abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-卡巴斯基实验室资深病毒分析师 evgeny aseev
- 1. Abusing DNS to spread malwareAbusing DNS to spread malwareAbusing DNS to spread malwareAbusing DNS to spread malware From router to end-user Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab CNCERT/CC 2011 Annual Conference
- 2. What is DNS?What is DNS? And why can it be abused?
- 3. What is DNS? DNS – Domain Name System DNS translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devicesaddressing these devices worldwide DNS is a "phone book" for the Internet Examples: kaspersky.com -> 91.103.64.6 google.com -> 209.85.149.104
- 4. Why can DNS be abused? • Technical side • Open, distributed design • Lots of nodes • Everybody can start one • Usage of User Datagram Protocol (UDP) • Unreliable (no concept of acknowledgment, retransmission or timeout) • Not ordered (if two messages are sent to the same recipient, the order in which they arrive cannot be predicted)arrive cannot be predicted) • Human factor • Not well-qualified network administrators • Network security holes • Default hardware configurations • etc. • End-users themselves • The most easy object to abuse!
- 5. How can DNS be abused?How can DNS be abused? Real-world examples
- 6. How can DNS be abused? Instead of going into cool theoretical stuff about techniques of exploiting DNS itself, I would rather show some real-world examples of attacks and malicious programs related to DNS.
- 7. Abusing DNS Simple example: changing user’s DNS settings using ‘hosts’ file That’s how normal ‘hosts’ file looks like And that’s an infected example
- 8. Abusing DNS Simple example: changing user’s DNS settings using relocated ‘hosts’ file That’s where ‘hosts’ file should be located But it can be relocated and infected And original ‘hosts’ file remains unchanged
- 9. Abusing DNS Simple example: changing user’s DNS settings using network registry settings That’s how ‘NameServer’ option should look like But it can be manually changed..But it can be manually changed.. And immediately updated
- 10. Abusing DNS More advanced example: Rorpian case • First of all, malware gets on user’s PC via removable media • Then, the magic begins • Malware configures user’s system as DHCP server and starts listening to the local network • If the system is already infected, manually sets the DNS server to Google’s one (8.8.8.8) • When a DHCP request from another computer arrives, malicious DHCP Malware infection from any visited resource! • When a DHCP request from another computer arrives, malicious DHCP server attempts to answer before official one • If the attempt was successful, another computer’s DNS will be changed to malicious one • Which leads to..
- 11. Abusing DNS More high-level threat: hacking the routers • Main security issues • weak default passwords or no password change enforcement • insecure default configuration • firmware vulnerabilities & services implementation errors • lack of awareness
- 12. Abusing DNS How to hack million of routers? Overhyped? PAGE 12 | Kaspersky Powerpoint template – Overview | January 24 2011 Not at all.
- 13. Abusing DNS Example: 2Wire case
- 14. Abusing DNS Example: D-Link & Tsunami case Malware goes even inside the router itself!Malware goes even inside the router itself!
- 15. Abusing DNS Examples: it’s only the beginning
- 16. Abusing DNS Even more high-level threat: hacking the DNS servers PAGE 16 | Kaspersky Powerpoint template – Overview | January 24 2011
- 17. Abusing DNS Last example: mysterious google-analytics.com case • Several months ago by Kaspersky Security Network (KSN) we received tons of notifications of javascript Iframer malware planted on http://google- analytics.com/ga.js • ga.js downloaded from google-analytics.com was clean • But when we got some file from users.. It was infected! It seems like something is wrong with the local DNS • First version redirects user to domain name quehduid.com, which wasn’t even registered! • But still, we received notifications about exploits downloaded using this domain • Analyzed tons of malware which could be connected to this case • Found nothing common to DNS poisoning/hijacking • But found some interesting geographic pattern between versions It seems like something is wrong with the local DNS in these countries, isn’t it?
- 19. Conclusions Summing it up • DNS can be is hijacked/poisoned on every layer of network organization structure • Users • Routers • DNS servers • DNS was not originally designed with security in mind • Thus has number of security issues• Thus has number of security issues • There are some technical things that can make it more secure • Domain Name System Security Extensions (DNSSEC) - cryptographically signed responses • OpenDNS - misspelling correction, phishing protection, content filtering, blocks bad IPs, stops bots from 'phoning home' • Google Public DNS - basic validity checking, adding entropy to requests, removing duplicate queries, rate-limiting queries
- 20. Conclusions Summing it up • From user side, more things can be done • Again and again, strong passwords • Hardening default hardware settings • Systematic updates of both firmware and software • Remote control through VPN • From hardware vendors side • Unique default passwords for devices • Secure default settings (disable or limit remote access!) • Emphasis on firmware security • From security vendors side • Miscellaneous checking for security (passwords, default settings, vulnerabilities etc.) • Inform user on possible security holes
- 21. Thank YouThank You Evgeny Aseev, Senior Malware Analyst, Kaspersky LabEvgeny Aseev, Senior Malware Analyst, Kaspersky Lab CNCERT/CC 2011 Annual Conference