Archive for July, 2008

Jul 25 2008

Bkis releases software checking for DNS Servers’ flaw

Published by under Security Research

The DNS cache poisoning exploit poses a serious threat of large-scale attack to DNS server systems, not only in Vietnam but all over the world. This is a critical vulnerability, especially now that hackers have succeeded in exploiting it. The problem is that server administrators have had no tool to check whether their systems are in danger, which leaves them puzzled. And one more question: if their systems have the flaw, how should they apply the patch?

On 07/25/2008, Bkis, from Hanoi University of Technology, Vietnam, released BkavDNSCheck, new software that checks for the Dan Kaminsky DNS flaw.

The advantage of this software is that BkavDNSCheck overcomes a limitation of Dan’s tool (http://www.doxpara.com). BkavDNSCheck can test exactly the DNS server that the DNS administrator wants to check, while Dan’s tool can only test the last upstream DNS server in the chain (one not owned by the checking DNS administrator).

Together with launching the software, Bkis has published articles on how to apply patches against this flaw to vulnerable systems, keeping Vietnam’s DNS systems away from a hazardous large-scale attack.

Recommendations to Network Administrators

To check the systems for this flaw, administrators should follow these steps:

  1. Download and run the “Bkav DNS Check” software from here: http://www.bkav.com.vn/DNSCheck/BkavDNSCheck.exe
  2. Use BkavDNSCheck to check whether your own DNS server is vulnerable to DNS cache poisoning or not. For details, please follow this link: http://security.bkis.vn/?p=71

If the system is reported as containing the flaw, follow these steps to fix it:

  1. Identify the vendor of the vulnerable system (Microsoft, Red Hat, …)
  2. Apply the appropriate patches for the system:

     Vendor                     Patch
  1  Microsoft Corporation      Click here
  2  Red Hat, Inc.              Click here
  3  Sun Microsystems, Inc.     Sun Solaris 8 (SPARC) – apply patch 109326-20 or newer: Click here
                                Sun Solaris 9 (SPARC) – apply patch 112837-14 or newer: Click here
                                Sun Solaris 8 (x86) – apply patch 109327-20 or newer: Click here
                                Sun Solaris 9 (x86) – apply patch 114265-13 or newer: Click here
  4  FreeBSD                    Click here
  5  Cisco Systems, Inc.        Click here

Recommendations to Individual Users:

Be cautious when accessing the internet during this period. If you encounter anything unusual when visiting familiar websites, contact the administrators of your company or organization, or your ISP helpdesk, as soon as possible so that a timely solution can be carried out. You should also keep your operating system patched and install an antivirus program to be protected from malicious code.

Technical description of the Subdomain Exploit DNS Cache Poisoning Flaw

The DNS protocol is an address resolution protocol used for mapping between domain names and their corresponding IP addresses. Under this protocol, when a DNS server receives an address resolution request from one of its clients, it looks up its cache and replies with the IP address for the requested domain name. However, if the domain name has not been cached, the DNS server forwards the request to another DNS server. It is this phase that has been found to contain the serious vulnerability, an exploit for which has been spreading over the internet for several days.

Here is the method that hackers have used in the exploit. The hacker (say computer H) sends a mass of address resolution requests to the DNS server chosen as the victim (say server A). The domain names to be resolved have been prepared so that server A cannot find them in its cache and thus has to relay the requests to the next DNS server (say server B). Each resolution exchange between A and B is authenticated only by a random transaction ID (TID). The Achilles’ heel is that this TID is merely a 16-bit number (at most 65535) and that every communication between A and B is made through a fixed port.

To carry out a DNS cache poisoning attack, before server A receives the replies from server B, the hacker continuously sends crafted packets spoofing B’s replies to that fixed port of A. If only one of these spoofed packets carries the same TID as the packet server A has been waiting for, it is accepted by A as legitimate and cached. From that point, the actual replies from server B are ignored by A. In this way, a hacker is able to poison the cache of server A, forcing it to map the attacked domain name to an IP address of the hacker’s choosing.

Having first appeared in the 1990s, the DNS cache poisoning flaw has been exploited by many different methods. It is a weakness in the design of the Domain Name System. For each of those exploitation methods, DNS server vendors have released corresponding preventative patches. But hackers have recently found a new attack method and continue to make use of this DNS cache poisoning flaw.

The key to this recently reported exploit is that hackers use subdomains to generate legitimate address resolution requests. These subdomains are created randomly in large numbers, ensuring that they do not already exist in the cache of server A and therefore forcing server A to generate an equal number of forwarding requests to server B. As a result, the probability that a spoofed packet crafted by the hackers has the same TID as the packet server A is waiting for increases considerably. Hackers thus have many more opportunities to successfully attack the cache of server A.
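As an added illustration (not part of the Bkis post and not the BkavDNSCheck tool), the following Python model quantifies the weakness just described: a 16-bit TID guessed against a fixed source port, and how many forced lookups via random subdomains it takes before a guess lands, compared with a resolver that also randomizes its UDP source port. The last function shows the kind of verdict a checker reaches from the source ports a resolver is observed to use; the port samples are constructed and all function names are my own.

```python
import math
import random
from collections import Counter

TXID_SPACE = 1 << 16  # the 16-bit transaction ID gives 65536 possible values

def guess_space(port_values=1):
    """Combinations a spoofed reply must match: TXID times usable source ports.
    port_values=1 models the fixed-port resolver described in the post."""
    return TXID_SPACE * port_values

def success_probability(queries, spoofs_per_query, port_values=1):
    """Chance that at least one of `queries` outstanding lookups (one per random
    subdomain) is poisoned when `spoofs_per_query` distinct forged replies arrive
    before the genuine answer from server B."""
    space = guess_space(port_values)
    per_query_hit = min(spoofs_per_query, space) / space
    return 1.0 - (1.0 - per_query_hit) ** queries

def queries_for_confidence(p, spoofs_per_query, port_values=1):
    """Forced lookups needed before poisoning succeeds with probability p."""
    space = guess_space(port_values)
    if spoofs_per_query >= space:
        return 1
    per_query_hit = spoofs_per_query / space
    return math.ceil(math.log(1.0 - p) / math.log(1.0 - per_query_hit))

def port_randomization_verdict(observed_ports, min_distinct_ratio=0.9):
    """Classify a resolver from the UDP source ports seen on its outbound queries:
    'fixed' (one port: the vulnerable case), 'weak' (a small pool) or 'random'."""
    distinct = len(Counter(observed_ports))
    if distinct == 1:
        return "fixed"
    if distinct < min_distinct_ratio * len(observed_ports):
        return "weak"
    return "random"

# Constructed samples of 60 outbound queries each (not real captures).
FIXED_PORT_SAMPLE = [53] * 60
SMALL_POOL_SAMPLE = [32768 + (i % 8) for i in range(60)]
RANDOM_PORT_SAMPLE = random.Random(2008).sample(range(1024, 65536), 60)

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT_SAMPLE), ("pool", SMALL_POOL_SAMPLE),
                         ("random", RANDOM_PORT_SAMPLE)]:
        print(f"{name:>6}: {port_randomization_verdict(sample)}")
    print("lookups to 50% with 100 spoofs each, fixed port:", queries_for_confidence(0.5, 100))
    print("same with 64512 random ports:", queries_for_confidence(0.5, 100, 64512))
```

With a fixed port, a few hundred forced lookups already give the attacker even odds; with a randomized source port the same budget needs tens of millions, which is why the vendor patches listed above add port randomization.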


Jul 25 2008

GUIDE FOR CHECKING DNS SERVER USING BKAVDNSCHECK.EXE

Published by under Security Research

CHECKING FOR DNS CACHE POISONING VULNERABILITY

(Document for Network Administrators)

To check whether your DNS servers are affected by the DNS cache poisoning vulnerability, follow these three steps:

  1. Configure the DNS server being checked (important).
  2. Use BkavDNSCheck.exe to check.
  3. Apply the patch if affected.

1. Configure the DNS server being checked (important)

You need to configure the DNS Server Forwarders function on the DNS server being checked, pointing the domain name BkavDNSCheck.vn to the IP address 203.162.1.239 (the server that hosts the checking software).

This section explains how to configure the 2 most popular DNS servers:

  • Microsoft DNS Server
  • BIND

1.1. Configure the server using Microsoft DNS Server

  • Log on to the DNS Server administration interface
  • Right-click on the DNS server, then select Properties
  • Select the Forwarders tab
  • Press New, type BkavDnsCheck.vn into the DNS domain box and press OK
  • Type 203.162.1.239 into the Selected domain’s forwarder IP address list
  • Press Apply and OK

1.2. Configure the DNS Server using Bind

  • Note: only apply this step if you use the BIND software
  • Add this configuration to the file /var/named:

        zone "bkavdnscheck.vn" IN {
            type forward;
            forwarders { 203.162.1.239; };
        };

  • Restart the DNS service

2. Use BkavDNSCheck.exe to check

[Figure: Subdomain Exploit DNS Cache Poisoning check scheme]

2.1. Download the BkavDNSCheck.exe software

2.2. Set up the DNS server information on the machine running BkavDNSCheck.exe

  • On the client running BkavDNSCheck.exe, open the Internet Protocol (TCP/IP) Properties window.
  • Important: change the Preferred DNS Server field to the private IP address of the DNS server being checked (see the image)

2.3. Run the check

  • Run BkavDnsCheck.exe
  • Press Scan and wait (about 60 seconds)
  • See the result, in 3 cases:

Case #1: The DNS server is not affected by the DNS cache poisoning vulnerability. You do not have to do anything; your DNS server is safe.

Case #2: Your DNS server is affected by the DNS cache poisoning vulnerability. You need to apply the patch as described in section 3.

3. Apply patch

After scanning with the BkavDNSCheck tool, if your DNS server is vulnerable to cache poisoning, you need to install the patches in order to prevent DNS cache poisoning attacks.

Follow these steps:

3.1. Identify the software:

  • Identify the vendor of the DNS server software used to resolve addresses (Microsoft, Red Hat, …)

3.2. Apply the patch matching your system

     Vendor                     Patch
  1  Microsoft Corporation      Click here
  2  Red Hat, Inc.              Click here
  3  Sun Microsystems, Inc.     Sun Solaris 8 (SPARC) – apply patch 109326-20 or newer: Click here
                                Sun Solaris 9 (SPARC) – apply patch 112837-14 or newer: Click here
                                Sun Solaris 8 (x86) – apply patch 109327-20 or newer: Click here
                                Sun Solaris 9 (x86) – apply patch 114265-13 or newer: Click here
  4  FreeBSD                    Click here
  5  Cisco Systems, Inc.        Click here

Jul 18 2008

Gamer watchful against new cheating form

Published by under Security Research

Lots of gamers have recently been attracted to some websites named “hack game”. According to an investigation by the Bkis center, this is actually a kind of phishing attempting to acquire sensitive information such as the usernames, passwords and credit card details of gamers.

The phishers created websites claiming that they were able to “hack” some online games, among the most popular ones such as Võ lâm Truyền kỳ (Vinagame), Thiên Long Bát Bộ (FPT Online), Audition (VTC Games)… Gamers were told that they could gain an amount of virtual money much greater than usual if they submitted their money to these websites when buying a new game card.

However, after having put their money into the websites, gamers would have their card information sent straight to the phishers’ email without any new money being added to their game accounts.

In order to fool victims, the cheaters had already prepared several websites imitating the interfaces of the official sites of the online game providers. For each money depositing form (online depositing, SMS depositing), they made a corresponding fake website, with the appropriate logo of the service providers such as VinaGame, FPT, VTC, Entrust… Therefore, if not careful, customers could mistake them for the legitimate sites and be deceived. This is a kind of social engineering technique in which phishers use the promise of a big profit to trick online game customers into their scam.

Jul 18 2008

Servers of Hosting Service Providers (HSPs) – new target of W32.Dashfer

Published by under Security Research

Even though it has dropped out of the top 5 for the first time since Dec 2007, W32.Dashfer still continues to pose a major threat to PC users in Vietnam. Last month, a large number of servers of Vietnamese Hosting Service Providers faced problems with this virus. As a result, each time visitors accessed these servers, they would see a malicious iframe attached to the websites’ content.

According to Bkis’s analysis, this situation is caused by some new variants of the W32.Dashfer virus. From one infected server, using the Address Resolution Protocol (ARP), Dashfer sends broadcast packets to all other servers in the same local area network, posing as the default gateway of the system. With this method, any traffic meant for the default gateway is mistakenly sent to the infected server instead, which modifies the data before forwarding it (a man-in-the-middle attack). More precisely, the websites hosted on these servers have a malicious iframe attached to them before the response reaches the clients.

[Figure: Operating scheme of W32.Dashfer inside an infected web server system]

Because W32.Dashfer modifies the responses of all servers in the same network segment, its impact can be on a very large scale, and all visitors to websites hosted on these servers would encounter the problem described. To solve this, HSPs should have their server infrastructure redesigned to be protected against ARP poisoning attacks within the LAN, and should apply an overall virus prevention solution as well.

These incidents have appeared at almost all of the largest HSPs in Vietnam.
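As an added illustration (not Bkis code and not part of the original post), here is an arpwatch-style check in Python of the kind an HSP could run on a LAN monitor to spot the behaviour described: one host broadcasting ARP replies that bind the gateway's IP address to its own MAC. The ARP records, addresses and all function and field names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since capture start (constructed)
    sender_ip: str   # IP the sender claims to own
    sender_mac: str  # MAC it binds that IP to
    broadcast: bool  # unsolicited reply sent to ff:ff:ff:ff:ff:ff

def arp_binding_alerts(replies, static_bindings):
    """Learn IP->MAC on first sight (static_bindings are pre-trusted, e.g. the
    gateway) and report every reply that contradicts the known binding.
    Returns (severity, ts, ip, known_mac, claimed_mac) tuples."""
    known = {ip: mac.lower() for ip, mac in static_bindings.items()}
    alerts = []
    for r in replies:
        claimed = r.sender_mac.lower()
        expected = known.setdefault(r.sender_ip, claimed)
        if claimed != expected:
            # Contradicting a pinned address (the gateway) is the fake-gateway
            # pattern; for other hosts it may just be a NIC or DHCP change.
            severity = "HIGH" if r.sender_ip in static_bindings else "MEDIUM"
            alerts.append((severity, r.ts, r.sender_ip, expected, claimed))
    return alerts

def impersonators(alerts, gateway_ip):
    """MAC addresses that claimed the gateway IP, with a count of claims each."""
    counts = {}
    for _sev, _ts, ip, _known, claimed in alerts:
        if ip == gateway_ip:
            counts[claimed] = counts.get(claimed, 0) + 1
    return counts

GATEWAY_IP = "10.0.0.1"
STATIC = {GATEWAY_IP: "00:11:22:33:44:01"}  # constructed trusted gateway MAC
# Constructed capture: normal traffic, then host .20 starts broadcasting replies
# that claim the gateway address every 5 seconds (the Dashfer pattern).
SAMPLE = [
    ArpReply(0.0, GATEWAY_IP, "00:11:22:33:44:01", False),
    ArpReply(1.0, "10.0.0.20", "00:11:22:33:44:20", False),
    ArpReply(2.0, "10.0.0.31", "00:11:22:33:44:31", False),
    ArpReply(7.0, "10.0.0.31", "00:11:22:33:44:32", False),  # NIC swap: MEDIUM
    ArpReply(10.0, GATEWAY_IP, "00:11:22:33:44:20", True),
    ArpReply(15.0, GATEWAY_IP, "00:11:22:33:44:20", True),
    ArpReply(20.0, GATEWAY_IP, "00:11:22:33:44:20", True),
]

if __name__ == "__main__":
    alerts = arp_binding_alerts(SAMPLE, STATIC)
    print(*alerts, impersonators(alerts, GATEWAY_IP), sep="\n")
```

Pinning the gateway binding statically on each server (and on the switch where it supports it) is the corresponding mitigation, since a spoofed reply then cannot displace the trusted entry.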


Jul 18 2008

Over 1.2 million computers have been infected by Kavo

Published by under Security Research

1,256,000 PCs in Vietnam were infected by a Chinese virus named W32.Kavo and its variants in June 2008. Statistics from the Bkis virus monitoring system also show that 639 new variants of Kavo were found in the wild during the month, which means 21.3 new variants daily and sets a new record for the speed at which a virus produces variants.

Since its first appearance on 09/11/2007, W32.Kavo has had 3,191 variants seen on the Internet. Infected systems are reported to be taken under the complete control of attackers, to have sensitive information stolen, to be unable to display files with the hidden attribute set, and to have Yahoo! Messenger put out of order.

Using a message hook technique, W32.Kavo hooks itself into the memory of every GUI process executing on the computer. In this way, Kavo is able to search that memory and reveal users’ account passwords. Due to a programming error, however, when it interferes with Yahoo! Messenger’s memory it causes a memory exception, crashing the whole Yahoo! Messenger process. On that account, many Yahoo! Messenger users in Vietnam have experienced the program crashing each time they sign in.

To be safe from this, you should download the latest version of Bkav from www.bkav.com.vn.
