Hackers start DNS attacks, researcher says

They're using an unknown exploit, says HD Moore, who posted different attack code last week.

Hackers are now actively exploiting a critical flaw in the Domain Name System, but they're not using any of the already known exploits, said a researcher who crafted the first attack code to go public.

"We're seeing an entirely new technique," said HD Moore, the creator of the Metasploit penetration testing framework, who with a hacker identified as "I)ruid," published exploits last week for the vulnerability in the Internet's routing system.

Late yesterday, Moore reported that he had found a compromised DNS server operated by AT&T when employees at his company, BreakingPoint Systems, realized that they were being shunted to a bogus version of google.com. Since then, he said today, he's heard from others who also reported redirects from hacked DNS servers. "They're saying 'we've seen the same thing,' so now we're trying to figure out if we're seeing attacks on a wide scale or not."

Moore said the exploit that successfully attacked the AT&T server was not the same as the Metasploit attack code that he and I)ruid wrote, nor were any of the other public exploits. "It didn't have the signature of any of the public exploits," Moore said. "For example, the Metasploit code will either add an un-cached 'A' record or replace all 'NS' records with a malicious server. In this case, it seems like the attack replaced the address of the CNAME entry for www.1.google.com, which is something I have not seen before."

Moore said he and others were trying to figure out where the exploit originated. "We're curious. It's not based on our code, so is there some kind of phishing kit out there that includes it?"

The compromised AT&T server was taken offline yesterday, Moore said, after he contacted BreakingPoint's ISP.

"The attack itself was not malicious, did not load malware, and from an operational standpoint, had zero impact," Moore said in a long post to the Metasploit blog Tuesday night. The attack, which seemed designed to generate ad revenue by steering users to the fake Google page -- which had ads hidden inside several IFRAMES -- was, said Moore, "a five minute annoyance" and little more.

To add to the problem of in-the-wild exploits, Moore said he suspects that far fewer systems have been patched than most reports have indicated. Saying that this was where he differed from Dan Kaminsky, the researcher who uncovered the flaw in February and helped coordinate a multi-vendor patch effort earlier this month, Moore said test results he had seen showed that approximately 75 percent of DNS servers have not been patched.

Of all DNS servers running software other than Microsoft's Windows, more like 90 percent are unpatched, he added.

Kaminsky, using data from sources that include an online testing tool on his Web site, has estimated that only about 52 percent of the Internet's DNS servers remained unpatched as of last Saturday.

Yesterday, after reporting the compromised AT&T DNS server, Moore got his hands on a list of other regional AT&T DNS servers, then queried them to see if they had been patched. "Of the 19 servers still online, 12 of them are still using static source ports, and each of these can be reached by anyone on the Internet," Moore said. He added that he hoped to do additional testing using a random sampling of a list of 516,000 DNS servers to get a clearer idea of how much progress had been made in plugging the DNS hole.
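The check Moore describes, whether a resolver still sends its outbound queries from a single static source port, is something an operator can verify on their own resolvers from a packet capture of its outgoing queries. The following is an added example and is not code from the article, from Moore, or from Metasploit; the article does not say how Moore tested the AT&T servers. It assumes you have already extracted the UDP source ports of a run of the resolver's outbound queries (for example from a capture taken on the resolver itself), and the numeric thresholds are constructed assumptions, not a published standard.

```python
"""Rate a DNS resolver's source-port randomization from observed query ports.

Added example (not from the article). Input: the UDP source ports of a
resolver's own outbound queries, taken from a packet capture. Output: a
verdict on how exposed the resolver is to the 2008 cache-poisoning attack,
which relied on a predictable source port.
"""
import statistics
from dataclasses import dataclass


@dataclass
class PortReport:
    samples: int
    distinct: int
    spread: int      # max port - min port
    stdev: float     # population standard deviation of the ports
    verdict: str     # STATIC, SEQUENTIAL, POOR or GOOD


# Assumed thresholds (constructed for this example): a healthy randomized
# resolver picking from the ~64K ephemeral range shows a standard deviation
# in the tens of thousands; anything under a few thousand is a narrow pool.
MIN_SAMPLES = 10
POOR_STDEV = 3000.0


def _is_sequential(ports):
    """True when every consecutive sample increments by exactly one."""
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))


def assess_source_ports(ports, min_samples=MIN_SAMPLES):
    """Classify a sequence of observed outbound source ports.

    STATIC     - one fixed port for every query (fully predictable)
    SEQUENTIAL - distinct ports, but each is the previous one plus one
    POOR       - varies, but within a narrow, guessable range
    GOOD       - spread widely across the port range
    """
    if len(ports) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(ports)}")
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    stdev = statistics.pstdev(ports)
    if distinct == 1:
        verdict = "STATIC"
    elif _is_sequential(ports):
        verdict = "SEQUENTIAL"
    elif stdev < POOR_STDEV:
        verdict = "POOR"
    else:
        verdict = "GOOD"
    return PortReport(len(ports), distinct, spread, stdev, verdict)


# Constructed sample captures (not real resolver data).
STATIC_RESOLVER = [32768] * 16
SEQUENTIAL_RESOLVER = list(range(32768, 32768 + 16))
NARROW_RESOLVER = [40000 + (i * 37) % 200 for i in range(16)]
RANDOMIZED_RESOLVER = [41027, 12944, 60111, 3022, 55781, 19883, 33490, 64012,
                       8745, 47216, 25530, 58901, 14378, 39007, 62254, 2101]


if __name__ == "__main__":
    for name, sample in [("static", STATIC_RESOLVER),
                         ("sequential", SEQUENTIAL_RESOLVER),
                         ("narrow", NARROW_RESOLVER),
                         ("randomized", RANDOMIZED_RESOLVER)]:
        r = assess_source_ports(sample)
        print(f"{name:11s} distinct={r.distinct:3d} spread={r.spread:6d} "
              f"stdev={r.stdev:9.1f} -> {r.verdict}")
```

A resolver that comes back STATIC or SEQUENTIAL is what Moore means by "still using static source ports": the patch released in July 2008 fixes exactly this by randomizing the port per query. Run the check against your own resolvers rather than third-party ones, and bear in mind that a NAT device in front of a patched resolver can rewrite the ports and undo the randomization, so capture as close to the Internet edge as you can.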

Moore said he wondered if administrators may be waiting for an update to BIND (Berkeley Internet Name Domain), the most commonly used DNS software. On Monday, Paul Vixie, who heads the nonprofit group that's responsible for BIND, said a second-round update would be released later this week to fix performance issues in the original July 8 patch.

It's also possible, Moore said, that administrators have been less likely to patch BIND-based servers because, unlike Windows, BIND lacks an automatic update mechanism.


Gregg Keizer

Computerworld