abusing dns to spread malware:from router to end...

Abusing DNS to spread malware: From router to end-user. Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab. CNCERT/CC 2011 Annual Conference

Upload: yankmo

Post on 27-May-2015



TRANSCRIPT

Page 1: Abusing DNS to spread malware: from router to end user - Evgeny Aseev, Senior Virus Analyst, Kaspersky Lab

Abusing DNS to spread malware: From router to end-user

Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab

CNCERT/CC 2011 Annual Conference

Page 2

What is DNS? And why can it be abused?

Page 3

What is DNS?

DNS – Domain Name System

DNS translates domain names meaningful to humans into the numerical identifiers associated with networking equipment, for the purpose of locating and addressing these devices worldwide

DNS is a "phone book" for the Internet

Examples:

kaspersky.com -> 91.103.64.6

google.com -> 209.85.149.104

Page 4

Why can DNS be abused?

• Technical side

• Open, distributed design

• Lots of nodes

• Everybody can start one

• Usage of User Datagram Protocol (UDP)

• Unreliable (no concept of acknowledgment, retransmission or timeout)

• Not ordered (if two messages are sent to the same recipient, the order in which they arrive cannot be predicted)

• Human factor

• Poorly qualified network administrators

• Network security holes

• Default hardware configurations

• etc.

• End-users themselves

• The easiest target to abuse!

Page 5

How can DNS be abused? Real-world examples

Page 6

How can DNS be abused?

Instead of going into cool theoretical stuff about techniques of exploiting DNS itself, I would rather show some real-world examples of attacks and malicious programs related to DNS.

Page 7

Abusing DNS. Simple example: changing the user's DNS settings using the 'hosts' file

That's how a normal 'hosts' file looks

And that's an infected example

Page 8

Abusing DNS. Simple example: changing the user's DNS settings using a relocated 'hosts' file

That's where the 'hosts' file should be located

But it can be relocated (Windows takes the directory from the registry value DataBasePath) and an infected copy placed there

And the original 'hosts' file remains unchanged

Page 9

Abusing DNS. Simple example: changing the user's DNS settings using the network registry settings

That's how the 'NameServer' option should look

But it can be changed manually..

And the change takes effect immediately
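The three slides above (Pages 7 to 9) show the same change made three ways: an edited hosts file, a hosts file relocated through the registry so that the original stays clean, and a hand-edited NameServer value. The following is an added example, not code from the talk, that audits all three on constructed inputs. It assumes what Windows does in fact do: the hosts directory is read from HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath, and NameServer sits under ...\Tcpip\Parameters\Interfaces\{GUID}\. The infected hosts content, the relocated path C:\Windows\Temp\etc, the assumption that the system drive is C:, and the 203.0.113.x addresses are all constructed for the example.

```python
"""Audit of the three user-level DNS settings the slides show being tampered with:
the hosts file contents, the Tcpip\\Parameters\\DataBasePath registry value that
tells Windows which directory the hosts file lives in, and the per-interface
NameServer value. This is an added example, not code from the talk. The file
contents and registry values are constructed in-memory stand-ins so it runs on
any OS; on a real Windows host you would read them with open() and winreg.
203.0.113.0/24 addresses are documentation-range placeholders for the attacker."""

import ipaddress
import re

# Where Windows looks for hosts/lmhosts/networks unless DataBasePath says otherwise.
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

CLEAN_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
#   ::1             localhost
"""

# Constructed infected example: security vendor and bank names redirected to one host.
INFECTED_HOSTS = """\
127.0.0.1       localhost
203.0.113.7     kaspersky.com
203.0.113.7     www.kaspersky.com
203.0.113.7     bank.example
0.0.0.0         update.example   # sinkhole entry, blocks rather than redirects
"""


def parse_hosts(text):
    """Return [(ip_address, [names])] for every active entry; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, nothing to resolve
        entries.append((addr, [name.lower() for name in fields[1:]]))
    return entries


def audit_hosts(text):
    """'name -> ip' for every name mapped anywhere other than the local machine.
    Loopback is the normal target; 0.0.0.0/:: is the sinkhole idiom and only blocks."""
    findings = []
    for addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.extend(f"{name} -> {addr}" for name in names)
    return findings


def _norm(path):
    # Assumes the system drive is C: when expanding %SystemRoot%.
    return path.strip().rstrip("\\").lower().replace("%systemroot%", r"c:\windows")


def hosts_file_relocated(database_path):
    """True if DataBasePath points anywhere but the default directory, i.e. Windows
    reads a hosts file the user is not looking at while the original stays clean."""
    return _norm(database_path) != _norm(DEFAULT_DATABASE_PATH)


def untrusted_nameservers(value, trusted):
    """NameServer is a comma/space separated REG_SZ; empty means 'use the DHCP-assigned
    servers'. Return the statically configured servers that are not in the trusted set."""
    servers = [s for s in re.split(r"[,\s]+", value.strip()) if s]
    return [s for s in servers if s not in trusted]


if __name__ == "__main__":
    print("clean hosts:", audit_hosts(CLEAN_HOSTS))
    print("infected hosts:", audit_hosts(INFECTED_HOSTS))
    print("hosts relocated:", hosts_file_relocated(r"C:\Windows\Temp\etc"))
    print("untrusted NameServer:", untrusted_nameservers("8.8.8.8,203.0.113.53", {"8.8.8.8", "8.8.4.4"}))
```

The relocation check is the one most people miss: scanning only %SystemRoot%\System32\drivers\etc\hosts reports a clean file while the resolver is using the attacker's copy elsewhere, so always read DataBasePath first and audit the file it points at.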

Page 10

Abusing DNS. More advanced example: the Rorpian case

• First of all, the malware gets onto the user's PC via removable media

• Then the magic begins

• The malware configures the user's system as a DHCP server and starts listening on the local network

• If the system is already infected, it manually sets the DNS server to Google's (8.8.8.8)

• When a DHCP request from another computer arrives, the malicious DHCP server attempts to answer before the official one

• If the attempt is successful, the other computer's DNS server is changed to the malicious one

• Which leads to..

Malware infection from any visited resource!
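A rogue DHCP server of this kind is visible on the wire: every DHCPOFFER carries the server identifier (option 54) and the DNS servers it pushes (option 6), so an OFFER from a host that is not the known DHCP server, or one advertising an unknown resolver, gives the infected PC away. The following is an added example, not code from the talk or from the Rorpian sample. It builds two constructed OFFERs for the same transaction, with the infected PC's arriving first as in the race described above, and flags the rogue one. The addresses are assumptions: 192.168.1.1 is the legitimate gateway, 192.168.1.77 the infected PC and 203.0.113.53 a documentation-range stand-in for the attacker's resolver.

```python
"""Spotting a rogue DHCP server of the kind the Rorpian case describes: an infected
PC answers DHCPDISCOVER before the real server and hands out its own DNS server.
Added example, not code from the talk or the malware. The packets below are
constructed in memory (RFC 2131 BOOTP header, RFC 2132 options) so it runs
offline; on a live network you would feed it DHCPOFFERs sniffed from UDP 67 -> 68.
Assumed addresses: 192.168.1.1 legitimate gateway, 192.168.1.77 infected PC,
203.0.113.53 documentation-range stand-in for the attacker's resolver."""

import socket
import struct
from collections import defaultdict

MAGIC_COOKIE = bytes.fromhex("63825363")
BOOTREPLY = 2
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER = 2


def build_offer(xid, yiaddr, server_id, dns_servers):
    """Minimal DHCPOFFER: 236-byte BOOTP header, magic cookie, then TLV options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0,                          # op, htype=Ethernet, hlen, hops
        xid, 0, 0,                                   # xid, secs, flags
        b"\0" * 4, socket.inet_aton(yiaddr),         # ciaddr, yiaddr (offered address)
        socket.inet_aton(server_id), b"\0" * 4,      # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128)         # chaddr, sname, file
    dns = b"".join(socket.inet_aton(d) for d in dns_servers)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
               + bytes([OPT_DNS, len(dns)]) + dns
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_offer(pkt):
    """Return xid, message type, server identifier (option 54) and DNS list (option 6)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    xid = struct.unpack("!I", pkt[4:8])[0]
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    dns_raw = opts.get(OPT_DNS, b"")
    return {
        "xid": xid,
        "type": opts.get(OPT_MSG_TYPE, b"\0")[0],
        "server_id": socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None,
        "dns": [socket.inet_ntoa(dns_raw[j:j + 4]) for j in range(0, len(dns_raw) // 4 * 4, 4)],
    }


def rogue_offers(packets, legit_servers, trusted_dns):
    """OFFERs whose server identifier is not an authorised DHCP server, or which push a
    DNS server outside the trusted set. Packets are assumed to be in arrival order, which
    matters: the client accepts the first OFFER it sees, exactly the race the malware plays."""
    findings = []
    seen = defaultdict(list)                 # xid -> server_ids in arrival order
    for pkt in packets:
        offer = parse_offer(pkt)
        if offer["type"] != DHCPOFFER:
            continue
        seen[offer["xid"]].append(offer["server_id"])
        bad_dns = [d for d in offer["dns"] if d not in trusted_dns]
        if offer["server_id"] not in legit_servers or bad_dns:
            offer["won_race"] = seen[offer["xid"]][0] == offer["server_id"]
            offer["untrusted_dns"] = bad_dns
            findings.append(offer)
    return findings


def sample_capture():
    """Constructed capture: the infected PC's OFFER arrives before the gateway's for the same xid."""
    xid = 0x3903F326
    return [
        build_offer(xid, "192.168.1.50", "192.168.1.77", ["203.0.113.53"]),   # rogue, answers first
        build_offer(xid, "192.168.1.23", "192.168.1.1", ["192.168.1.1"]),     # legitimate gateway
    ]


if __name__ == "__main__":
    for f in rogue_offers(sample_capture(), {"192.168.1.1"}, {"192.168.1.1"}):
        print(f"rogue DHCP server {f['server_id']} pushing DNS {f['untrusted_dns']}, answered first: {f['won_race']}")
```

The DNS-option check is what makes this catch the Rorpian pattern specifically: a second DHCP server on the LAN is sometimes legitimate, but one that hands out a resolver nobody configured is not. In a real deployment the legitimate server and trusted resolver sets come from the network inventory, and DHCP snooping on the switch is the preventive counterpart to this detective check.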

Page 11

Abusing DNS. More high-level threat: hacking the routers

• Main security issues

• weak default passwords or no password change enforcement

• insecure default configuration

• firmware vulnerabilities & services implementation errors

• lack of awareness

Page 12

Abusing DNS. How to hack a million routers?

Overhyped?


Not at all.

Page 13

Abusing DNS. Example: the 2Wire case

Page 14

Abusing DNS. Example: the D-Link & Tsunami case

The malware goes even inside the router itself!

Page 15

Abusing DNS. Examples: it's only the beginning

Page 16

Abusing DNS. Even more high-level threat: hacking the DNS servers

Page 17

Abusing DNS. Last example: the mysterious google-analytics.com case

• Several months ago, through the Kaspersky Security Network (KSN), we received tons of notifications of JavaScript Iframer malware planted in http://google-analytics.com/ga.js

• ga.js downloaded from google-analytics.com was clean

• But when we got the file from users.. it was infected!

• The first version redirected users to the domain name quehduid.com, which wasn't even registered!

• But still, we received notifications about exploits downloaded using this domain

• We analysed tons of malware which could be connected to this case

• Found nothing related to DNS poisoning/hijacking

• But found an interesting geographic pattern between versions

It seems like something is wrong with the local DNS in these countries, isn't it?

Page 18

Conclusions

Page 19

Conclusions. Summing it up

• DNS can be hijacked/poisoned at every layer of the network structure

• Users

• Routers

• DNS servers

• DNS was not originally designed with security in mind

• Thus it has a number of security issues

• There are some technical things that can make it more secure

• Domain Name System Security Extensions (DNSSEC) - cryptographically signed responses

• OpenDNS - misspelling correction, phishing protection, content filtering, blocks bad IPs, stops bots from 'phoning home'

• Google Public DNS - basic validity checking, adding entropy to requests, removing duplicate queries, rate-limiting queries
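The last two bullets each compress a resolver-side defence into a phrase. As an added example (not Kaspersky, Google or OpenDNS code), the following shows what "adding entropy to requests" and "basic validity checking" amount to on the wire: a query with a random transaction ID and a 0x20 case-randomized name, and a check that rejects a response whose ID or question section (case included) does not match what was sent, or whose answers are for a different name. The packets are constructed in memory; the name google-analytics.com is taken from the case on Page 17, while the addresses 192.0.2.10 and 203.0.113.7 are documentation-range placeholders.

```python
"""Resolver-side anti-spoofing checks of the kind the slide lists for Google Public
DNS ("basic validity checking, adding entropy to requests"), on constructed packets
so it runs offline. Added example, not Kaspersky or Google code. Entropy: a random
16-bit transaction ID plus 0x20 case randomization of the query name, which an
authoritative server echoes verbatim. Validity: the response is dropped unless its
ID, question section (case included) and answer owner names match what was asked.
RFC 1035 wire format; 192.0.2.10 and 203.0.113.7 are documentation-range placeholders."""

import random
import socket
import struct
from dataclasses import dataclass

QTYPE_A, QCLASS_IN = 1, 1


@dataclass
class Query:
    packet: bytes   # wire bytes as sent
    txid: int
    qname: str      # the case-randomized name actually sent


def randomize_case(name, rng):
    """0x20 encoding: flip each letter's case at random; a spoofer must guess all of them."""
    return "".join(c.upper() if rng.getrandbits(1) else c.lower() for c in name)


def encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\0"


def decode_name(pkt, off):
    """Decode a possibly compressed name preserving label case; return (name, next offset)."""
    labels, end = [], None
    for _ in range(128):                           # bounds the pointer chase
        length = pkt[off]
        if (length & 0xC0) == 0xC0:                # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels), (off if end is None else end)


def build_query(name, rng=None):
    """A-record query with random TXID and 0x20-randomized QNAME, RD bit set."""
    rng = rng or random.SystemRandom()
    txid, qname = rng.getrandbits(16), randomize_case(name, rng)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return Query(header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN), txid, qname)


def build_response(query, addrs, txid=None, echo_case=True, ttl=300):
    """Constructed reply carrying A records. echo_case=False models a spoofer who
    guessed the ID but answers with the plain lowercase name instead of the echoed one."""
    qname = query.qname if echo_case else query.qname.lower()
    header = struct.pack("!HHHHHH", query.txid if txid is None else txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(a)
                       for a in addrs)            # owner name = pointer to the question name
    return header + question + answers


def validate_response(query, resp):
    """(True, [A records]) if resp is an acceptable answer to query, else (False, reason)."""
    if len(resp) < 12:
        return False, "truncated header"
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != query.txid:
        return False, "transaction id mismatch"
    if not (flags & 0x8000):
        return False, "QR bit not set"
    if qd != 1:
        return False, "unexpected question count"
    name, off = decode_name(resp, 12)
    qtype, qclass = struct.unpack("!HH", resp[off:off + 4])
    off += 4
    if name != query.qname:                        # case-sensitive: the 0x20 check
        return False, "question name/case does not match what was sent"
    if (qtype, qclass) != (QTYPE_A, QCLASS_IN):
        return False, "question type/class mismatch"
    records = []
    for _ in range(an):
        owner, off = decode_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if owner.lower() != query.qname.lower():
            return False, f"answer for unrelated name {owner}"
        if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4):
            records.append(socket.inet_ntoa(rdata))
    return True, records


def demo(seed=None):
    """Legit answer, spoof with wrong ID, spoof with right ID but unrandomized case."""
    rng = random.Random(seed) if seed is not None else None   # seed only for reproducible runs
    q = build_query("google-analytics.com", rng)
    return {
        "legit": validate_response(q, build_response(q, ["192.0.2.10"])),
        "wrong_id": validate_response(q, build_response(q, ["203.0.113.7"], txid=q.txid ^ 0x1234)),
        "wrong_case": validate_response(q, build_response(q, ["203.0.113.7"], echo_case=False)),
    }


if __name__ == "__main__":
    print(demo())
```

Source-port randomization is the other entropy source a real resolver relies on, but it is a property of the socket rather than of the packet bytes, so it is not modelled here; DNSSEC (the previous bullet) is a separate, signature-based check and is likewise out of scope for this snippet.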

Page 20

Conclusions. Summing it up

• From the user side, more things can be done

• Again and again, strong passwords

• Hardening default hardware settings

• Systematic updates of both firmware and software

• Remote control through VPN

• From the hardware vendors' side

• Unique default passwords for devices

• Secure default settings (disable or limit remote access!)

• Emphasis on firmware security

• From the security vendors' side

• Security checks (passwords, default settings, vulnerabilities etc.)

• Inform the user about possible security holes

Page 21

Thank You

Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab

CNCERT/CC 2011 Annual Conference