EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

01.24.09

DNS Suspended by Microsoft Windows Botnets

Posted in Microsoft, Security, Servers, Windows at 12:37 pm by Dr. Roy Schestowitz

Warpath of Web destruction

TWO DAYS ago I was unable to use the Internet properly. This network’s DNS servers came under massive attack at a time when hundreds of millions of Windows zombies ran rampant. It’s neither a new problem [1, 2] nor does affect just the network that I’m on. There are similar complaints and status reports out there on the Web right now.

Potential Latency on Network Solutions DNS

There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack. We are taking measures to mitigate the attack and speed up queries

—————-

There may be some latency on Network Solutions DNS Severs and some queries may be timing out. This may include instances when someone types a domain name into a browser and the website will temporarily not resolve. Network Solutions Operations is working on optimizing the DNS queries and investigating the issue.

There is nothing that prevents a determined cracker (or a gang of them) from taking down DNS globally [18, 19], especially given Windows botnets of biblical proportions . This almost happened 2 years ago and there are still no effective defenses in place. The same goes for the scale of botnets — a solution to which Microsoft cannot deliver.

“Microsoft slammed over security advice

US COMPUTER Emergency Readiness Team (US-CERT) has warned that Microsoft’s advice about how to beat the Downadup worm is flawed.

And things are getting worse before they get better.

A security expert has managed to transfer the digital signature of one Windows program to another, without invalidating the signature. Didier Stevens, who presented the attack in his blog, exploited the fact that Microsoft’s Authenticode code signing standard accepts the vulnerable MD5 hash algorithm. Stevens used this to generate two programs which have identical code signatures, but behave differently.

How long can this chaos [1, 2, 3] go on for? Many related news (2006-2008, re: DNS) are added as references below.

Airplane crash
What if aircrafts accepted Microsoft quality control?

_____
[1] Open source DNS server takes on BIND

Four companies led by Dutch non-profit NLnet Labs have launched an open source, Linux-compatible DNS (Domain Name System) server. “Unbound,” which is also sponsored by VeriSign, Nominet, and Kirei, claims to offer a validating, recursive, and caching DNS server that is faster than the open source DNS mainstay BIND.

[2] VeriSign Takes Aim at Open Source DNS

Now VeriSign, the company that runs that .com and .net domains, is aiming to provide an open source alternative to BIND, called Unbound.

[3] SocialDNS: Free Domains for a Free Internet

John Sullivan (FSF) invited me to present in this mailing list the SocialDNS project (http://www.socialdns.net).
I am very interested in obtaining feedback from the GNU community because we want to submit our project to the Free Software Directory soon.

[4] DNS Patches Slow Servers, but Fast Action Is Advised

Microsoft issued a mea culpa about its DNS update on July 17, saying that the patch was crippling some machines running its Windows Small Business Server suite. Then, on July 25, it said the patch could also affect some network services on systems running Windows Server 2008, Windows Server 2003 and Windows 2000. In both instances, Microsoft detailed work-arounds.

[5] DNS poisoners hijack typo domains

People arrive at these pages when the domain name they request is unavailable, because, for example, they mistyped the URL. ISPs use this redirection method, known as Typosquatting, to advertise free domains or competing products. In the present case, however, clients don’t arrive on the Typosquatter pages, but on pages with a crafted trojan.

[6] Microsoft DNS fix causes trouble for some

The Microsoft Corp. released a DNS fix in its patch slate for July, but the company seems to have problems just getting it to end users. Moreover, some users of the DNS fix have experienced additional difficulties.

So far, since Microsoft’s DNS fix was issued on July 10, there have been two separate problems associated with its installation.

[7] H D Moore has NOT been owned

From the “half truths that journo’s tell” file:

I’ve been following the Kaminsky DNS cache exploit issue closely since it was first announced – and no doubt so has everyone else in the security business. As such I was surprised to read a headline this morning that said that Metasploit founder H D Moore (and yes Virginia, there is a Santa Claus and I run Metasploit on a test machine too – who doesn’t?) had been ‘owned’ (should’ve been p’wned I think) by the DNS flaw.

The story is not true – at least according to H D Moore who claims he was misquoted by the journalist in question.

“In a recent conversation with Robert McMillan (IDG), I described a in-the-wild attack against one of AT&T’s DNS cache servers, specifically one that was configured as an upstream forwarder for an internal DNS machine at BreakingPoint Systems,” H D Moore wrote in a blog post. “Shortly after our conversation, Mr. McMillan published an article with a sensationalist title, that while containing most of the facts, attributed a quote to me that I simply did not say. Specifically, `”It’s funny,” he said. “I got owned.”

[8] SUBJECT: Microsoft SWI blog inaccuracies

As you know, 3 weeks ago I published my paper, “Microsoft Windows DNS Stub Resolver Cache Poisoning” (http://www.trusteer.com/docs/Microsoft_Windows_resolver_DNS_cache_poisoning.pdf),

simultaneously with Microsoft’s release of MS08-020 (http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx). A day later, Microsoft’s Secure Windows Initiative (SWI) team published their blog entry for MS08- 020 (http://blogs.technet.com/swi/archive/2008/04/09/ms08-020-how-predictable-is-the-dns-transaction-id.aspx).

Unfortunately, the SWI blog entry contains two serious mistakes. The first mistake is an inaccurate description of the PRNG used for the Microsoft Windows DNS client transaction ID. The second mistake is SWI’s claim that “attackers cannot predict a guaranteed, known-next TXID exactly even with this weakness”.

I contacted Microsoft about those mistakes, and while Microsoft did not refute my statements, they also refused to revise the blog entry. On one hand, I am inclined to tag this as a simple unwillingness on the side of the vendor to revise its materials and admit its mistakes. On the other hand, I cannot ignore the fact that the two mistakes, when combined, result in misleading the blog reader about the nature and the severity of the problem.

[...]

This is in stark contrast to SWI’s claims. Furthermore, Microsoft did have the full paper (actually, a draft of it which contains all the relevant technical information) well before the SWI blog was published. So the problem here is not an issue of SWI not having access to the paper when they wrote their blog entry.

[9] Microsoft preps 133 patches for Windows DNS hole

Microsoft is working on 133 separate updates for the problem, Budd wrote.

[10] Microsoft DNS Server Attacks Continue

The concept enables malicious users to run code remotely under the system privileges generally granted to the DNS service itself.

[11] Microsoft: Patch for critical DNS flaw may be ready by 8 May

The cmopany has been under pressure to address the flaw, reported last week, since software that exploits it has now been widely disseminated, and criminals are beginning to use it in attacks.

[12] Attack code raises Windows DNS zero-day risk

At least four exploits for the vulnerability in the Windows domain name system, or DNS, service were published on the Internet over the weekend, Symantec said in an alert Monday.

[13] Cybercrooks exploiting new Windows DNS flaw

Cybercrooks are using a yet-to-be-patched security flaw in certain Windows versions to attack computers running the operating systems, Microsoft warned late Thursday.

[14] Microsoft’s advisories giving clues to hackers

How’s this for a new twist on the old responsible disclosure debate: Hackers are taking advantage of information released in Microsoft’s pre-patch security advisories to create exploits for zero-day vulnerabilities.

[15] DNS security improves as firms tool up to tackle spam

Infoblox’s survey found that the number of internet-facing DNS servers increased from 9m in 2006 to 11.5m in 2007, indicative of the overall growth of the internet. Percentage usage of the most recent and secure version of open-source domain name server software – BIND 9 – increased from 61 per cent to 65 per cent over the last year. Use of BIND 8, by contrast, dropped from 14 per cent in 2006 to 5.6 per cent this year. Usage of the Microsoft DNS Server on web-facing systems also fell, decreasing to to 2.7 per cent in 2007 from five per cent last year.

[16] Use of rogue DNS servers on rise

The paper estimates roughly 68,000 servers on the Internet are returning malicious Domain Name System results, which means people with compromised computers are sometimes being directed to the wrong Web sites — and often have no idea.

[17] New shield foiled Internet backbone attack

ICANN has yet to determine the exact techniques used in the February attack. The incident will be discussed at a meeting of DNS root server operators later this month, the organization said.

[18] Zombie botnets attack global DNS servers

Hackers launched a sustained attack last night against key root servers which form the backbone of the internet.

Security firm Sophos said that botnets of zombie PCs bombarded the internet’s domain name system (DNS) servers with traffic.

“These zombie computers could have brought the web to its knees,” said Graham Cluley, senior technology consultant at Sophos.

[19] EveryDNS, OpenDNS Under Botnet DDoS Attack

The last time the Web mob (spammers and phishers using botnets) decided to go after a security service, Blue Security was forced to fold and collateral damage extended to several businesses, including Six Apart.

[20] Homeland Security sees cyberthreats on the rise

To test the nation’s response to a cyberattack, the Department of Homeland Security plans to hold another major exercise, called Cyberstorm II, in March 2008, Garcia said. A first such exercise happened early last year.

[21] Perspective: Microsoft security–no more second chances?

As if Homeland Security Secretary Michael Chertoff didn’t have enough on his plate.

Not only has he had to deal with Katrina and Osama. Now he’s also got to whip Steve Ballmer and the crew at Microsoft into shape. If past is prologue, that last task may be the most daunting of all.

[22] U.S. cyber counterattack: Bomb ‘em one way or the other

If the United States found itself under a major cyberattack aimed at undermining the natio’s critical information infrastructure, the Department of Defense is prepared, based on the authority of the president, to launch a cyber counterattack or an actual bombing of an attack source.

[23] US plans for cyber attack revealed

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

2 Comments

  1. Needs Sunlight said,

    January 24, 2009 at 12:50 pm

    Gravatar

    Dumping laws apply on the land. Why not also on the net?

    Want to run Windows? Ok, that’s your right. Want to plug your Windows box to the next? Bzzzt. First time, misdemeanor + fee. Second time, misdemeanor + community service + bigger fee. Third and subsequent times, misdemeanor + hefty fine + confiscation of all electronic equipment (TV, phone, vcr, camera, computer, etc.)

  2. DOUGman said,

    January 24, 2009 at 4:21 pm

    Gravatar

    Your laws seem extreme, but lets face facts. People must realize that they are responsible for their actions. When you learn to drive a car, you get educated for its use. Rough analogy, I know but you get the point.

    Education for computer use is KEY.

    D.

What Else is New


  1. Links 23/4/2018: Second RC of Linux 4.17 and First RC of Mesa 18.1

    Links for the day



  2. The Good Work of the Patent Trial and Appeal Board (PTAB) and the Latest Attempts to Undermine It

    A week's roundup of news about PTAB, which is eliminating many bad (wrongly-granted) patents and is therefore becoming "enemy number one" to those who got accustomed to blackmailing real (productive) firms with their questionable patents



  3. District Courts' Patent Cases, Including the Eastern District of Texas (EDTX/TXED), in a Nutshell

    A roundup of patent cases in 'low courts' of the United States, where patents are being reasoned about or objected to while patent law firms make a lot of money



  4. The Federal Circuit's (CAFC) Decisions Are Being Twisted by Patent Propaganda Sites Which Merely Cherry-Pick Cases With Outcomes That Suit Them

    The Court of Appeals for the Federal Circuit (CAFC) continues to reject the vast majority of software patents, citing Section 101 in many such cases, but the likes of Managing IP, Patently-O, IAM and Watchtroll only selectively cover such cases (instead they’re ‘pulling a Berkheimer’ or some similar name-dropping)



  5. Patents Roundup: Metaswitch, GENBAND, Susman, Cisco, Konami, High 5 Games, HTC, and Nintendo

    A look at existing legal actions, the application of 35 U.S.C. § 101, and questionable patents that are being pursued on software (algorithms or "software infrastructure")



  6. In Maxon v Funai the High 'Patent Court' (CAFC) Reaffirms Disdain for Software Patents, Which Are Nowadays Harder to Get and Then Defend

    With the wealth of decisions from the Court of Appeals for the Federal Circuit (CAFC) wherein software patents get discarded (Funai being the latest example), the public needs to ask itself whether patent law firms are honest when they make claims about resurgence of software patents by 'pulling a Berkheimer' or coming up with terms like “Berkheimer Effect”



  7. Today's European Patent Office Works for Patent Extremists and for Team UPC Rather Than for Europe or for Innovation

    The International Association for the Protection of Intellectual Property (AIPPI) and other patent maximalists who have nothing to do with Europe, helped by a malicious and rather clueless politician called Benoît Battistelli, are turning the EPO into a patent-printing machine rather than an examination office as envisioned by the EPC (founders) and member states



  8. The EPO is Dying and Those Who Have Killed It Are Becoming Very Rich in the Process

    Following the footsteps of Ron Hovsepian at Novell, Battistelli at the EPO (along with Team Battistelli) may mean the end of the EPO as we know it (or the end altogether); one manager and a cabal of confidants make themselves obscenely rich by basically sacrificing the very organisation they were entrusted to serve



  9. Short: Just Keep Repeating the Lie (“Quality”) Until People Might Believe It

    Battistelli’s patent-printing bureau (EPO without quality control) keeps lying about the quality of patents by repeating the word “quality” a lot of times, including no less than twice in the summary alone



  10. Shelston IP Keeps Pressuring IP Australia to Allow Software Patents and Harm Software Development

    Shelston IP wants exactly the opposite of what's good for Australia; it just wants what's good for itself, yet it habitually pretends to speak for a productive industry (nothing could be further from the truth)



  11. Is Andy Ramer's Departure the End of Cantor Fitzgerald's Patent Trolls-Feeding Operations and Ambitions?

    The managing director of the 'IP' group at Cantor Fitzgerald is leaving, but it does not yet mean that patent trolls will be starved/deprived access to patents



  12. EPO Hoards Billions of Euros (Taken From the Public), Decreases Quality to Get More Money, Reduces Payments to Staff

    The EPO continues to collect money from everyone, distributes bogus/dubious patents that usher patent trolls into Europe (to cost European businesses billions in the long run), and staff of the EPO faces more cuts while EPO management swims in cash and perks



  13. Short: Calling Battistelli's Town (Where He Works) “Force for Innovation” to Justify the Funneling of EPO Funds to It

    How the EPO‘s management ‘explained’ (or sought to rationalise) to staff its opaque decision to send a multi-million, one-day ceremony to Battistelli’s own theatre only weeks before he leaves



  14. Short: EPO Bribes the Media and Then Brags About the Paid-for Outcome to Staff

    The EPO‘s systematic corruption of the media at the expense of EPO stakeholders — not to mention hiring of lawyers to bully media which exposes EPO corruption — in the EPO’s own words (amended by us)



  15. Short: EPO's “Working Party for Quality” is to Quality What the “Democratic People's Republic of Korea” is to Democracy

    To maintain the perception (illusion) that the EPO still cares about patent quality — and in order to disseminate this lie to EPO staff — a puff piece with the above heading/photograph was distributed to thousands of examiners in glossy paper form



  16. Short: This Spring's Message From the EPO's President (Corrected)

    A corrected preface from the Liar in Chief, the EPO's notoriously crooked and dishonest President



  17. Short: Highly Misleading and Unscientific Graphics From the EPO for an Illusion of Growth

    A look at the brainwash that EPO management is distributing to staff and what's wrong with it



  18. Short: EPO Explains to Examiners Why They Should and Apparently Can Grant Software Patents (in Spite of EPC)

    Whether it calls it "CII" or "ICT" or "Industry 4.0" or "4IR", the EPO's management continues to grant software patents and attempts to justify this to itself (and to staff)



  19. Links 21/4/2018: Linux 4.9.95, FFmpeg 4.0, OpenBSD Foundation 2018 Fundraising Campaign

    Links for the day



  20. As USPTO Director, Andrei Iancu Gives Three Months for Public Comments on 35 U.S.C. § 101 (Software Patenting Impacted)

    Weeks after starting his job as head of the US patent office, to our regret but not to our surprise, Iancu asks whether to limit examiners' ability to reject abstract patent applications citing 35 U.S.C. § 101 (relates to Alice and Mayo)



  21. In Keith Raniere v Microsoft Both Sides Are Evil But for Different Reasons

    Billing for patent lawyers reveals an abusive strategy from Microsoft, which responded to abusive patent litigation (something which Microsoft too has done for well over a decade)



  22. Links 20/4/2018: Atom 1.26, MySQL 8.0

    Links for the day



  23. Links 19/4/2018: Mesa 17.3.9 and 18.0.1, Trisquel 8.0 LTS Flidas, Elections for openSUSE Board

    Links for the day



  24. The Patent Microcosm, Patent Trolls and Their Pressure Groups Incite a USPTO Director Against the Patent Trial and Appeal Board (PTAB) and Section 101/Alice

    As one might expect, the patent extremists continue their witch-hunt and constant manipulation of USPTO officials, whom they hope to compel to become patent extremists themselves (otherwise those officials are defamed, typically until they're fired or decide to resign)



  25. Microsoft's Lobbying for FRAND Pays Off as Microsoft-Connected Patent Troll Conversant (Formerly MOSAID) Goes After Android OEMs in Europe

    The FRAND (or SEP) lobby seems to have caused a lot of monopolistic patent lawsuits; this mostly affects Linux-powered platforms such as Android, Tizen and webOS and there are new legal actions from Microsoft-connected patent trolls



  26. To Understand Why People Say That Lawyers are Liars Look No Further Than Misleading Promotion of Software Patents

    Some of the latest misleading claims from the patent microcosm, which is only interested in lots and lots of patents (its bread and butter is monopolies after all) irrespective of their merit, quality, and desirability



  27. When News About the EPO is Dominated by Sponsored 'Reports' and Press Releases Because Publishers Are Afraid of (or Bribed by) the EPO

    The lack of curiosity and genuine journalism in Europe may mean that serious abuses (if not corruption) will go unreported



  28. The Boards of Appeal at the European Patent Organisation (EPO) Complain That They Are Understaffed, Not Just Lacking the Independence They Depend on

    The Boards of Appeal have released a report and once again they openly complain that they're unable to do their job properly, i.e. patent quality cannot be assured



  29. Links 18/4/2018: New Fedora 27 ISOs, Nextcloud Wins German Government Contract

    Links for the day



  30. Guest Post: Responding to Your Recent Posting “The European Patent Office Will Never Hold Its Destroyers Accountable”

    In France, where Battistelli does not enjoy diplomatic immunity, he can be held accountable like his "padrone" recently was


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts