DNS can be abused in several ways to spread malware. Attackers can hijack or poison DNS on multiple levels, including end users, routers, and DNS servers. DNS was not originally designed with security in mind, so it has vulnerabilities that can be exploited. Real-world examples demonstrate how malware has abused DNS to redirect users to malicious sites and infect other devices on local networks. Improving DNS security and default device configurations can help mitigate these risks.
Abusing DNS to spread malware: from router to end user - Evgeny Aseev, Senior Virus Analyst, Kaspersky Lab
1. Abusing DNS to spread malware
From router to end-user
Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab
CNCERT/CC 2011 Annual Conference
3. What is DNS?
DNS – Domain Name System
DNS translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.
DNS is a "phone book" for the Internet
Examples:
kaspersky.com -> 91.103.64.6
google.com -> 209.85.149.104
4. Why can DNS be abused?
• Technical side
• Open, distributed design
• Lots of nodes
• Everybody can start one
• Usage of User Datagram Protocol (UDP)
• Unreliable (no concept of acknowledgment, retransmission or timeout)
• Not ordered (if two messages are sent to the same recipient, the order in which they arrive cannot be predicted)
• Human factor
• Not well-qualified network administrators
• Network security holes
• Default hardware configurations
• etc.
• End-users themselves
• The easiest object to abuse!
5. How can DNS be abused?
Real-world examples
6. How can DNS be abused?
Instead of going into cool theoretical stuff about techniques of exploiting
DNS itself, I would rather show some real-world examples of attacks and
malicious programs related to DNS.
7. Abusing DNS
Simple example: changing user’s DNS settings using ‘hosts’ file
That’s how a normal ‘hosts’ file looks
And that’s an infected example
8. Abusing DNS
Simple example: changing user’s DNS settings using relocated ‘hosts’ file
That’s where the ‘hosts’ file should be located
But it can be relocated and infected
And the original ‘hosts’ file remains unchanged
9. Abusing DNS
Simple example: changing user’s DNS settings using network registry settings
That’s how the ‘NameServer’ option should look
But it can be manually changed..
And immediately updated
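The three tricks on slides 7 to 9 all pin names locally so the resolver never asks DNS. The following hosts-file auditor is an added example written for this page, not Kaspersky's code: it parses a hosts file the way the resolver does (comments stripped, first field an address, remaining fields names) and reports two things an analyst looks for, names pinned to a non-loopback address ("redirect") and watchlisted domains pinned to loopback or 0.0.0.0 ("sinkhole"). The sample file content and the watchlist are constructed for the example. Because the file can be relocated (slide 8), the path you audit on Windows should be the one named by the DataBasePath value under the Tcpip\Parameters registry key, not the default path.

```python
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
}

# Constructed sample (not from the page): stock header lines, the normal
# loopback entries, one entry redirecting a well-known domain to a TEST-NET
# address and one entry sinkholing a vendor domain to loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
198.51.100.7    google.com www.google.com   # constructed redirect
127.0.0.1       kaspersky.com               # constructed sinkhole
"""


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for every effective hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, ignored by the resolver too
        names = [n.lower().rstrip(".") for n in fields[1:]]
        if names:
            yield lineno, ip, names


def in_domain(name, domain):
    """True when name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def audit_hosts(text, sinkhole_watch=()):
    """Return a list of (kind, line, hostname, ip) findings.

    "redirect": the name is pinned to a routable address, so every program on
               the box reaches whatever host sits there instead of the real one.
    "sinkhole": a watchlisted name (vendor, update or security site) is pinned
               to loopback/0.0.0.0, so updates or protection silently fail.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        null_routed = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if not null_routed:
                findings.append(("redirect", lineno, name, str(ip)))
            elif any(in_domain(name, d) for d in sinkhole_watch):
                findings.append(("sinkhole", lineno, name, str(ip)))
    return findings


def audit_hosts_file(path, sinkhole_watch=()):
    """Audit a real file; on Windows pass the path taken from DataBasePath."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), sinkhole_watch)


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, sinkhole_watch=("kaspersky.com",)):
        print(*finding)
```

Every non-loopback entry is reported, including ones that happen to be correct today, because the point of the check is that a pinned address never follows the real DNS record; the analyst compares each finding against the known-good answer.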
10. Abusing DNS
More advanced example: Rorpian case
• First of all, malware gets on user’s PC via removable media
• Then, the magic begins
• Malware configures user’s system as a DHCP server and starts listening to the local network
• If the system is already infected, manually sets the DNS server to Google’s one (8.8.8.8)
• When a DHCP request from another computer arrives, the malicious DHCP server attempts to answer before the official one
• If the attempt was successful, the other computer’s DNS will be changed to the malicious one
• Which leads to..
Malware infection from any visited resource!
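The Rorpian scheme works because clients accept whichever DHCPOFFER arrives first and take the DNS server (option 6) from it. The detection below is an added example for this page, not Kaspersky's code: it parses the option section of a DHCP packet and compares the server identifier (option 54) and the offered DNS servers against the addresses a network monitor expects to see on that segment. The two offers are constructed in code (one from the real gateway, one from another LAN host handing out an outside DNS address) so the check runs offline; the addresses are sample values.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS_SERVERS, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER = 2


def build_offer(server_ip, dns_servers, client_ip="192.168.1.50", xid=0x3903F326):
    """Build a minimal DHCPOFFER (constructed test data, not a real capture)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                               # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0,                                # transaction id, secs, flags
        b"\0" * 4,                                # ciaddr
        ipaddress.ip_address(client_ip).packed,   # yiaddr: address being offered
        ipaddress.ip_address(server_ip).packed,   # siaddr
        b"\0" * 4,                                # giaddr
        bytes.fromhex("001122334455") + b"\0" * 10,  # chaddr (sample MAC, padded)
        b"\0" * 64, b"\0" * 128,                  # sname, file
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
    options += bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_ip).packed
    dns_blob = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    options += bytes([OPT_DNS_SERVERS, len(dns_blob)]) + dns_blob
    options += bytes([OPT_END])
    return fixed + MAGIC_COOKIE + options


def parse_options(packet):
    """Return {option_code: raw_value} from the option area of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def ipv4_list(blob):
    """Decode a run of 4-byte addresses (options 6 and 54 use this layout)."""
    if len(blob) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.ip_address(blob[k:k + 4])) for k in range(0, len(blob), 4)]


def check_offer(packet, trusted_dhcp_servers, trusted_dns_servers):
    """Return findings for an offer; an empty list means it matches the real server."""
    opts = parse_options(packet)
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
        return ["not a DHCPOFFER"]
    findings = []
    server = ipv4_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    if server not in trusted_dhcp_servers:
        findings.append(f"offer from unexpected DHCP server {server}")
    for dns in ipv4_list(opts.get(OPT_DNS_SERVERS, b"")):
        if dns not in trusted_dns_servers:
            findings.append(f"offer hands out untrusted DNS server {dns}")
    return findings


# Constructed scenario: the real gateway and another host on the same LAN.
LEGIT_OFFER = build_offer("192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_offer("192.168.1.37", ["198.51.100.53"])

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(label, check_offer(pkt, {"192.168.1.1"}, {"192.168.1.1"}) or "ok")
```

In practice the packets come from a capture of UDP port 68 traffic on the segment; the allowlist is the only per-site input. The same check also catches the DHCP snooping failure case where a switch port that should be untrusted answers requests.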
11. Abusing DNS
More high-level threat: hacking the routers
• Main security issues
• weak default passwords or no password change enforcement
• insecure default configuration
• firmware vulnerabilities & services implementation errors
• lack of awareness
12. Abusing DNS
How to hack millions of routers?
Overhyped?
PAGE 12 | Kaspersky Powerpoint template – Overview | January 24 2011
Not at all.
16. Abusing DNS
Even more high-level threat: hacking the DNS servers
17. Abusing DNS
Last example: mysterious google-analytics.com case
• Several months ago, through Kaspersky Security Network (KSN), we received tons of notifications of JavaScript Iframer malware planted on http://google-analytics.com/ga.js
• ga.js downloaded from google-analytics.com was clean
• But when we got the file from users.. it was infected!
It seems like something is wrong with the local DNS
• First version redirects user to domain name quehduid.com, which wasn’t even registered!
• But still, we received notifications about exploits downloaded using this domain
• Analyzed tons of malware which could be connected to this case
• Found nothing common to DNS poisoning/hijacking
• But found some interesting geographic pattern between versions
It seems like something is wrong with the local DNS in these countries, isn’t it?
19. Conclusions
Summing it up
• DNS can be hijacked/poisoned on every layer of the network organization structure
• Users
• Routers
• DNS servers
• DNS was not originally designed with security in mind
• Thus has a number of security issues
• There are some technical things that can make it more secure
• Domain Name System Security Extensions (DNSSEC) - cryptographically signed responses
• OpenDNS - misspelling correction, phishing protection, content filtering, blocks bad IPs, stops bots from 'phoning home'
• Google Public DNS - basic validity checking, adding entropy to requests, removing duplicate queries, rate-limiting queries
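"Adding entropy to requests" is what makes an off-path forger's job hard: a spoofed answer is accepted only if it guesses every unpredictable bit the resolver put into the question. The example below is added for this page and is not Kaspersky's or Google's code; it assumes two of the standard entropy sources, a random 16-bit transaction ID and 0x20-style random letter case in the query name, and shows the matching check a resolver applies to an incoming answer. The response builder exists only so the validator can be exercised offline; the name and address are sample values.

```python
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1


def randomize_case(name, rng=None):
    """0x20 encoding: flip each letter's case at random (DNS matches names case-insensitively)."""
    rng = rng or random.SystemRandom()
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels, preserving case."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid):
    """Standard recursive A query; txid and the name's case carry the entropy."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query, answer_name, answer_ip, txid=None):
    """Constructed response used only to feed the validator below."""
    (q_txid,) = struct.unpack("!H", query[:2])
    txid = q_txid if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 question, 1 answer
    question = encode_name(answer_name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    answer = encode_name(answer_name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + question + answer


def validate_response(query, response):
    """Return (ok, reason). ok only if the txid and the exact question bytes match."""
    if len(response) < 12:
        return False, "short packet"
    if response[:2] != query[:2]:
        return False, "transaction id mismatch"
    if not response[2] & 0x80:
        return False, "not a response"
    question = query[12:]                      # name (with its random case), type, class
    if response[12:12 + len(question)] != question:
        return False, "question section differs (name case or type)"
    return True, "ok"


if __name__ == "__main__":
    rng = random.SystemRandom()
    name = randomize_case("www.google-analytics.com", rng)
    query = build_query(name, rng.getrandbits(16))
    print(name, validate_response(query, build_response(query, name, "198.51.100.10")))
    print(validate_response(query, build_response(query, name.lower(), "198.51.100.10")))
```

A real resolver also randomizes the UDP source port, which the kernel supplies rather than the packet; together the three sources give roughly 16 + 16 + (number of letters) bits that a blind forger must guess per attempt, which is what turns a cache-poisoning race into a long shot.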
20. Conclusions
Summing it up
• From user side, more things can be done
• Again and again, strong passwords
• Hardening default hardware settings
• Systematic updates of both firmware and software
• Remote control through VPN
• From hardware vendors side
• Unique default passwords for devices
• Secure default settings (disable or limit remote access!)
• Emphasis on firmware security
• From security vendors side
• Miscellaneous checking for security (passwords, default settings, vulnerabilities etc.)
• Inform user on possible security holes