The cat is out of the bag now.... DNS flaw published by mistake!

[polonus]

Hi Dan,

I agree with bob3160 and you that DNS is broken(ish) at the moment, and the exploit was already out in the open after Dan Bernstein published about the gigantic flaw Dan Kaminsky found. In IE you can set your browser to use reliable DNS name servers, you can even set the specific url to a specific domain name in your hosftile. OpenDNS can be a good option, never saw a hassle for people that used it.
But again folks, this affair is huge and hanging over us, because the actual exploit code is out on the web (CAU), also for the client side. Getting back to Dan Kaminsky's and his efforts. He was also able to convince Yahoo to publicly ditch an unpatchable system (BIND . Yahoo are the world’s biggest user of BIND 8 so this is a massive undertaking and highlights the seriousness of the issue.
Anyways all our webforum users have been alerted here to this issue, can check or ask their ISP to fully patch or implement a reliable DNS service themselves, you have no excuse anymore to delay..

polonus

[drhayden1]

thanks for the update and info damian as always
you know what that bottle is of

[polonus]

Hi Dan,

Well I think there is more to follow, OpenDNS sure is an option, one could also choose to use the Minnesota University DNS servers, anything below the latest Bind 9 is vulnerable, and cannot be used any longer. With the check on Dan Kaminsky's site, you can get a result like: "Your name server, at A.B.C.D., appears to be safe, but make sure the ports listed below aren't following an obvious pattern," e.g. TXID numbers should be randomn without a fixed pattern. The impact of the flaw is being explained here: http://www.kb.cert.org/vuls/id/800113


To the second remark in your posting, I can state that I can see you are an American, because there Pitbull is a sugar free energy drink. You guessed it right, Here the variant that I drink at the moment, see picture below,

Damian

[bob3160]

Also use OpenDNS like Bob has mentioned

Occasionally, I do know what I'm talking about. 

[sopadeajo]

To understand a little little little bit more;

http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/

[FreewheelinFrank]

My advice to readers is to visit the testing tool on Kaminsky's site. If the response is that your ISP is vulnerable, please post a note in the comments section saying so. If your ISP has not yet addressed this important flaw, please also consider protecting yourself using one of the following methods.

--Set up your system so that it uses the DNS resolvers provided by OpenDNS, an entity that provides a free service which routes all of you Web site queries through DNS servers that are not only patched against this flaw, but which can help you better spot phishing Web sites and prevent people on your network from visiting otherwise objectionable Web sites.

--Reconfigure your DNS settings to use servers that are known to be patched against this flaw. A few of those servers include 4.2.2.1, and 4.2.2.2. To do this in Windows, click Start, Control Panel, Network Connections, and double-click on the connection name that says it's already connected. From there, scroll down to the Internet Protocol setting, and click Properties. If it is not already checked, change the radio button to "Use the following DNS server addresses," and then type in 4.2.2.1 and 4.2.2.2 in the settings below. Click "OK" to finalize the settings. Note that you will only be permitted to make these changes if you are logged in to Windows using an administrator account.

http://blog.washingtonpost.com/securityfix/2008/07/the_web_just_became_a_much_mor.html

[polonus]

Hi malware fighters,

Another quick DNS check example : http://pingability.com/zoneinfo.jsp?domain=207.63.88.21

pol

[drhayden1]

Fine and normal on that test too Damian-how many more DNS tests you have up your sleeve
Guess the OpenDNS is worth having

[polonus]

Hi Dan,

Yes a reliable name server service is desirable to have. Consider the DNS code has been "broken" with intervals since the nineties of the previous century. Exploits of this reappears again and again, and they are lively dangerous because the nameserver service is so vital to let the thing we call the Internet function or go down "bunkers". A great deal of ISP;s haven't done their homework yet, there are several more exploits out there on the Internet, like hxxp://milw0rm.com/exploits/6123 & hxxp://milw0rm.com/exploits/6130, but Metasploit made it very easy for the malcreants by building the exploit ready into his Metasploit malware tool.
Another nice free program to inspect where it is going right or wrong is DnsEye.     

Dns Eye is monitoring network traffic by capturing Domain Name System DNS packets in network and displays the host names resolve information. The program allows to monitor requested URLs in network, to open it in browser and save captured DNS name list in the file. The tool is designed with a user-friendly interface and is easy to use. Download from here: http://www.nsauditor.com/freeware/downloads/DnsEye.exe  (nice to have on a USB drive, Enjoy!)

The point that I did not touch yet is, that even if your DNS nameservers are fully patched and random, the firewall/Nat you use can hamper the final outcome....

polonus

P.S. Read this: http://www.imsc.res.in/~kapil/blog/lg/dns_quickfix-2008-07-10-17-07.html

[bob3160]

You might also find the following helpful:
http://www.microsoft.com/technet/security/advisory/956187.mspx

[FreewheelinFrank]

A security research outfit in Argentina has released a malcode distribution toolkit capable of launching man-in-the-middle attacks against popular products that use insecure update mechanisms.

The toolkit, called Evilgrade, works in conjunction with man-in-the-middle techniques (DNS, ARP and DHCP spoofing) to exploit a wide range of applications, according to a post on the Metasploit blog.

The first version of the toolkit ships with exploit modules for several widely deployed software, including Apple’s Mac OS X and iTunes, WinZip, Winamp, OpenOffice and Sun Java.

A demo video provides a scary look at how a sophisticated blended attack can be used to target millions of Windows users.

In the video, Evilgrade uses HD Moore’s recent DNS exploit in tandem with Sun’s Java update mechanims to execute code and hijack a fully patched Windows machine:

http://blogs.zdnet.com/security/?p=1576

[polonus]

Hi FwF,

A lot of people do not realize as yet how dangerous this is, because it is affecting the very underlying structures of the Internet, and can turn it unstable. Patching has almost become a race against the tide of malware and flaws that is rolling in, and the levee is about to break (thinking of the Led Zeppelin lyrics).
Patching is almost as important as updating signature files for your av engine. I have hardened the stkeys for the modem recently, hacking and remote control has become a matters of minutes now. Be afraid, my friend, be very afraid, Evilgrade can destroy us all - info on the tool:
http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf

pol

[.: Mac :.]

DNS attack writer a victim of his own creation:
http://www.macworld.com/article/134758/2008/07/dnsattack.html

[polonus]

Hi malware fighters,

As there are still a large amount of nameservers still unpatched, we like to know what the malcreants are able to do through the new DNS flaw: read here: http://securityblog.verizonbusiness.com/2008/07/25/dns-exploits-what-could-actually-happen/

OpenDNS and the linux DJBDNS at http://cr.yp.to/djbdns.html have been secure for months now.

polonus

[BILL G]

     Thanks for all the Good Info + Links in this Thread. I Installed Open DNS + ran Tests. I got Great, Great , Great.