
The website appears to use “buzz words” from the original website but these are linked to what looks like other general internet business websites which are selling various products. So in a way, this represents a form of a Phishing type website in that the “new website” appears to try and keep some semblance of the “real website”. IOWs - it appears to be a lame knockoff or cheap imitation of the original website.
It may be true that maybe the original website went offline and this leech hijacking software created a pale knock-off using similar buzzwords for marketing purposes.
However, researching this on the net (search engine
keyword:”searchportal.information.com”)shows that a guy could reach the real original website from his home computer but got this hijacked version (cheap knockoff) of a website from his work computer (which also flashes: “searchportal.information.com”). Thus this indicates that there was a local infection with some type of “phishing”-type malware on his work computer.
A “whois” backtrace of the “cheap knockoff” website is owned by:
OrgName: Oversee.net
OrgID: OVERS-1
Address: 515 S. Flower St
Address: Suite 4400
City: Los Angeles
StateProv: CA
PostalCode: 90071
Country: US
NetRange: 208.73.208.0 - 208.73.215.255
This may be a legitimate business however their software may be being compromised by hackers/crackers and used for “phishing” or directing “sales” (to particular businesses) purposes on the infected computer. (BTW, avg 7.5 failed to locate and remove this malware.)
What is the impact of this vulnerability?
- —————————————–
(For example: local user can gain root/privileged access, intruders can create root-owned files, denial of service attack, etc.)
a) What is the specific impact:
Possibly hackers/crackers can detect the presence of this malware and then rewrite sections of it to impersonate say a Bank’s website and then proceed to PHISH for passwords, Identity Info. etc OR of less severity, can get you to buy stuff from their set of ‘almost lookalike or using the same buzzwords’ online vendors instead of other ones you might find by search engine etc.
b) How would you envision it being used in an attack scenario:
Just guessing, but a hacker/cracker somehow breaks into your computer and searches the ‘master filenames list’ or whatever to look for the telltale malware code (maybe searching for the phrase “searchportal.information.com”). It then copies over it or rewrites a section of the executable with a new executable part which creates a lookalike BANKING or other targeted website and then phishes for passwords and identity info from the punked victim, to be used later to clean out their bank account (or whatever). A lesser crime would be to create a redirect so that customers think they are buying from Macy’s (or whatever) and are really buying from a ‘cheap knockoff’ lookalike, and actually receive merchandise but never know that they actually bought from somebody who hijacked the real Macy’s (or whatever’s) business (volume) website.
To your knowledge is the vulnerability currently being exploited?
- —————————————————————–
[yes/no]
Well, right now there are two websites I happened to visit that have about the same look and feel, and this alerted me that maybe some type of template “lookalike” website builder was in operation. This is when I paid attention to the browser and noticed this searchportal.information.com in operation (but which does not show up in the traffic log report and is missed by Ad-Aware and AVG 7.5). So, yes, it is operational on my computer and I can’t get rid of it. (If it were not for the internet discussion on work/home computer differences I might have thought that both of the original websites had gone down, but now I suspect I’m just being redirected to these other ‘business websites’.)
If there is an exploitation script available, please include it here.
- ———————————————————————
Dunno if there is one.
Do you know what systems and/or configurations are vulnerable?
- ————————————————————–
[yes/no] (If yes, please list them below)
Yes - For one
System : HP Pavilion
OS version : MS Windows ME
Verified/Guessed: Verified
Are you aware of any workarounds and/or fixes for this vulnerability?
- ———————————————————————
[yes/no] (If you have a workaround or are aware of patches
please include the information here.)
My internet search engine results turned up some verbiage on “how to” delete this pest, but I could not find the fix as of yet. Let me know by email if you find a way to delete this malware.
OTHER INFORMATION
===========================================================================
Is there anything else you would like to tell us?
The company, Oversee.net (shown above), may have a legitimate software usage; however, the possibility of encoding which websites get mapped to which ‘knockoff’ websites should be controlled by the computer user and not some other unknown party or agent, including any possible hackers and crackers who may discover that Ad-Aware and anti-virus software miss detecting it (which thus presents a possible opportunity for exploiting it).
=====================================
(OK - so you can NOW flame me for not knowing about “DNS poisoning” (where the hack takes place at the DNS server) and for still using a Win ME system. LOL. Apparently the home/work differences are due to different DNS servers being accessed (?).)
I hope this post provides some backstory details and maybe others who have had this hack going on will also post the details (since the cat is now out of the bag).
Dragon Jul 29
The workaround is opendns.com. I’ve already put this in place at home and I’ve been passing this on.
Mark Aug 1
(Phishtank.com submission) Update and clarification on the above posts regarding http://www.information.com (aka ‘searchportal.information.com’):
Two websites (www.elfrad.com and http://www.get113to138mpg.com) formerly accessed more than a year ago (from July 2008) now have zero substantive content and have both changed appearance to the ‘same look and feel’ and merely have (previous website ‘buzzword’) links affiliated with the company below (found by entering ‘searchportal.information.com’ into http://www.easywhois.com):
OrgName: Oversee.net
OrgID: OVERS-1
Address: 515 S. Flower St
Address: Suite 4400
City: Los Angeles
StateProv: CA
PostalCode: 90071
Country: US
NetRange: 208.73.208.0 - 208.73.215.255
The website appears to use “buzz words” from the original website, but these are linked to what looks like other general internet business websites which are selling various products through the above company (IP addresses). So in a way, this represents a form of a ‘phishing type’ website in that the “new website” appears to try and keep some semblance of the “actual or real website”. In other words, it appears to be a lame knockoff or cheap imitation of the original website, and the subject content and discussion have been removed. This could fool a new visitor who was unfamiliar with the original website.
Also, researching this on the net (search engine keyword: “searchportal.information.com”) shows that one guy could reach the real original website from his home computer but got this hijacked version (cheap knockoff) of the website from his work computer (which also flashes: “searchportal.information.com”). So this suggests a ‘DNS poisoning’ type event; however, this may be negated by the domain registration showing that Oversee.net now owns the website name(s).
What appears to have happened is that the original websites have gone offline (or were abandoned by their owners?) and http://www.information.com (either purchased the domain names or acquired them through ‘other means’, whatever) then proceeded to use similar buzzwords to the original content of the site to create links to their clients for selling merchandise. In this sense it is deceptive, as a casual new visitor (who had never seen the old websites) may have thought that the ‘original’ site looked like this when in fact it did not. In my mind this represents a deception and is worthy of blocking. However, the offending company may argue that they are just being clever in taking over abandoned website names/domains and shouldn’t be penalized for this deceptive approach by being ‘blocked as a phishing site’.
I say ‘block’ the shyst*rs! If they can’t get website visitors and new web traffic without using deceptive means and practices then what else are they doing that is ‘bad’?
Also the home/work computer differences situation discussed on the internet (and above) about this same company remains unresolved and suggests DNS poisoning in one location but not in another server (for either the home or work DNS server). All the more reason to block them as a phishing site, IMO.
Also, recently another version of ‘searchportal.information.com’ was flashing on my browser when accessing the knockoff sites, something like ‘srws.information.com’ (but I’m not sure). This suggests that the company has detected itself being blocked now (by others) and they are attempting to circumvent this by using a new address/name.
I hope this report is useful to others and even-handed enough such that others may come to their own conclusions as to whether or not to block this company and its IP addy range (using their firewall). In my book, deception is deception, and if a company used that to ensnare you as an audience to a website then what else are they hiding (up their sleeves)?
Another question is: “What other website names have they scooped up (and maybe affiliated with or sounding like ‘big businesses’ like banks, etc.)?” All the more reason to play it safe and ‘block’ them (or check into them further), IMO.
I hope you understand the situation with this company (and treat them like a phishing party).
At http://www.information.com under the ‘About information.com’ tab it says: “…They focused on driving search-based traffic to advertisers while generating additional revenue streams for small to medium web sites. Using their knowledge of search technology, ______ and ______ understood that quality Internet traffic would form Oversee’s foundation….”
Well, now we know how they do it: they reroute traffic from ‘old’ websites by replacing them with ‘pale lookalikes’ using similar buzzwords from the original websites and then reroute that traffic to their clients. Nice scheme while it lasted!
‘Game Over’ for you shyst*rs. Try getting your traffic using Honest approaches from now on.
Regards,
mark
2ach Aug 7
lol@haters
“Few people can be happy unless they hate some other person, nation, or creed.” - Bertrand Russell
The reason Dan didn’t immediately spill all about the bug he found is that he didn’t want the bad guys out there scrambling on their feet looking to bite on the opportunity. He waited for the patch for the bug to be released and then gave out the whole story.
Read again the article provided in rmogull’s comment if haters are still mad at him.
jhon Aug 17
Actual topic. Writing is worthy of attention.