Abusing DNS to spread malwareAbusing DNS to spread malwareAbusing DNS to spread malwareAbusing DNS to spread malware
From ...
What is DNS?What is DNS?
And why can it be abused?
What is DNS?
DNS – Domain Name System
DNS translates domain names
meaningful to humans into the
numerical identifiers asso...
Why can DNS be abused?
• Technical side
• Open, distributed design
• Lots of nodes
• Everybody can start one
• Usage of Us...
How can DNS be abused?How can DNS be abused?
Real-world examples
How can DNS be abused?
Instead of going into cool theoretical stuff about techniques of exploiting
DNS itself, I would rat...
Abusing DNS
Simple example: changing user’s DNS settings using ‘hosts’ file
That’s how normal ‘hosts’ file looks like
And ...
Abusing DNS
Simple example: changing user’s DNS settings using relocated ‘hosts’ file
That’s where ‘hosts’ file should be ...
Abusing DNS
Simple example: changing user’s DNS settings using network registry settings
That’s how ‘NameServer’ option sh...
Abusing DNS
More advanced example: Rorpian case
• First of all, malware gets on user’s PC via removable media
• Then, the ...
Abusing DNS
More high-level threat: hacking the routers
• Main security issues
• weak default passwords or no password cha...
Abusing DNS
How to hack million of routers?
Overhyped?
PAGE 12 | Kaspersky Powerpoint template – Overview | January 24 201...
Abusing DNS
Example: 2Wire case
Abusing DNS
Example: D-Link & Tsunami case
Malware goes even inside the router itself!Malware goes even inside the router ...
Abusing DNS
Examples: it’s only the beginning
Abusing DNS
Even more high-level threat: hacking the DNS servers
PAGE 16 | Kaspersky Powerpoint template – Overview | Janu...
Abusing DNS
Last example: mysterious google-analytics.com case
• Several months ago by Kaspersky Security Network (KSN) we...
ConclusionsConclusions
Conclusions
Summing it up
• DNS can be is hijacked/poisoned on every layer of network organization
structure
• Users
• Rou...
Conclusions
Summing it up
• From user side, more things can be done
• Again and again, strong passwords
• Hardening defaul...
Thank YouThank You
Evgeny Aseev, Senior Malware Analyst, Kaspersky LabEvgeny Aseev, Senior Malware Analyst, Kaspersky Lab
...
Upcoming SlideShare
Loading in …5
×

abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-卡巴斯基实验室资深病毒分析师 evgeny aseev

326 views

Published on

abusing dns to spread malware

Published in: Technology
1 Comment
0 Likes
Statistics
Notes
  • its perfect
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Views
Total views
326
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
5
Comments
1
Likes
0
Embeds 0
No embeds

No notes for slide

abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-卡巴斯基实验室资深病毒分析师 evgeny aseev

  1. 1. Abusing DNS to spread malwareAbusing DNS to spread malwareAbusing DNS to spread malwareAbusing DNS to spread malware From router to end-user Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab CNCERT/CC 2011 Annual Conference
  2. 2. What is DNS?What is DNS? And why can it be abused?
  3. 3. What is DNS? DNS – Domain Name System DNS translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devicesaddressing these devices worldwide DNS is a "phone book" for the Internet Examples: kaspersky.com -> 91.103.64.6 google.com -> 209.85.149.104
  4. 4. Why can DNS be abused? • Technical side • Open, distributed design • Lots of nodes • Everybody can start one • Usage of User Datagram Protocol (UDP) • Unreliable (no concept of acknowledgment, retransmission or timeout) • Not ordered (if two messages are sent to the same recipient, the order in which they arrive cannot be predicted)arrive cannot be predicted) • Human factor • Not well-qualified network administrators • Network security holes • Default hardware configurations • etc. • End-users themselves • The most easy object to abuse!
  5. 5. How can DNS be abused?How can DNS be abused? Real-world examples
  6. 6. How can DNS be abused? Instead of going into cool theoretical stuff about techniques of exploiting DNS itself, I would rather show some real-world examples of attacks and malicious programs related to DNS.
  7. 7. Abusing DNS Simple example: changing user’s DNS settings using ‘hosts’ file That’s how normal ‘hosts’ file looks like And that’s an infected example
  8. 8. Abusing DNS Simple example: changing user’s DNS settings using relocated ‘hosts’ file That’s where ‘hosts’ file should be located But it can be relocated and infected And original ‘hosts’ file remains unchanged
  9. 9. Abusing DNS Simple example: changing user’s DNS settings using network registry settings That’s how ‘NameServer’ option should look like But it can be manually changed..But it can be manually changed.. And immediately updated
  10. 10. Abusing DNS More advanced example: Rorpian case • First of all, malware gets on user’s PC via removable media • Then, the magic begins • Malware configures user’s system as DHCP server and starts listening to the local network • If the system is already infected, manually sets the DNS server to Google’s one (8.8.8.8) • When a DHCP request from another computer arrives, malicious DHCP Malware infection from any visited resource! • When a DHCP request from another computer arrives, malicious DHCP server attempts to answer before official one • If the attempt was successful, another computer’s DNS will be changed to malicious one • Which leads to..
  11. 11. Abusing DNS More high-level threat: hacking the routers • Main security issues • weak default passwords or no password change enforcement • insecure default configuration • firmware vulnerabilities & services implementation errors • lack of awareness
  12. 12. Abusing DNS How to hack million of routers? Overhyped? PAGE 12 | Kaspersky Powerpoint template – Overview | January 24 2011 Not at all.
  13. 13. Abusing DNS Example: 2Wire case
  14. 14. Abusing DNS Example: D-Link & Tsunami case Malware goes even inside the router itself!Malware goes even inside the router itself!
  15. 15. Abusing DNS Examples: it’s only the beginning
  16. 16. Abusing DNS Even more high-level threat: hacking the DNS servers PAGE 16 | Kaspersky Powerpoint template – Overview | January 24 2011
  17. 17. Abusing DNS Last example: mysterious google-analytics.com case • Several months ago by Kaspersky Security Network (KSN) we received tons of notifications of javascript Iframer malware planted on http://google- analytics.com/ga.js • ga.js downloaded from google-analytics.com was clean • But when we got some file from users.. It was infected! It seems like something is wrong with the local DNS • First version redirects user to domain name quehduid.com, which wasn’t even registered! • But still, we received notifications about exploits downloaded using this domain • Analyzed tons of malware which could be connected to this case • Found nothing common to DNS poisoning/hijacking • But found some interesting geographic pattern between versions It seems like something is wrong with the local DNS in these countries, isn’t it?
  18. 18. ConclusionsConclusions
  19. 19. Conclusions Summing it up • DNS can be is hijacked/poisoned on every layer of network organization structure • Users • Routers • DNS servers • DNS was not originally designed with security in mind • Thus has number of security issues• Thus has number of security issues • There are some technical things that can make it more secure • Domain Name System Security Extensions (DNSSEC) - cryptographically signed responses • OpenDNS - misspelling correction, phishing protection, content filtering, blocks bad IPs, stops bots from 'phoning home' • Google Public DNS - basic validity checking, adding entropy to requests, removing duplicate queries, rate-limiting queries
  20. 20. Conclusions Summing it up • From user side, more things can be done • Again and again, strong passwords • Hardening default hardware settings • Systematic updates of both firmware and software • Remote control through VPN • From hardware vendors side • Unique default passwords for devices • Secure default settings (disable or limit remote access!) • Emphasis on firmware security • From security vendors side • Miscellaneous checking for security (passwords, default settings, vulnerabilities etc.) • Inform user on possible security holes
  21. 21. Thank YouThank You Evgeny Aseev, Senior Malware Analyst, Kaspersky LabEvgeny Aseev, Senior Malware Analyst, Kaspersky Lab CNCERT/CC 2011 Annual Conference

×