DNS Exploit at Black Hat

August 8th, 2008

As Dan Kaminsky recently demonstrated at the Black Hat conference in Las Vegas, the DNS security flaw presents a serious vulnerability.  In case there was previously any doubt, he showed just how dangerous to internal networks and the internet at large it is to run un-patched DNS servers.  Even with the patch, the exploit is still possible, just extremely difficult.

The vulnerabilities are not limited to the web, but affect every type of internet service and traffic, including IM, telnet, email, and usenet.  Every protocol relies on DNS so that clients can locate servers and servers can locate each other.  Even HTTPS (web sites using SSL – Secure Sockets Layer) would be affected, because the Certificate Authorities who authenticate the certificates rely on DNS.  Note that all major CAs have patched their DNS servers, but of course many sites use self-signed certificates.

Some services have already fallen prey to this exploit, with AT&T being the first publicized victim.  Actually, the victims were the people whose requests were directed to a bogus Google search site because of an un-patched AT&T DNS server.  Fortunately, the bogus site only hosted code to auto-click the AdSense advertisements, creating extra revenue for the perpetrators.  It could have been worse if, for example, the site had been built to infect visitors with drive-by infections or lure them into downloading crimeware.

The picture is not completely bleak.  Thanks in part to Kaminsky’s presentation, more organizations are taking the threat seriously and patching their servers.  Also, any SSH-based connections which had been made at least once prior to the exploit would warn users if new connection attempts were made to bogus sites, because of the way SSH keeps digital fingerprints of remote hosts.  So Secure Shell, sftp, scp, and SSH-based VPNs would at least warn users about the change in fingerprints, or deny the connection altogether, depending on the local configuration.
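The SSH protection described above comes from the known_hosts file: the client pins each host name (or address) to the public key it first saw, so if a poisoned DNS answer sends the client to a different machine, that machine presents a different key and the client reports a changed fingerprint instead of silently connecting. The following is an added example, not code from the original post or from OpenSSH, that reproduces the lookup over a constructed known_hosts file (plain, comma-separated and `|1|`-hashed host fields; the key blobs are constructed placeholders, not real keys; `@cert-authority`/`@revoked` lines are skipped rather than handled):

```python
import base64
import hashlib
import hmac
from fnmatch import fnmatchcase


def _host_matches(host_field, host):
    """Match a known_hosts host field against a host name.

    Plain fields are comma-separated patterns (wildcards allowed). Hashed fields
    have the form |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return any(fnmatchcase(host, pattern) for pattern in host_field.split(","))


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server just presented.

    'changed' is the case the post describes: the name is known, but the key at
    the other end is not the pinned one, so the connection must not proceed."""
    seen_type = False
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and @cert-authority/@revoked markers are not handled here
        parts = line.split()
        if len(parts) < 3:
            continue
        host_field, ktype, kdata = parts[0], parts[1], parts[2]
        if ktype != key_type or not _host_matches(host_field, host):
            continue
        seen_type = True
        if hmac.compare_digest(kdata, key_b64):
            return "match"
    return "changed" if seen_type else "unknown"


def hashed_host_field(host, salt):
    """Build a |1| hashed host field (used only to construct the sample file below)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed sample data: these are not real keys, just base64 blobs standing in for them.
KEY_A = base64.b64encode(b"constructed key blob A").decode()
KEY_B = base64.b64encode(b"constructed key blob B").decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "mail.example.com,192.0.2.10 ssh-ed25519 " + KEY_A,
    hashed_host_field("vpn.example.com", b"0123456789abcdefghij") + " ssh-ed25519 " + KEY_A,
])

if __name__ == "__main__":
    # A server at the pinned name presenting a different key is flagged as changed.
    print(check_host_key(KNOWN_HOSTS, "mail.example.com", "ssh-ed25519", KEY_B), fingerprint(KEY_B))
```

With OpenSSH's default StrictHostKeyChecking=ask, the 'changed' result is what produces the well-known "REMOTE HOST IDENTIFICATION HAS CHANGED" refusal; a first-time 'unknown' host is the one case where DNS is trusted, which is why pre-existing entries mattered in the post.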

For anyone wishing to know whether or not the DNS server he or she is using has been patched, Dan has published an online DNS checker on his blog at http://www.doxpara.com/.

Author: Christopher

Beware of fake Adobe Flash installs

August 5th, 2008

Adobe is reporting an unusually high number of social networking sites hosting fake Adobe Flash installations.  These installations put malicious software onto your computer.  As with all software installs, it is highly recommended that you verify the URL before accepting a download and make sure your antivirus protection is up to date and active.

Author: Christopher

Malware Statistics July 2008

August 2nd, 2008

Throughout July the majority (76%) of all malware identified fell into the Trojan category. Of the 20,704 unique malware findings in July, 20,000 of them were found in the wild.

  1. Trojan.Win32.DNSChanger.ech
  2. Trojan-Downloader.WMA.Wimad.n
  3. Trojan.Win32.Monderb.gen
  4. Trojan.Win32.Monder.gen
  5. not-a-virus:AdWare.Win32.HotBar.ck
  6. Trojan.Win32.Monderc.gen
  7. not-a-virus:AdWare.Win32.Shopper.v
  8. not-a-virus:AdTool.Win32.MyWebSearch.bm
  9. Trojan.Win32.Agent.abt
  10. Worm.VBS.Autorun.r
  11. Trojan.Win32.Agent.rzw
  12. Trojan-Downloader.Win32.CWS.fc
  13. not-a-virus:AdWare.Win32.Mostofate.cx
  14. Trojan-Downloader.JS.Agent.bi
  15. Trojan-Downloader.Win32.Agent.xvu
  16. not-a-virus:AdWare.Win32.BHO.ca
  17. Trojan.Win32.Agent.sav
  18. Trojan-Downloader.Win32.Obitel.a
  19. Trojan.Win32.Chifrax.a
  20. Trojan.Win32.Agent.tfc

Source: Kaspersky Lab

Author: Christopher

In the wild: DNS Cache Poisoning

July 30th, 2008

Three exploits for the recent DNS vulnerabilities brought to light by Dan Kaminsky are now publicly available.  These exploits have been downloaded over 15,000 times, although we have no idea how many of those downloads are being used maliciously.

Multiple major ISPs still have not patched and remain vulnerable.  Even if your organization patches for this vulnerability, your business may still be at risk if your upstream provider has not.  If you have not yet checked your exposure, both within your organization and at your service provider, I highly suggest you do this now.

Author: Christopher

Your DNS is Vulnerable!

July 9th, 2008

There are currently known vulnerabilities with DNS servers across all implementations.  These vulnerabilities are not vendor specific, in fact all DNS distributions are vulnerable.  I recommend all organizations develop an action plan immediately to identify and patch all DNS servers, applications, and clients on all networks in your control.

These vulnerabilities expose affected DNS servers to DNS cache poisoning, which can affect proper email delivery and which website you actually reach when entering a URL into a browser.

DNS specifically calls for a 16-bit transaction ID field, which would require 32,768 “guesses” to predict the ID.  Many implementations use a smaller number of bits, and thus would require considerably fewer guesses.
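The transaction ID is the first field of the 12-byte DNS header, and a forged answer is only accepted if it matches both that ID and the UDP source port of the outstanding query. The fix that vendors shipped for this vulnerability was to randomize the source port as well, so the combined space is what an off-path forger has to cover. The following is an added example, not code from the original post or from any resolver, that builds query packets, parses the header, and assesses constructed samples of outgoing queries the way the online checkers referenced in this post do: sequential IDs or a fixed source port are reported as vulnerable. `build_query`, `assess` and the two `sample_*` helpers are this example's own names; the traffic they generate is constructed, not captured:

```python
import math
import random
import struct


def build_query(txid, name="example.com"):
    """Build a minimal DNS query: 12-byte header plus one A/IN question."""
    # Flags 0x0100 = standard query, recursion desired; QDCOUNT=1, no other sections.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(packet):
    """Unpack the 12-byte DNS header; the 16-bit transaction ID is the first field."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def assess(samples):
    """samples: list of (udp_source_port, query_packet) as seen leaving a resolver.

    The work a forger faces is roughly the product of the ID space and the port
    space. A counter for the ID, or a single fixed port, collapses its factor."""
    ids = [parse_header(packet)["id"] for _, packet in samples]
    ports = [port for port, _ in samples]
    deltas = {(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])}
    sequential_ids = len(ids) > 2 and len(deltas) == 1
    fixed_port = len(set(ports)) == 1
    id_bits = 0 if sequential_ids else 16
    # Distinct ports in a small sample only give a lower bound on port entropy.
    port_bits = 0 if fixed_port else math.log2(len(set(ports)))
    return {
        "sequential_ids": sequential_ids,
        "fixed_port": fixed_port,
        "min_guess_bits": round(id_bits + port_bits, 1),
        "verdict": "vulnerable" if (sequential_ids or fixed_port) else "randomized",
    }


def sample_unpatched(n=32):
    """Constructed traffic: fixed source port 53 and a simple counter for the ID."""
    return [(53, build_query((0x1000 + i) & 0xFFFF)) for i in range(n)]


def sample_patched(n=32, seed=1):
    """Constructed traffic: random ephemeral source port and random ID per query."""
    rng = random.Random(seed)
    return [(rng.randrange(1024, 65536), build_query(rng.randrange(65536))) for _ in range(n)]


if __name__ == "__main__":
    print("unpatched:", assess(sample_unpatched()))
    print("patched:  ", assess(sample_patched()))
```

To assess a real resolver instead of the constructed samples, feed `assess` the source ports and packets of a few dozen outbound queries captured on the resolver's uplink; the same logic is what the public port-randomization tests infer from the server side.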

US-CERT has an excellent write up on this vulnerability here.

You can find patch specifics for Microsoft here.

If you are running BIND 8, there is currently no solution and no plan to fix this problem for this platform; it is highly recommended that you immediately look at upgrading to BIND 9.

If you only apply one patch in 2008, this should be it!

If you are using DNS from your ISP, you may still be vulnerable!

To assist organizations in containing this issue, I put together a few action steps to get everyone on track.

  1. Identify all DNS servers on your network and any networks you are responsible for.  To be sure, you may want to run a port scan for anything listening on UDP port 53.
  2. Identify vendors responsible for each and every DNS server found from step 1.
  3. Refer to US-CERT for links to each vendor's patch documentation.
  4. Patch all Servers.
  5. Repeat for all DNS Clients, although these patches are more focused on DNS Servers.

It is highly recommended all servers be patched before the Black Hat convention on August 6th when more information will be disclosed.

UPDATE:

You can check your upstream DNS Servers here:
http://www.doxpara.com/

Author: Christopher

Spam is Back in Full Force

May 1st, 2008

Symantec’s Monthly State of Spam report for March showed an increase in bounced messages that found spammers forging sent email addresses and using them in the “From” header of their own Spam messages.

Reminiscent of Backscatter, spammers are taking advantage of mail transfer agents configured to send back a list of failed email recipient addresses, an explanation of the cause of failure, and a copy of the original email. This opens a window for Spam attacks, as anti-spam filters do not block most “failed email” replies. Since spammers forge the sender’s address, this mail is going to be received by people who have nothing to do with the Spam.

Corporate networks will feel the greatest burden of the increased attacks. The extra bandwidth consumed and the additional unwanted Spam in users’ inboxes will result in lost productivity. Network administrators are encouraged to configure mail transfer agents not to send back a copy of the original failed message and to require signatures for outgoing emails.
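One concrete form of the "signature" defence mentioned above is to tag the envelope sender of every outgoing message so that a bounce can be checked against it: a DSN (empty MAIL FROM) addressed to an untagged or badly tagged address cannot be for mail this site sent and can be refused at SMTP time, before it lands in anyone's inbox. The following is an added example, not code from the original post or from Symantec, using a simplified tag layout modelled on BATV's `prvs=` scheme (key id, a three-digit issue day, six hex characters of HMAC); the key, the day numbers and the addresses are constructed, and `sign_return_path`, `verify_return_path` and `should_accept_bounce` are this example's own names:

```python
import hashlib
import hmac


def _mac(key, key_id, day, address):
    """Six hex characters of HMAC-SHA1 over key id, issue day and the untagged address."""
    msg = ("%d%s%s" % (key_id, day, address)).encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def sign_return_path(address, key, day, key_id=0):
    """Tag an envelope sender 'user@domain' -> 'prvs=KDDDHHHHHH=user@domain'.

    day is the issue day as an integer; it is stored modulo 1000 as BATV does."""
    local, domain = address.split("@", 1)
    day_field = "%03d" % (day % 1000)
    return "prvs=%d%s%s=%s@%s" % (key_id, day_field, _mac(key, key_id, day_field, address), local, domain)


def verify_return_path(tagged, key, today, max_age_days=7):
    """Return (valid, original_address) for a recipient address seen on an inbound bounce.

    Untagged addresses, malformed tags, bad MACs and expired tags are all invalid."""
    if not tagged.startswith("prvs="):
        return False, tagged
    local, domain = tagged.split("@", 1)
    try:
        _, tag, orig_local = local.split("=", 2)
    except ValueError:
        return False, tagged
    if len(tag) != 10 or not tag[0].isdigit():
        return False, tagged
    key_id, day_field, mac = int(tag[0]), tag[1:4], tag[4:]
    original = orig_local + "@" + domain
    if not hmac.compare_digest(mac, _mac(key, key_id, day_field, original)):
        return False, original
    # Accept tags issued within the last max_age_days (arithmetic modulo 1000).
    age = (today % 1000 - int(day_field)) % 1000
    if age > max_age_days:
        return False, original
    return True, original


def should_accept_bounce(mail_from, rcpt_to, key, today):
    """Policy for an inbound SMTP transaction: bounces (empty MAIL FROM) are only
    accepted when RCPT TO carries a valid tag we issued. Ordinary mail is unaffected."""
    if mail_from != "":
        return True
    valid, _ = verify_return_path(rcpt_to, key, today)
    return valid


# Constructed demonstration values; a real deployment keeps the key secret and rotates it by key_id.
SECRET = b"constructed-demo-secret"

if __name__ == "__main__":
    tagged = sign_return_path("alice@example.com", SECRET, day=200)
    print(tagged)
    print("legit bounce:", should_accept_bounce("", tagged, SECRET, today=203))
    print("backscatter: ", should_accept_bounce("", "alice@example.com", SECRET, today=203))
```

Because the tag is applied only to the envelope sender, recipients still see the plain From header, and the MAC cannot be produced by a spammer forging the address. Keeping `max_age_days` short limits how long a harvested tagged address remains usable for replayed bounces.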

Author: Christopher