News Release

How to smash the system

At first it was just a prank. Now hackers are corrupting the net for real, and their bogus sites could fool us all

Reports and Proceedings

New Scientist

COMPUTER criminals are coming up with ever stealthier ways to make money. Rather than attack PCs or email inboxes, their latest trick is to subvert the very infrastructure of the internet, the domain name system (DNS) that routes all net traffic.

In doing so, they redirect internet users to bogus websites, where visitors could have their passwords and credit details stolen, be forced to download malicious software, or be directed to links to pay-per-click adverts.

This kind of attack is called DNS cache poisoning or polluting. It was first done by pranksters in the early years of the internet, but it had limited impact and security patches eliminated the problem.

Now new loopholes have opened and poisoning appears to be back. This time experts can't be sure how much damage it might do. "We see the combination of DNS poisoning with other hostile actions as having a serious impact," says Swa Frantzen, a Belgium-based volunteer member of the SANS Internet Storm Center, a virtual organisation that monitors threats to the internet and has identified a recent spate of poisonings. In contrast, Joe Stewart of net security company Lurhq in Chicago, Illinois, who has documented the history of DNS poisonings, says there is no cause for alarm. "I think it's going to slowly die out," he says.

Poisoning is possible because of the way computers talk to each other to find internet addresses. The DNS is a global network of servers that, among other things, takes surfers to whatever websites they request. So for instance, if you are at work and you enter www.newscientist.com into a web browser, your PC will ask your company's DNS server to take it to the numeric Internet Protocol address that represents that domain name.

Your company's DNS server may know the IP address of the newscientist.com DNS server, but if it does not, it forwards the request to a DNS server of a local internet service provider. That ISP will know the newscientist.com address, or forward the request to a bigger ISP. This continues via a succession of computers until your PC discovers the location of the full IP address . The DNS is also designed to take short cuts. Once your DNS server has learned the location of www.newscientist.com, it stores it in a cache and routes directly to it. But herein lies the weakness of the system, because hackers can persuade some servers to cache "poisoned" information.

First they set up their own DNS server called, say, hacker.com. From here, they poison your company's DNS server by sending an email to a bogus email address at your company. This forces your company's server to exchange information with the hacker.com server, and that interaction gives the hacker a chance to insert a malicious code onto your company's server.

Stage two takes place when you next type www.newscientist.com into your browser. This time the hacker has instructed your company's server to send requests for this, and any other URLs they specify, to hacker.com. There the hacker has constructed a fake New Scientist web page; it looks identical, except the hacker gets to see any personal info you type in.

Replace New Scientist with your bank, and you can see how account holders could be conned into entering personal details and passwords onto a fake site without ever knowing.

Internet poisoning returned to the fore in early March, when DNS software provided by antivirus firm Symantec was found to have a bug that made poisoning possible. Weeks later, the SANS centre uncovered a second spate of poisonings, but this time it was due to a security loophole.

Most ISP servers run a free piece of DNS software called BIND, while most businesses' servers run Microsoft Windows DNS software. Both have been patched to stop hackers inserting bogus commands and poisoning cached information. However, the SANS centre says the loophole appears when a company couples servers together to increase the cache size. If one server runs an older version of BIND, such as BIND 4 or BIND 8, then it will forward on any poisoned information, and this will be accepted by recipient "child" servers running Microsoft. Companies can protect themselves by switching to BIND9, which will not accept or pass on poisoned information. But Gerhard Eschelbeck of the internet security company Qualys in Redwood Shores, California, says the problem may not be over. "I would not rule anything out. There are other creative ways that attackers can find to poison the DNS," he says. And poisoning is a much bigger deal than it was in the early days, because hackers can now use the technique to introduce "malware" onto servers and PCs, says Frantzen.

###

AUTHOR: CELESTE BIEVER

PLEASE MENTION NEW SCIENTIST AS THE SOURCE OF THIS STORY AND, IF PUBLISHING ONLINE, PLEASE CARRY A HYPERLINK TO: http://www.newscientist.com

"This article is posted on this site to give advance access to other authorised media who may wish to quote extracts as part of fair dealing with this copyrighted material. Full attribution is required, and if publishing online a link to www.newscientist.com is also required. The story below is the EXACT text used in New Scientist, therefore advance permission is required before any and every reproduction of each article in full. Please contact celia.thomas@rbi.co.uk. Please note that all material is copyright of Reed Business Information Limited and we reserve the right to take such action as we consider appropriate to protect such copyright."

THIS ARTICLE APPEARS IN NEW SCIENTIST MAGAZINE ISSUE: 23 APRIL 2005


Disclaimer: AAAS and EurekAlert! are not responsible for the accuracy of news releases posted to EurekAlert! by contributing institutions or for the use of any information through the EurekAlert system.