Handler on Duty: Renato Marinho
Threat Level: green
March 2005 DNS Poisoning Summary
compiled by Kyle Haugsness
######################################################################## ## ## DNS CACHE POISONING DETAILED ANALYSIS REPORT Version 2 ## ## (by Kyle Haugsness and the ISC Incident Handlers) ## ######################################################################## ######################################################################## ## Summary ######################################################################## Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began receiving reports from multiple sites about DNS cache poisoning attacks that were redirecting users to websites hosting malware. As the "Handler on Duty" for March 4, I began investigating the incident over the course of the following hours and days. This report is intended to provide useful details about this incident to the community. The initial reports showed solid evidence of DNS cache poisoning, but there also seemed to be a spyware/adware/malware component at work. After complete analysis, the attack involved several different technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec firewall/gateway products, default settings on Windows NT4/2000, spwyare/adware, and a compromise of at least 5 UNIX webservers. We received information the attack may have started as early as Feb. 22, 2005 but probably only affected a small number of people. On March 24, we received reports of a different DNS cache poisoning attack. This attack did not appear to affect as many people. This will be referred to as the "second attack" in the remainder of this report. After monitoring the situation for several weeks now, it has become apparent that the attacker(s) are changing their methods and toolset to point at different compromised servers in an effort to keep the attacks alive. This attack morphed into a similar attack with different IP addresses that users were re-directed toward. This will be referred to as the third attack and is still ongoing as of April 1, 2005. Before proceeding, a note of thanks is in order for all the people that have submitted reports to us, helped us investigate further, and provided us logs or data. The Internet Storm Center is a volunteer effort and the better information that we receive from the community, the better analysis we can perform and contribute back to the community. Contents: 1. How can others help? 2. How do I recover from a DNS cache poisoning attack? 3. What software is vulnerable? 4. I am a dial-up/DSL/cable modem user -- am I vulnerable? 5. Where can I test my site to see if I am vulnerable? 6. What exactly is DNS cache poisoning? 7. What was the motivation for this type of attack? 8. Weren't DNS cache poisoning attacks squashed around 8 years ago? 9. What was the trigger for the attack? 10. How exactly did this DNS cache poisoning attack work? 11. What domain names were being hijacked? 12. What were the victim sites? 13. What malware was placed on my machine if I visited the evil servers? 14. Got packets? 15. Got snort? ######################################################################## ## How can others help? ######################################################################## We are still seeking assistance from the community. You can help out by providing the following data: 1. We still would like reports of active cache poisoning. When reporting, please include the DNS server software in use and whether you have forwarders in place. A good description would be "Windows 2000 server (with registry key to secure cache against polution) forwarding to a BIND 8.4.6 server in a DMZ that is not forwarding to any other upstream server". Try to include packet captures of all UDP port 53 traffic after you have been poisoned. Also, try to send us a copy of your current DNS cache (see next two paragraphs). There doesn't seem to be a method to export the running DNS cache on any of the Windows platforms. The only possibile option would be to put the DNS server in debug mode and then dig through the log files, which is not really a viable option. Some people have sent us screenshots of the DNS Manager/Console, which is probably the best option (unless somebody sends us a better method). On BIND you can export the current DNS cache that by running the "ndc" command (for BIND 8) or "rndc" (for BIND 9) on the server itself as root and then executing "dumpdb". This command will save the current memory cache to the directory specified in your named.conf file under the "directory" option; it is typically "/var/cache/bind". 2. Run the snort signatures at the end of this document and send us some of the alerts with the full packet trace. 3. If your sniffer is big enough, you can start logging all UDP port 53 traffic into/out of your site. Later, as we identify more malicious DNS servers, we may be asking for all DNS traffic to/from a specific IP address. So it would be helpful to have historical data to determine when a specific attack started and what poisoning method they used. If you do set this up, remember to rotate your captures so they don't consume all the disk space on your sniffer box. ######################################################################## ## How do I recover from a DNS cache poisoning attack? ######################################################################## 1. You need to be absolutely positive that you have not been infected with spyware. Many spyware/adware programs today will modify the DNS settings or local hosts file on Windows machines. So you should first run your favorite spyware/adware detection tool. 2. Try to find out the IP address(es) of the malicious DNS server(s) and check our website to determine if this IP address has been reported. If the IP has not been reported, drop us a quick note at the following URL: http://isc.sans.org/contact.php 3. You may want to block the IP address(es) of the malicious DNS server(s) at your border routers/firewalls so that your so that your cache does not become poisoned again. 4. Cleaning up from a site-wide DNS cache poisoning may require flushing the cache on all of your DNS servers in your organization probably starting with the most externally facing DNS boxes first. 5. On Windows DNS servers, you can stop/start the DNS service to clear the cache. You can also use the dnscmd.exe command from the Resource Kit: dnscmd.exe /ClearCache 6. On Windows 2000, XP, and 2003 clients, you can flush the client cache by running "ipconfig /flushdns". (Please note that this will do nothing to clean-up a poisoned DNS caching server upstream.) 7. On BIND 9, you can clear the cache by running "rndc" command and executing the "flush" command. On BIND 8 or below, it appears that you have to restart the server. ######################################################################## ## What software is vulnerable? ######################################################################## We have confirmation that the following software products are vulnerable: 1. Windows NT4 and 2000 DNS servers. The default configuration of the DNS server on Windows NT 4 and 2000 IS INSECURE against DNS cache poisoning attacks. By default, the DNS server does NOT protect you against DNS cache poisoning. If you run a resolving nameserver on Windows NT 4 or Windows 2000 (2003 is configured securely by default), you are HIGHLY ADVISED to follow the instructions here to protect yourself from these attacks: http://support.microsoft.com/default.aspx?scid=kb;en-us;241352 2. Symantec gateway products. There was a confirmed bug that allowed DNS cache poisoning in various Symantec products. A patch was released on March 15, 2005 for the following products: Symantec Gateway Security 5400 Series, v2.x Symantec Gateway Security 5300 Series, v1.0 Symantec Enterprise Firewall, v7.0.x (Windows and Solaris) Symantec Enterprise Firewall v8.0 (Windows and Solaris) Symantec VelociRaptor, Model 1100/1200/1300 v1.5 The vulnerability information can be found at the following two URLs: http://securityresponse.symantec.com/avcenter/security/ Content/2005.03.15.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0817 This bug was in addition to a previous bug on the same product set that was fixed on June 21, 2004: http://securityresponse.symantec.com/avcenter/security/ Content/2004.06.21.html We have received reports that Windows 2003 and NT4/2000 (with the proper registry key settings) are still vulnerable. We are currently working with Microsoft to determine whether there is a bug or architectural problem in their DNS software. Possible theory #1: Windows DNS servers that forward to BIND nameservers do not ignore the additional authority records in the DNS replies. In this scenario, we think that the "secure cache against poisoning" registry keys are just being ignored. Possible theory #2: The malicious DNS server is currently responding with .COM entries that have a TTL of 99,999 seconds which is 1 day, 3 hours, 46 minutes, 39 seconds. Perhaps there is a bug where the DNS server looks at the TTL value it received and realizes that it is greater than the TTL value for .COM in its cache, so it overrides the value in cache with the new value? Additionally, we have received reliable reports from sites that were poisoned by this attack altough they were running BIND entirely. By default, the various UNIX-based DNS servers are not vulnerable to this attack. However, it may be possible to make them insecure through poor configuration choices. If you have any doubt, test it yourself following the instructions below. ######################################################################## ## I am a dial-up/DSL/cable modem user -- am I vulnerable? ######################################################################## Most likely, no. The major ISPs typically run UNIX-based DNS resolvers which are not currently vulnerable. However, there are some ISPs running Windows NT4 or 2000 resolvers and may not have secured their DNS resolvers. You can test it yourself in the next section. ######################################################################## ## Where can I test my site to see if I am vulnerable? ######################################################################## In order to build a "test myself" site, we developed a tool that can attempt to poison the .COM cache (or any other domain). Unfortunately, there is no subtle way to deploy this in a testing mode. The danger is that an end-user at a company or ISP runs the test and if the test is successful, the cache poisoning will affect all users at that organization or ISP. We will try to get this worked out and develop a test methodology that is less intrusive. And don't ask us for the proof-of-concept tool. We are not distributing it to anyone at this time. ######################################################################## ## What exactly is DNS cache poisoning? ######################################################################## Basically, it is method for an attacker to change the IP address that a hostname resolves to. For instance the hostname www.cisco.com points to the IP address 198.133.219.25. A DNS cache poisoning attack allows an attacker to change the IP address for a host/domain and point it to a different IP address. If the above paragraph didn't make any sense, then take a step back and understand that DNS (Domain Name System) is the method by which you can resolve a human name like www.google.com into an IP address. An IP address is a computer's unique location on the Internet. For a very good explanation of how the global DNS system works, refer to this article: http://computer.howstuffworks.com/dns.htm/printable Second, you must understand that most end-users on the Internet use a DNS server that is close to them (at their ISP or within their organization's firewalls) to lookup names for them. For performance reasons, these DNS servers cache the returned data so that it takes less time to respond to the next client. If there is a vulnerability or misconfiguration in the software on these DNS servers, then the cache poisoning attack is possible. When a victim DNS cache is poisoned, the attacker will be affecting ALL future lookups of any domain name he chooses for ALL users of that DNS server. Large ISPs may have thousands of users referencing a single DNS resolver. So an attack against a resolver could affect thousands of users, without those users having done anything wrong. Here is how the attack works. First, there needs to be a trigger that forces the victim site's DNS server to query the evil DNS server. There are several ways to accomplish this. A couple of easy methods are e-mail to a non-existant user (which will generate an NDR to the source domain), spam e-mail with an external image, banner ads served from another site, or perhaps triggering it from a bot network or installed base of spyware. Once the trigger executes, the victim's site DNS server queries the evil DNS server. The attacker includes extra information in the DNS reply packet. In both attacks, the reply packets contained root entries for the entire .COM domain. If your DNS server is not configured properly, then it will accept the new entries for .COM and delete the proper entries for the Verisign servers (who runs the .COM domain). Once this has occurred, any future queries that your DNS server makes for .COM addresses will go to the malicious DNS server. The server can give you any address it wants. In this attack, any hostname that you request is returned with a couple of IP addresses that are running a webserver and attempting to exploit client-side bugs in Internet Explorer to install spyware. It is important to note that this attack could be used to hijack other domain roots besides .COM, like .NET, .ORG, or the country TLDs like .CA or .DE. The attacker could hijack all of them. A smart attacker would potentially just hijack specific hostnames and then return the correct information for all other queries. This type of attack would not be as noticeable and could potentially be very dangerous. ######################################################################## ## What was the motivation for this type of attack? ######################################################################## The motivation for these attacks is very simple: money. The end goal of the first attack was to install spyware/adware on as many Windows machines as possible. A good spyware/adware program can generate significant revenue for the attacker. There is an excellent write-up by the folks at LURHQ that describes the pay-per-click (PPC) advertising scheme that is likely behind the first/third attacks: http://www.lurhq.com/ppc-hijack.html. The second attack seems to have been launched by a known spammer. But this is quite a complicated attack for a spammer, so my current theory is that the attacker(s) are contracting their services for hire. The motivation for our detailed analyis was because of the DNS cache poisoning attack, which has the potential for affecting millions of Internet users and enabling some very dangerous attacks. After receiving a couple of reliable reports, it became clear to us that we needed to get to the very bottom of this attack. ######################################################################## ## Weren't DNS cache poisoning attacks squashed around 8 years ago? ######################################################################## Taking a trip down memory lane... Cache poisoning has been around for a very long time. There have been unfortunate bugs in BIND and there have been design flaws. The DJB fans will note that djbdns has been secure against cache poisoning for a long time, too. Basically, the UNIX-based stuff has been secure against cache poisoning for quite some time, but there may always be a bug or design flaw that is discovered. We are not quite sure why Microsoft left a default configuration to be unsecure in NT4 and 2000. (Exercise to reader: insert Microsoft security comment/opinion/joke here, but keep it to yourself). ######################################################################## ## What was the trigger for the attack? ######################################################################## We haven't been able to isolate the exact trigger for either attack. There are several methods to trigger a DNS lookup to a malicious DNS server. There are so many methods to do so, that it doesn't really matter. It can be accomplished easily, so instead of focusing on the trigger, security/system administrators should focus on securing their DNS software. ######################################################################## ## How exactly did this DNS cache poisoning attack work? ######################################################################## During the first attack (around Feb 22 to Mar 12, 2005), victims were being re-directed to one of 3 servers: 217.160.169.87, 207.44.240.79, 216.127.88.131. The domain names for these servers were: www.7sir7.com, 123xxl.com, and abx4.com. These domain names were purchased just prior to the attack being launched. All of the IP addresses above were UNIX machines at colocation/web-hosting companies that were compromised. Most people observed the re-direction because their web-surfing was obviously affected. But we also received reports of e-mails getting bounced and subsequent investigation of log files from those machines indicated that FTP logins, IMAP/POP logins, and SSH traffic was being re-directed also. The attacker had uploaded to the compromised UNIX machines two client-side exploits for Internet Explorer. So when users were re-directed to those servers, the exploit would be launched and if successful, the victim would be infected with a spyware program. During the second attack (March 25), there were two malicious DNS servers that were re-directing people. The malicious DNS servers were 222.47.183.18 and 222.47.122.203. These DNS servers were re-directing people to themselves, where a website selling popular prescription medication was found. These webservers did not host any malicious content. Instead, this was more the work of a spammer. Future investigation into the IP addresses and domain names registered to those IP addresses indicate that these servers are probably owned by a spammer with over 300 domain names registered. It should be noted that the website advertised indicated "megapowerpills.com", however there is a real website with that name that is operated on a different IP address. The third attack is really a continuation of the first attack (March 25 - April 1, 2005), with the same goal of installing a spyware program. One of the machines from the first attack (216.127.88.131) was never cleaned-up properly and the attacker came back and changed the poisoning tool. This time, the DNS server gave out the following IP addresses: 209.123.63.168, 64.21.61.5, 205.162.201.11. All of these servers hosted the same simple webpage, which redirected people to the following URLs (which we have neutered): vparivalka .org /G7 /anticheatsys.php?id=36381 find-it .web-search .la ######################################################################## ## What domain names were being hijacked? ######################################################################## We received some logs from two of the machines that were used to launch the initial attack observed on March 4. Remember, that those machines were compromised. The log files from those machines indicate the following statistics over a 3 day period (Mar 2 - 5): o 1,304 domain names were poisoned/hijacked o 7,973,953 HTTP get attempts from 966 unique IP addresses. o 75,529 incoming email messages from 1,863 different mailservers. o 7,455 failed FTP logins from 635 unique IP addresses (95 unique user accounts). o 7,692 attempted IMAP logins (805 unique users, 411 unique IP addresses). o 2,027 attempted logins to 82 different webmail (HTTP) servers. Also during the activity on March 4, 2005, a security administrator who noticed the attack, exported a copy of his DNS cache, and sent it to us. For his site, there were 665 hostnames that were poisoned in his DNS cache. Since the .COM entry was poisoned, any future queries for any domain name ending in .COM would have re-directed his users to the hostile servers. I analyzed his cache dump to produce the list of poisoned domain names below. The following list shows how far-reaching this attack proved to be. The list is a small, categorized excerpt of the 665 domain names from his site (with my short notes) that were being re-directed to hostile web servers. It is very important to note that e-mail, FTP logins, HTTPS sessions, and other types of traffic were also being re-directed to the malicious servers. We do not believe that the attacker was reading e-mail or collecting passwords, but we have no conclusive proof to assert either theory. Please note that the below list is not a list of organizations that had their DNS cache's poisoned. These organizations were not compromised, although it is possible that customers of these sites unknowingly gave out login information or personal information to the malicious servers. Final disclaimer, this is just a short list of domain names that were poisoned at a single site. Any domain name could have been poisoned. Financial Services ------------------ americanexpress.com (credit cards) citicards.com (credit cards) billpay.quickbooks.com (financial software/services) adp.com (data processing) hrblockemail.com (financial services) Corporate Presence ------------------ dhl-usa.com (global shipping) fedex.com (global shipping) walmart.com (retail) samsclub.com (retail) kraftfoods.com (food products) averydennison.com (paper products, labels) ppg.com (worlwide commercial products) nortelnetworks.com (telecommunications) potterybarn.com (retail) weightwatchers.com (retail) dressbarn.com (retail) moviefone.com (online movie listings/purchase) nascar.com (car racing) officemax.com (retail office supplies) verizonwireless.com (wireless telephone service) qvc.com (retail) Media/Entertainment/News ------------------- cnn.com nbc.com abc.com fox.com foxnews.com espn.com yahoofs.com starwave.com (part of go.com) hotjobs.com (job search) chicagotribune.com tribune.com suntimes.com wgnradio.com businessweek.com wired.com randomhouse.com imdb.com (online music database) napster.com (online music) musicmatch.com (online music) allofmp3.com (online music) audible.com (online music) modblog.com (mobile blogging site) entertainment.com courttv.com Hardware/Software ----------------- trendmicro.com (anti-virus) redhat.com (linux vendor) msoffice.com microsoftoffice.com officeupdate.com giantcompany.com (microsoft's new anti-spyware) autodesk.com (AutoCAD) realone.com realplayer.com emc.com (enterprise storage) creative.com (consumer electronics) lavasoftusa.com (personal firewalls) tomshardware.com (pc hardware) ISP/Hosting/Search ------------------ msn.com compuserve.com realpages.com geocities.com hotbot.com switchboard.com cleanmail.com webex.com catalog.com about.com Health Industry --------------- webmd.com (online medical advice) lilly.com (pharmaceuticals) questdiagnostics.com (medical testing) Travel ------ orbitz.com sabre.com tickets.com ######################################################################## ## What were the victim sites? ######################################################################## Unless we receive very explicit approval to publish a victim's name, we do not publish their name. Instead, we offer some very generic information. Based on the number of e-mails that we received and by looking at the log files from the compromised servers, I would conservatively estimate that 500-1000 medium-to-large size organizations were affected by these attacks. There were about 10 organizations that contacted us that have over 1,000 employees. These organizations are from different sectors of the economy (banking, manufacturing, insurance, telecommunications). Interestingly, most of the victims appear to be in North or South America. ######################################################################## ## What malware was placed on my machine if I visited the evil servers? ######################################################################## The webservers in the first/third attack tried to drop a spyware program onto the victim's computer using a Microsoft Internet Explorer vulnerability for ANI cursor handling. The vulnerability was released on January 11, 2005 and further technical information can be found here: http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx Proof of concept exploit code was publicly released soon after the vulnerability was announced. The filenames being used in this attack were: abx.ani and abx22.ani. Using VirusTotal, these ANI files were detected as: Kaspersky: Trojan-Downloader.Win32.Ani.d McAfee: Exploit-ANIfile BitDefender: Exploit.Win32.MS05-002.Gen The ANI exploit attempted to download one of the following two executable files (same exact file) on the webserver: abx_search.exe or mhh.exe. These binaries were detected as: Kaspersky: AdWare.ToolBar.SearchIt.h Panda: Adware/AbxSearch If you were infected by this toolbar, you should run your favorite spyware/adware program to identify and clean it from your computer. ######################################################################## ## Got packets? ######################################################################## Here are packet captures from each attack that shows the DNS reply packets from the malicious DNS servers. The captures are decoded with tethereal and hex output is at the end of each packet. Notice that the second packet of each capture includes and additional RR for "com". This is the trigger for overwriting the normal "com" entries that are the official 13 root nameservers. The first packet capture was taken several days after the March 4 attack. It shows that the attacker has modified the address that is returned for any query. In this capture, I query for www.cisco.com and the malicious DNS server returns 209.135.140.198 which is definitely not the right answer (it should be 198.133.219.25). Frame 1 (2 on wire, 2 captured) Packet Length: 73 bytes Capture Length: 73 bytes Ethernet II Destination:Source: Type: IP (0x0800) Internet Protocol, Src Addr: 10.11.12.13 (10.11.12.13), Dst Addr: 216.127.88.131 (216.127.88.131) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 59 Identification: 0x0000 Flags: 0x04 .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: UDP (0x11) Header checksum: 0xf397 (correct) Source: 10.11.12.13 (10.11.12.13) Destination: 216.127.88.131 (216.127.88.131) User Datagram Protocol, Src Port: 34899 (34899), Dst Port: 53 (53) Source port: 34899 (34899) Destination port: 53 (53) Length: 39 Checksum: 0x9801 (correct) Domain Name System (query) Transaction ID: 0xd4f5 Flags: 0x0100 (Standard query) 0... .... .... .... = Response: Message is a query .000 0... .... .... = Opcode: Standard query (0) .... ..0. .... .... = Truncated: Message is not truncated .... ...1 .... .... = Recursion desired: Do query recursively .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 0 Queries www.cisco.com: type A, class inet Name: www.cisco.com Type: Host address Class: inet 0x0000 4500 003b 0000 4000 4011 f397 0a0b 0c0d E..;..@.@....... 0x0010 d87f 5883 8853 0035 0027 9801 d4f5 0100 ..X..S.5.'...... 0x0020 0001 0000 0000 0000 0377 7777 0563 6973 .........www.cis 0x0030 636f 0363 6f6d 0000 0100 01 co.com..... Frame 2 (2 on wire, 2 captured) Frame Number: 2 Packet Length: 119 bytes Capture Length: 119 bytes Ethernet II Destination: Source: Type: IP (0x0800) Internet Protocol, Src Addr: 216.127.88.131 (216.127.88.131), Dst Addr: 10.11.12.13 (10.11.12.13) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 105 Identification: 0x0000 Flags: 0x04 .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 51 Protocol: UDP (0x11) Header checksum: 0x006a (correct) Source: 216.127.88.131 (216.127.88.131) Destination: 10.11.12.13 (10.11.12.13) User Datagram Protocol, Src Port: 53 (53), Dst Port: 34899 (34899) Source port: 53 (53) Destination port: 34899 (34899) Length: 85 Checksum: 0x036c (correct) Domain Name System (response) Transaction ID: 0xd4f5 Flags: 0x8580 (Standard query response, No error) 1... .... .... .... = Response: Message is a response .000 0... .... .... = Opcode: Standard query (0) .... .1.. .... .... = Authoritative: Server is an authority for domain .... ..0. .... .... = Truncated: Message is not truncated .... ...1 .... .... = Recursion desired: Do query recursively .... .... 1... .... = Recursion available: Server can do recursive queries .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server .... .... .... 0000 = Reply code: No error (0) Questions: 1 Answer RRs: 1 Authority RRs: 1 Additional RRs: 0 Queries www.cisco.com: type A, class inet Name: www.cisco.com Type: Host address Class: inet Answers www.cisco.com: type A, class inet, addr 209.135.140.198 Name: www.cisco.com Type: Host address Class: inet Time to live: 1 day, 3 hours, 46 minutes, 39 seconds Data length: 4 Addr: 209.135.140.198 Authoritative nameservers com: type NS, class inet, ns 3sistersmassage.com Name: com Type: Authoritative name server Class: inet Time to live: 1 day, 3 hours, 46 minutes, 39 seconds Data length: 18 Name server: 3sistersmassage.com 0x0000 4500 0069 0000 4000 3311 006a d87f 5883 E..i..@.3..j..X. 0x0010 0a0b 0c0d 0035 8853 0055 036c d4f5 8580 .....5.S.U.l.... 0x0020 0001 0001 0001 0000 0377 7777 0563 6973 .........www.cis 0x0030 636f 0363 6f6d 0000 0100 01c0 0c00 0100 co.com.......... 0x0040 0100 0186 9f00 04d1 878c c6c0 1600 0200 ................ 0x0050 0100 0186 9f00 120f 3373 6973 7465 7273 ........3sisters 0x0060 6d61 7373 6167 65c0 16 massage.. At the time of the packet capture - 3sistersmassge.com resolved to 216.127.88.131 which was the same server I was talking to. Below is a packet capture from the second attack. This one shows several hostnames (but the same IP address) being returned as the root nameserver for .com. For this capture, I'm just showing the response from a query to lookup an obscure domain name (www.leroysprings.com). In this case, the malicious DNS server returns 222.47.183.18 as the IP address and it returns the same IP as the root nameserver for .com. Frame 1 Packet Length: 260 bytes Capture Length: 260 bytes Ethernet II Destination: Source: Type: IP (0x0800) Internet Protocol, Src Addr: 222.47.183.18 (222.47.183.18), Dst Addr: 10.11.12.13 (10.11.12.13) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 246 Identification: 0x0000 Flags: 0x04 .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 50 Protocol: UDP (0x11) Header checksum: 0x9c9d (correct) Source: 222.47.183.18 (222.47.183.18) Destination: 10.11.12.13 (10.11.12.13) User Datagram Protocol, Src Port: 53 (53), Dst Port: 32792 (32792) Source port: 53 (53) Destination port: 32792 (32792) Length: 226 Checksum: 0xfa49 (correct) Domain Name System (response) Transaction ID: 0x5494 Flags: 0x8500 (Standard query response, No error) 1... .... .... .... = Response: Message is a response .000 0... .... .... = Opcode: Standard query (0) .... .1.. .... .... = Authoritative: Server is an authority for domain .... ..0. .... .... = Truncated: Message is not truncated .... ...1 .... .... = Recursion desired: Do query recursively .... .... 0... .... = Recursion available: Server can't do recursive queries .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server .... .... .... 0000 = Reply code: No error (0) Questions: 1 Answer RRs: 2 Authority RRs: 4 Additional RRs: 4 Queries www.leroysprings.com: type A, class inet Name: www.leroysprings.com Type: Host address Class: inet Answers www.leroysprings.com: type A, class inet, addr 222.47.183.18 Name: www.leroysprings.com Type: Host address Class: inet Time to live: 1 minute Data length: 4 Addr: 222.47.183.18 www.leroysprings.com: type A, class inet, addr 222.47.183.18 Name: www.leroysprings.com Type: Host address Class: inet Time to live: 1 minute Data length: 4 Addr: 222.47.183.18 Authoritative nameservers com: type NS, class inet, ns ns1.m-dns.us Name: com Type: Authoritative name server Class: inet Time to live: 1 minute Data length: 14 Name server: ns1.m-dns.us com: type NS, class inet, ns ns2.com Name: com Type: Authoritative name server Class: inet Time to live: 1 minute Data length: 6 Name server: ns2.com com: type NS, class inet, ns ns1.bizwebb.us Name: com Type: Authoritative name server Class: inet Time to live: 1 minute Data length: 14 Name server: ns1.bizwebb.us com: type NS, class inet, ns ns2.com Name: com Type: Authoritative name server Class: inet Time to live: 1 minute Data length: 2 Name server: ns2.com Additional records ns1.m-dns.us: type A, class inet, addr 222.47.183.18 Name: ns1.m-dns.us Type: Host address Class: inet Time to live: 1 minute Data length: 4 Addr: 222.47.183.18 ns2.com: type A, class inet, addr 222.47.183.18 Name: ns2.com Type: Host address 0x0000 4500 00f6 0000 4000 3211 9c9d de2f b712 E.....@.2..../.. 0x0010 0a0b 0c0d 0035 8018 00e2 fa49 5494 8500 .....5.....IT... 0x0020 0001 0002 0004 0004 0377 7777 0c6c 6572 .........www.ler 0x0030 6f79 7370 7269 6e67 7303 636f 6d00 0001 oysprings.com... 0x0040 0001 c00c 0001 0001 0000 003c 0004 de2f ...........<.../ 0x0050 b712 c00c 0001 0001 0000 003c 0004 de2f ...........<.../ 0x0060 b712 c01d 0002 0001 0000 003c 000e 036e ...........<...n 0x0070 7331 056d 2d64 6e73 0275 7300 c01d 0002 s1.m-dns.us..... 0x0080 0001 0000 003c 0006 036e 7332 c01d c01d .....<...ns2.... 0x0090 0002 0001 0000 003c 000e 036e 7331 0762 .......<...ns1.b 0x00a0 697a 7765 6262 c05c c01d 0002 0001 0000 izwebb.\........ 0x00b0 003c 0002 c06c c052 0001 0001 0000 003c .<...l.R.......< 0x00c0 0004 de2f b712 c06c 0001 0001 0000 003c .../...l.......< 0x00d0 0004 de2f b712 c06c 0001 0001 0000 003c .../...l.......< 0x00e0 0004 de2f b712 c07e 0001 0001 0000 003c .../...~.......< 0x00f0 0004 de2f b712 .../.. ######################################################################## ## Got snort? ######################################################################## The following Snort signature should catch poisoning for the .COM domain. New signatures will be posted to the ISC site as we test and refine them. Also check http://bleedingsnort.com/ for the latest signatures. alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"com DNS cache poison"; content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|"; content:"|00 02|"; distance:1; within:2; byte_jump:1,-3,relative,from_beginning; content:"|03|com|00|"; nocase; within:5; classtype:misc-attack; sid:1600; rev:3;)