Archive for July, 2009

Jul 31 2009

Vulnerability in Bind 9 allows performing DOS against DNS server

Published by under Security Research

General Information

Bind is open source DNS server software used on Linux and Windows systems. On July 27th 2009, exploit code for a vulnerability in Bind was published, allowing attackers to crash Bind and take its domain resolution service offline.

 

Publishing date    Affected Software                 Severity
27/07/2009         Bind 9.4 (Linux and Windows)      High
                   Bind 9.5 (Linux and Windows)
                   Bind 9.6 (Linux and Windows)


Technical Details

Dynamic Update is a DNS protocol extension (RFC 2136) that allows records to be added to and deleted from a zone on a DNS server. The recently disclosed vulnerability lies in the Bind module that handles this protocol.

 

The basic format of a Dynamic Update message is:

      +---------------------+
      |        Header       |  
      +---------------------+
      |         Zone        |  Zone (domain name) that needs updating.
      +---------------------+
      |     Prerequisite    |  Does the record exist?
      +---------------------+
      |        Update       |  Change or delete the record?
      +---------------------+
      |   Additional Data   |   
      +---------------------+

 

The error occurs when Bind processes the Prerequisite section of this message. More precisely, if the named record exists on the DNS server and the Prerequisite section gives its type as “ANY”, two badly written lines of Bind code terminate the process, after which Bind can no longer answer subsequent domain name resolution requests.

 

By exploiting this vulnerability, attackers could easily carry out a denial of service (DoS) attack against any DNS server running Bind, which could have serious consequences, as DNS is the most important service on the Internet.
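As an added illustration (not code from the original advisory or from Bind), the following Python walks the sections of a Dynamic Update message in the order shown in the diagram above and reports prerequisite records whose type is ANY, the condition the advisory describes, so an operator can spot such messages in captured traffic. The sample message and the names in it are constructed placeholders.

```python
import struct

def _name(s):
    """Encode a dotted name in DNS wire format (labels prefixed by length, 0 terminator)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

# Constructed sample: an UPDATE (opcode 5) with one zone entry and one prerequisite
# RR of TYPE ANY / CLASS ANY with no RDATA ("name is in use" in RFC 2136 terms).
SAMPLE_UPDATE = (
    struct.pack(">HHHHHH", 0x1234, 5 << 11, 1, 1, 0, 0)  # ID, opcode=5, ZO=1, PR=1, UP=0, AD=0
    + _name("example.com") + struct.pack(">HH", 6, 1)      # Zone section: SOA, IN
    + _name("host.example.com") + struct.pack(">HHIH", 255, 255, 0, 0)  # Prereq: ANY ANY TTL=0 RDLEN=0
)

def read_name(msg, off):
    """Decode a wire-format name at offset off; follows compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if (n & 0xC0) == 0xC0:  # compression pointer: 14-bit offset into the message
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n

def parse_update(msg):
    """Split an UPDATE message into Zone, Prerequisite, Update and Additional sections."""
    ident, flags, zo, pr, up, ad = struct.unpack(">HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != 5:  # not an UPDATE message
        return None
    off = 12
    zone, off = read_name(msg, off)
    ztype, zclass = struct.unpack(">HH", msg[off:off + 4]); off += 4
    sections = {"zone": (zone, ztype, zclass), "prerequisite": [], "update": [], "additional": []}
    for key, count in (("prerequisite", pr), ("update", up), ("additional", ad)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10]); off += 10
            sections[key].append((name, rtype, rclass, ttl, msg[off:off + rdlen])); off += rdlen
    return sections

def risky_prerequisites(msg):
    """Prerequisite RRs with TYPE ANY (255): the shape the advisory says crashes Bind."""
    parsed = parse_update(msg)
    return [] if parsed is None else [rr for rr in parsed["prerequisite"] if rr[1] == 255]
```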

 

Solution

Rating this vulnerability as critical, Bkis recommends that administrators and organizations providing DNS service with Bind update Bind to the latest version.

 Bkis Security


Jul 14 2009

Korea and US DDoS attacks: The attacking source located in United Kingdom

Published by under Security Research

Bkis, as a member of APCERT, received a request from KrCERT (Korean Computer Emergency Response Team) to investigate the incident in which DDoS attacks were carried out against websites in South Korea and the US.

We analyzed the malware sample we received from KrCERT and located the botnet, which is controlled by 8 Command and Control (C&C) servers through control code embedded in a file named “flash.gif”. Every 3 minutes, the zombies randomly select one of the 8 servers to connect to and receive orders from. Notably, we found a master server located in the UK that controls all 8 C&C servers and directed last week's series of cyber-attacks. The source of the attacks has therefore been identified as being in the UK. The existence of this master server has not been reported before.

[Figure: ddos-attack-diagram]

To locate the source of the attacks, we fought back against the C&C servers and gained control of 2 of the 8. After analyzing the logs of these 2 servers, we discovered the IP address of the master server, 195.90.118.xxx, which is located in the UK. The master server runs the Windows 2003 Server operating system.

[Figure: ip-attack]

Over the past few days, the number of zombies has been estimated at 50,000 by Symantec and about 20,000 by the Government of South Korea. However, having taken control of two C&C servers and analyzed their logs, we counted the exact number of zombies that have been querying the C&C servers for commands. By that count, 166,908 zombies from 74 countries around the world were used in the attacks.

No   COUNTRY
1    Korea, Republic of
2    United States
3    China
4    Japan
5    Canada
6    Australia
7    Philippines
8    New Zealand
9    United Kingdom
10   Vietnam

Top 10 zombie host countries

Having located the attacking source in the UK, we believe it is entirely possible to identify the attacker. This of course depends on the US and South Korean governments. We have sent the IP address of the attacking source to KrCERT and US-CERT.

Nguyen Minh Duc

Senior Security Researcher / Bkis Security Director

Bkis has sent the details of its research and the information on the master server in the UK to US-CERT and KrCERT.

At present, US-CERT and KrCERT are cooperating to investigate the attack source.
