Avast WEBforum

Other => General Topics => Topic started by: polonus on July 22, 2008, 10:48:31 PM

Title: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 22, 2008, 10:48:31 PM
Hi malware fighters,

For the second time now a very dangerous DNS flaw has been published by a security firm before the official presentation at the coming Black Hat conference. The man who found it, Dan Kaminsky, could not do much. The info on the site was taken down, but when the cat is out of the bag (they found the search engine's cached info: http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html) it is difficult to get it back in. So everyone, update DNS and watch your kernels.

So, is it really THAT bad? Well, yes. Basically, Dan figured out how to poison ANY DNS server's cache. The end result: people using the DNS server will think they are at Paypal, but are really at evilguy.com.
Hope for the big general patch now to come soon....

The patch consists of randomly generating the source port and coupling this to the TXID, to minimize the chance of a correctly spoofed reply.
Another way is to run your own private recursive DNS server without forwarders, to make these kinds of assault impossible.

polonus
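A small model of the race described in the post above, added here as an illustration; it is not code from the post, from Kaminsky or from Matasano. It assumes that an unpatched resolver sends every query from one fixed, known source port (so a forged reply only has to guess the 16-bit TXID) and that a patched resolver also draws its source port uniformly from 1024-65535 (an assumption; real implementations differ in the range they use). Each forged reply is modelled as an independent guess, and every query is for a fresh random name, so a lost race costs the attacker nothing but another query. The number of forgeries per query window (100) is an assumed figure.

```python
"""Added illustration of the DNS cache-poisoning race described in the post.

Not code from the post or from Kaminsky's/Matasano's material. Assumptions:
an unpatched resolver sends every query from one fixed, known source port,
so a forged reply only has to guess the 16-bit transaction ID (TXID); a
patched resolver also draws the source port uniformly from 1024..65535, so a
forgery has to guess TXID and port together. Each forged reply is modelled
as an independent guess, and every query is for a fresh random name, so a
missed race can be retried at once (no waiting for a cached record's TTL)."""
import math
import random

TXID_SPACE = 1 << 16            # 16-bit transaction ID
PORT_SPACE = 65535 - 1024 + 1   # assumed ephemeral port range of a patched resolver


def guess_space(randomize_port: bool) -> int:
    """Number of (TXID, port) combinations a forged reply must hit."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def forgery_success_probability(forgeries_per_query: int, randomize_port: bool) -> float:
    """P(at least one of n independent forged replies matches one query).
    Computed via log1p/expm1 so the patched case (p ~ 1e-8) keeps precision."""
    space = guess_space(randomize_port)
    return -math.expm1(forgeries_per_query * math.log1p(-1.0 / space))


def expected_queries_to_poison(forgeries_per_query: int, randomize_port: bool) -> float:
    """Mean number of query races until the first forgery is accepted."""
    return 1.0 / forgery_success_probability(forgeries_per_query, randomize_port)


def simulate_kaminsky_race(forgeries_per_query: int, randomize_port: bool,
                           max_queries: int, seed: int = 7):
    """Monte Carlo version of the same race. Each round the resolver asks for
    a fresh random subdomain, picks a new TXID (and port, if patched), and the
    attacker floods it with forged replies carrying guessed values. Returns
    the round on which a forgery was accepted, or None if none landed."""
    rng = random.Random(seed)
    port_space = PORT_SPACE if randomize_port else 1
    for round_no in range(1, max_queries + 1):
        txid = rng.getrandbits(16)
        port = rng.randrange(port_space)      # always 0 when the port is fixed
        for _ in range(forgeries_per_query):
            if rng.getrandbits(16) == txid and rng.randrange(port_space) == port:
                return round_no
    return None


if __name__ == "__main__":
    n = 100  # forged replies the attacker can push per query window (assumed)
    for patched in (False, True):
        label = "TXID + random port" if patched else "TXID only (fixed port)"
        print(f"{label:24s} expected races to poison: "
              f"{expected_queries_to_poison(n, patched):,.0f}")
    print("unpatched: forgery accepted on round", simulate_kaminsky_race(n, False, 20000))
    print("patched: forgery accepted within 2000 rounds?", simulate_kaminsky_race(n, True, 2000))
```

With 100 forgeries per query the unpatched resolver falls after a few hundred races (seconds on a LAN, which is what the "11 seconds" quoted later in the thread is about), while port randomization multiplies the work by roughly the size of the port range, about 64,000 times. That is a much larger margin, not an unbreakable one: the attacker can still win by volume or by anything that shrinks the port space again.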
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: .: Mac :. on July 23, 2008, 04:53:07 AM
Thanks for posting this polonus! Very scary to know that this works on any DNS server. Good reading indeed.
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: Marc57 on July 23, 2008, 06:22:52 AM
Very informative as always, thanks polonus.
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: bob3160 on July 23, 2008, 03:53:33 PM
You can protect yourself by setting yourself to OpenDNS (http://opendns.com/).
This can affect you no matter what computer or operating system you’re using, and no matter what ISP you may have.
If you connect to the Internet, you need to have DNS servers. Your computer needs to know how to match an IP address with a domain name.
Me worry ???  NO, I've been using and promoting OpenDNS (http://opendns.com/) for a long time as you can tell from
the following informative link:
http://forum.avast.com/index.php?topic=16849.msg185494#msg185494 (http://forum.avast.com/index.php?topic=16849.msg185494#msg185494)
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 23, 2008, 09:22:51 PM
Hello malware fighters,

Polonus would not be polonus if he did not offer you a site to test your current DNS.
Do it, go here and click and test your DNS Resolvers at: https://www.dns-oarc.net/oarc/services/dnsentropy

Everything GREAT for ye?

polonus
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: oldman on July 23, 2008, 09:35:53 PM
Hi Polonus

Yep, all Great.
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: bob3160 on July 24, 2008, 05:48:40 AM
Hi Damien,
Everything here gets reported as "Great" but remember, I use OpenDNS (http://opendns.com/).  :),
so I didn't expect anything less.
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: micky77 on July 24, 2008, 04:51:27 PM
 Source Port Randomness: POOR
 Transaction ID Randomness: GREAT
Is this bad ?
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: wyrmrider on July 24, 2008, 06:05:53 PM
I got Great and Great
so I think I would inquire about Great and Poor
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 24, 2008, 10:53:30 PM
Hi micky77,

Your resolver's randomness will be rated either GOOD, FAIR, or POOR,
based on the standard deviation of observed source ports.
In order to receive a GOOD rating, the standard deviation must be at least 10,000.
For FAIR it must be at least 3,000. Anything less is POOR.
The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

If you see a POOR rating, we recommend that you contact your ISP
and ask if they have plans to upgrade their nameserver software
soon. The CERT cite is "VU#800113 Multiple DNS implementations vulnerable to cache poisoning".

"For those not listening, we can infect a name server in 11 seconds now, which was never true before",

polonus
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: Go Pack Go on July 25, 2008, 02:26:32 AM
On my pc with OpenDNS , GREAT and GREAT, on my pc with my ISP DNS, Source Port Randomness: POOR, Transaction ID Randomness: GREAT.
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 25, 2008, 04:32:09 PM
Hi malware fighters,

Just a link to another online DNS checker: http://www.doxpara.com/?p=1176

pol
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: FreewheelinFrank on July 25, 2008, 07:38:36 PM
Quote
Attacks begin on net address flaw

Attack code that exploits flaws in the net's addressing system is starting to circulate online, say security experts.

http://news.bbc.co.uk/1/hi/technology/7525206.stm (http://news.bbc.co.uk/1/hi/technology/7525206.stm)
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: micky77 on July 25, 2008, 08:26:09 PM
Quote
Hi micky77,

Your resolver's randomness will be rated either GOOD, FAIR, or POOR,
based on the standard deviation of observed source ports.
In order to receive a GOOD rating, the standard deviation must be at least 10,000.
For FAIR it must be at least 3,000. Anything less is POOR.
The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

If you see a POOR rating, we recommend that you contact your ISP
and ask if they have plans to upgrade their nameserver software
soon. The CERT cite is "VU#800113 Multiple DNS implementations vulnerable to cache poisoning".


"For those not listening, we can infect a name server in 11 seconds now, which was never true before",

polonus

Thanks very much Pol, I will take your advice; if I get no joy, I will try Bob's OpenDNS (thanks Bob).
I tried the Doxpara check, and it said,
Your name server, , may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 129.
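The quoted explanation above gives the rating rule (standard deviation of the observed source ports, GOOD at 10,000 or more, FAIR at 3,000 or more, otherwise POOR) and micky77's doxpara result adds the second check Kaminsky's page makes: the spread between the largest and smallest port. The following is an added example that implements both checks; it is not code from DNS-OARC, doxpara or anyone in the thread. Population standard deviation is assumed (the quote does not say which estimator the test uses), and the three port lists are constructed for the example rather than captured from a real resolver. The third list shows the situation micky77 and, later in the thread, polonus describe: a patched resolver whose NAT rewrites the source port to consecutive values, which turns a GOOD resolver into a POOR result on the wire.

```python
"""Added example: rate a resolver's source-port randomness the way the quoted
test describes, plus the span/pattern check Kaminsky's doxpara page reports.
Not code from DNS-OARC, doxpara or the thread. The port samples below are
constructed for the example; thresholds are the ones quoted in the thread;
population standard deviation is an assumption."""
import statistics

GOOD_STDEV = 10_000
FAIR_STDEV = 3_000

# Constructed sample 1: a patched resolver. 26 ports spread over 1024..65524
# in scrambled arrival order; their population stdev is exactly 19,350, inside
# the 18,000-20,000 band the quote says to expect from 26 queries.
PATCHED_SAMPLE = [1024 + 2580 * i for i in
                  (7, 19, 2, 25, 11, 0, 14, 22, 5, 17, 9, 24, 1,
                   13, 20, 4, 16, 8, 23, 12, 3, 18, 10, 21, 6, 15)]

# Constructed sample 2: an unpatched resolver that always queries from one
# fixed port, so an attacker only has to guess the 16-bit TXID.
FIXED_PORT_SAMPLE = [32768] * 26

# Constructed sample 3: a patched resolver behind a NAT that rewrites the
# source port to consecutive values. The resolver is fine; the NAT undoes it.
NAT_SAMPLE = list(range(61001, 61027))


def rate_stdev(stdev: float) -> str:
    """Apply the quoted thresholds to a standard deviation."""
    if stdev >= GOOD_STDEV:
        return "GOOD"
    if stdev >= FAIR_STDEV:
        return "FAIR"
    return "POOR"


def has_obvious_pattern(ports) -> bool:
    """True if every port differs from the previous one by the same step in
    arrival order (all equal, or counting up/down by a constant): the
    'obvious pattern' Kaminsky's checker warns about even when stdev is fine."""
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return len(steps) == 1


def assess_port_sample(ports) -> dict:
    """Rate one set of observed source ports, in arrival order."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    stdev = statistics.pstdev(ports)
    return {
        "rating": rate_stdev(stdev),
        "stdev": stdev,
        "span": max(ports) - min(ports),   # doxpara's 'largest minus smallest'
        "patterned": has_obvious_pattern(ports),
    }


if __name__ == "__main__":
    for name, sample in (("patched", PATCHED_SAMPLE),
                         ("fixed port", FIXED_PORT_SAMPLE),
                         ("patched behind NAT", NAT_SAMPLE)):
        r = assess_port_sample(sample)
        print(f"{name:20s} {r['rating']:5s} stdev={r['stdev']:8.1f} "
              f"span={r['span']:5d} patterned={r['patterned']}")
```

Two things the rating alone does not tell you: a NAT in front of a correctly patched resolver produces the same POOR result as an unpatched one (the fix is on the NAT, not on the resolver), and a standard deviation above 10,000 can still come from a perfectly regular sequence, which is why the pattern check is worth running next to it.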
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: drhayden1 on July 25, 2008, 09:33:43 PM
Also use OpenDNS like Bob has mentioned :)
And Damian on this like you posted above https://www.dns-oarc.net/oarc/services/dnsentropy
All the tests came out GREAT :)
1. 208.67.217.4 (bld1.nyc.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.
2. 208.67.217.17 (bld7.nyc.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.
as seen below..........
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 25, 2008, 11:21:28 PM
Hi Dan,

I agree with bob3160 and you that DNS is broken(ish) at the moment, and the exploit was already out in the open after Dan Bernstein published about the gigantic flaw Dan Kaminsky found. In IE you can set your browser to use reliable DNS name servers; you can even map a specific URL to a specific domain name in your hosts file. OpenDNS can be a good option; I never saw a hassle for people that used it.
But again folks, this affair is huge and hanging over us, because the actual exploit code is out on the web (CAU), also for the client side. Getting back to Dan Kaminsky and his efforts: he was also able to convince Yahoo to publicly ditch an unpatchable system (BIND 8). Yahoo are the world's biggest user of BIND 8, so this is a massive undertaking and highlights the seriousness of the issue.
Anyway, all our webforum users have been alerted here to this issue and can check or ask their ISP to fully patch, or implement a reliable DNS service themselves; you have no excuse anymore to delay.

polonus
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: drhayden1 on July 26, 2008, 12:07:42 AM
thanks for the update and info damian as always :)
you know what that bottle is of ;D
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 26, 2008, 12:49:37 AM
Hi Dan,

Well I think there is more to follow. OpenDNS sure is an option; one could also choose to use the Minnesota University DNS servers. Anything below the latest BIND 9 is vulnerable and cannot be used any longer. With the check on Dan Kaminsky's site, you can get a result like: "Your name server, at A.B.C.D., appears to be safe, but make sure the ports listed below aren't following an obvious pattern," e.g. TXID numbers should be random without a fixed pattern. The impact of the flaw is explained here: http://www.kb.cert.org/vuls/id/800113


To the second remark in your posting, I can state that I can see you are an American, because there Pitbull is a sugar-free energy drink. You guessed it right. Here is the variant that I drink at the moment, see picture below,

Damian
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: bob3160 on July 26, 2008, 03:26:34 AM
Also use OpenDNS like Bob has mentioned :)

Occasionally, I do know what I'm talking about.  ;D ;D
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: sopadeajo on July 26, 2008, 04:15:18 AM
To understand a little little little bit more;

http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: FreewheelinFrank on July 26, 2008, 12:01:51 PM
Quote
My advice to readers is to visit the testing tool on Kaminsky's site. If the response is that your ISP is vulnerable, please post a note in the comments section saying so. If your ISP has not yet addressed this important flaw, please also consider protecting yourself using one of the following methods.

--Set up your system so that it uses the DNS resolvers provided by OpenDNS, an entity that provides a free service which routes all of your Web site queries through DNS servers that are not only patched against this flaw, but which can help you better spot phishing Web sites and prevent people on your network from visiting otherwise objectionable Web sites.

--Reconfigure your DNS settings to use servers that are known to be patched against this flaw. A few of those servers include 4.2.2.1, and 4.2.2.2. To do this in Windows, click Start, Control Panel, Network Connections, and double-click on the connection name that says it's already connected. From there, scroll down to the Internet Protocol setting, and click Properties. If it is not already checked, change the radio button to "Use the following DNS server addresses," and then type in 4.2.2.1 and 4.2.2.2 in the settings below. Click "OK" to finalize the settings. Note that you will only be permitted to make these changes if you are logged in to Windows using an administrator account.

http://blog.washingtonpost.com/securityfix/2008/07/the_web_just_became_a_much_mor.html (http://blog.washingtonpost.com/securityfix/2008/07/the_web_just_became_a_much_mor.html)
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 26, 2008, 04:12:49 PM
Hi malware fighters,

Another quick DNS check example : http://pingability.com/zoneinfo.jsp?domain=207.63.88.21

pol
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: drhayden1 on July 26, 2008, 06:58:32 PM
Fine and normal on that test too Damian-how many more DNS tests you have up your sleeve ;)
Guess the OpenDNS is worth having ;D

(http://i38.tinypic.com/iqg9iq.gif)
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 26, 2008, 08:08:35 PM
Hi Dan,

Yes, a reliable name server service is desirable to have. Consider that the DNS code has been "broken" at intervals since the nineties of the previous century. Exploits of this reappear again and again, and they are lively dangerous because the nameserver service is so vital to let the thing we call the Internet function or go down "bunkers". A great deal of ISPs haven't done their homework yet; there are several more exploits out there on the Internet, like hxxp://milw0rm.com/exploits/6123 & hxxp://milw0rm.com/exploits/6130, but Metasploit made it very easy for the malcreants by building the exploit ready-made into his Metasploit malware tool.
Another nice free program to inspect where it is going right or wrong is DnsEye.     

DnsEye monitors network traffic by capturing Domain Name System (DNS) packets on the network and displays host name resolution information. The program allows you to monitor requested URLs on the network, open them in a browser and save the captured DNS name list to a file. The tool is designed with a user-friendly interface and is easy to use. Download from here: http://www.nsauditor.com/freeware/downloads/DnsEye.exe  (nice to have on a USB drive, Enjoy!)

The point that I did not touch yet is that even if your DNS nameservers are fully patched and random, the firewall/NAT you use can hamper the final outcome....

polonus

P.S. Read this: http://www.imsc.res.in/~kapil/blog/lg/dns_quickfix-2008-07-10-17-07.html

Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: bob3160 on July 27, 2008, 11:16:27 PM
You might also find the following helpful:
http://www.microsoft.com/technet/security/advisory/956187.mspx (http://www.microsoft.com/technet/security/advisory/956187.mspx)
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: FreewheelinFrank on July 29, 2008, 12:00:35 AM
Quote
A security research outfit in Argentina has released a malcode distribution toolkit capable of launching man-in-the-middle attacks against popular products that use insecure update mechanisms.

The toolkit, called Evilgrade, works in conjunction with man-in-the-middle techniques (DNS, ARP and DHCP spoofing) to exploit a wide range of applications, according to a post on the Metasploit blog.

The first version of the toolkit ships with exploit modules for several widely deployed software packages, including Apple’s Mac OS X and iTunes, WinZip, Winamp, OpenOffice and Sun Java.

A demo video provides a scary look at how a sophisticated blended attack can be used to target millions of Windows users.

In the video, Evilgrade uses HD Moore’s recent DNS exploit in tandem with Sun’s Java update mechanism to execute code and hijack a fully patched Windows machine:

http://blogs.zdnet.com/security/?p=1576 (http://blogs.zdnet.com/security/?p=1576)
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 29, 2008, 12:16:40 AM
Hi FwF,

A lot of people do not realize as yet how dangerous this is, because it is affecting the very underlying structures of the Internet, and can turn it unstable. Patching has almost become a race against the tide of malware and flaws that is rolling in, and the levee is about to break (thinking of the Led Zeppelin lyrics).
Patching is almost as important as updating signature files for your av engine. I have hardened the stkeys for the modem recently; hacking and remote control has become a matter of minutes now. Be afraid, my friend, be very afraid, Evilgrade can destroy us all - info on the tool:
http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf

pol
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: .: Mac :. on July 30, 2008, 08:49:32 PM
DNS attack writer a victim of his own creation:
http://www.macworld.com/article/134758/2008/07/dnsattack.html
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: polonus on July 30, 2008, 10:01:46 PM
Hi malware fighters,

As there is still a large number of nameservers unpatched, we would like to know what the malcreants are able to do through the new DNS flaw: read here: http://securityblog.verizonbusiness.com/2008/07/25/dns-exploits-what-could-actually-happen/

OpenDNS and the linux DJBDNS at http://cr.yp.to/djbdns.html have been secure for months now.

polonus
Title: Re: The cat is out of the bag now.... DNS flaw published by mistake!
Post by: BILL G on August 08, 2008, 11:09:45 PM
Thanks for all the Good Info + Links in this Thread. I Installed OpenDNS + ran Tests. I got Great, Great, Great.