Avatar

DNS records are an attractive target for distributors of malware. By compromising the DNS servers for legitimate domains, attackers are able to redirect visitors to trusted domains to malicious servers under attacker control. DNS requests are served from dedicated servers that may service many thousands of domains. Compromising these servers allows attackers to take over domains as a wholesale attack, serving malware from any domain that uses the DNS service.

During the early morning of Monday 5 August, three Dutch web hosting companies apparently had the details of their name servers altered [1][2]. The attackers appear to have accessed an account at SIDN, the Dutch national domain registrar, and changed the details of the companies’ name servers to servers under the control of the attackers [3]. This resulted in DNS requests for the domains managed by the hosting companies to point at a website with IP address 178.33.22.5. This website displayed an ‘under construction’ message with a hidden iframe that pointed visitors’ browsers to an exploit kit hosted at:

hxxp://cona.com/removal/stops-followed-forces.php

This kit attempts to exploit two vulnerabilities on the web browsers of visitors. A PDF related vulnerability, CVE-2010-0188, and a yet unidentified Java exploit [1]. If either of these exploits is successful, a second piece of malware is downloaded, disguised as an image file:

hxxp://www.champagnekopen.nl/wp-content/uploads/2013/07/tr2.jpg

This file is actually an executable (.exe) file that installs a Tor client on the visitor’s machine, then connects over an encrypted channel to the IP address 154.35.32.5 and downloads content. Subsequently, the malware connects to 194.109.206.212, exchanges further content over an encrypted channel before connecting to Tor entrance nodes.

Although the DNS records were only compromised for a few hours, 3.30 – 8 a.m. GMT on Monday 5 August, the attackers set the Time to Live (TTL) value for their malicious DNS entries to 24 hours [6]. This means that any ISP that cached the DNS response for one of the affected domains would respond with the malicious response for up to 24 hours after the initial malicious DNS change had been resolved.

We have recently discussed the dangers of hosting companies publishing incorrect DNS information as part of articles on DNS misconfiguration and denial of service (DoS) attacks against Network Solutions [4][5]. It is not impossible that this particular attack has been inspired by the disruption to DNS services at Network Solutions. The website of SIDN was previously breached to host malicious files in July, but there is no indication that this incident is related [7].

In any case, it is very difficult for end users to protect themselves against such attacks; however, it is not impossible. The attackers compromised high reputation websites and were careful to host their malware on high reputation websites. Equally, their browser exploits and second stage malware were poorly detected by antivirus software. Nevertheless, clients who had patched their PDF readers and disabled the execution of Java by web browsers were protected against being compromised.

Enterprises should consider blocking Tor traffic on their networks. Although such traffic is difficult to detect from other encrypted network traffic, Cisco solutions are able to identify the context of such traffic and block Tor connections. Blocking this traffic would prevent the malware from communicating with the command and control server, and receiving further instructions.

References

[1] “DNS takeover redirects thousands of websites to malware,” Fox IT blog, 5 August 2013.
DNS takeover redirects thousands of websites to malware
[2] “SIDN supports investigation into incident involving one of its registrars,” SIDN news release, 7 August 2013.
https://www.sidn.nl/en/news/news/article/sidn-ondersteunt-onderzoek-naar-incident-bij-een-van-haar-registrars-1/
[3] “Correction to media reporting of incident,” SIDN news release, 7 August 2013.
https://www.sidn.nl/en/news/news/article/correctie-berichtgeving-incident-in-de-media-1/
[4] “Network Solutions Customer Site Compromises and DDoS,” Cisco blog, 17 July 2013

Network Solutions Customer Site Compromises and DDoS


[5] “‘Hijacking’ of DNS Records from Network Solutions,” Cisco blog 20 June 2013

‘Hijacking’ of DNS Records from Network Solutions


[6] “Storing DNS servers,” Digitalus service update, 5 August 2013.
http://noc.digitalus.nl/dashboard/136/Storing-DNS-servers
[7] “Precautionary action taken to ensure security,” SIDN news release, 10 July 2013.
https://www.sidn.nl/en/news/news/article/preventieve-maatregelen-genomen-2/



Authors

Martin Lee

EMEA Lead, Strategic Planning & Communications

Cisco Talos