Feeds

DNS flaw reanimates slain evil sites as ghost domains

Life after death trick could be exploited by cyber-crooks

Intelligent flash storage arrays

Analysis Cyber-crooks may be able to keep malicious domains operating for longer - even after they are revoked - by manipulating the web's Domain Name System (DNS).

A weakness in the cache update logic of many widely used DNS servers creates the potential to establish so-called ghost domains, according to a recent joint study by a team of researchers from universities in China and the US. These DNS servers are critical to the running of the internet: they convert human-readable domains into numeric addresses that networking kit can understand in order to route, say, page requests to the right websites.

In their paper Ghost Domain Names: Revoked Yet Still Resolvable, the researchers – Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu – explain:

Attackers often use domain names for various malicious purposes such as phishing, botnet command and control, and malware propagation. An obvious strategy for preventing these activities is deleting the malicious domain from the upper level DNS servers.

In this paper, we show that this is insufficient. We demonstrate a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers.

Our experiments with 19,045 open DNS servers show that even one week after a domain name has been revoked and its TTL expired, more than 70 per cent of the servers will still resolve it.

The researchers found that DNS server implementations by BIND, Microsoft and OpenDNS are all potentially vulnerable. There's evidence that the vulnerability has been exploited, and the prevalence of the flaw make the possibility of attack far from theoretical.

"This vulnerability can potentially allow a botnet to continuously use malicious domains which have been identified and removed from the domain registry," the Sino-American team warns.

The academics suggest various approaches towards mitigating the problem. Independent experts in the field agree that ghost domains pose a risk but disagree about how much danger it poses or how difficult it might be to fix.

Jack Koziol, a director at the InfoSec Institute, a Chicago-based security biz, told El Reg that ghost domain DNS trickery might be used by cyber-crooks to keep malicious domains alive and resolvable for much longer, perhaps even indefinitely. He thinks the flaw will be tricky to correct.

Koziol reckons the ghost domain tactic will make life far easier for cyber-crooks while making it far harder to scrub the traces of malicious domains from the net.

"If you have a domain that is doing really bad stuff, serving up fake AV malware, phishing, etc, it can be deleted at the TLD level to get it off the internet," Koziol explained. "Malware authors that used the domain basically could do nothing about it, they would just move to a new domain (which could be very disruptive to serving malware or phishing pages, etc).

"Now, with this ghost domain exploit, malware authors can keep their domains alive indefinitely, because of the vulnerability described, deleting domains at the TLD level isn’t going to work any longer. It vastly complicates the effort behind getting bad domains off the internet."

Prateek Gianchandani, a security researcher at the institute, has published a detailed analysis of ghost domain problem, including screenshots of DNS lookups to illustrate the risk, here.

The InfoSec Institute hasn't seen the flaw exploited in anger as yet, but nonetheless considers it a serious risk. "We don't have documented proof yet, but have a few scripts running to watch for it," Koziol explained.

Cricket Liu, a DNS book author, expert and vice-president of architecture at DNS appliance firm Infoblox, agreed that ghost domains posed a potential threat, but said this issue was neither particularly severe nor hard to prevent.

"It is a threat, but I think it's worth pointing out that it's relatively simple to prevent," Liu explained. "By only restricting recursive queries to authorised clients with an ACL [Access Control List] (that is, not running an open recursive name server), you'd prevent malicious folks on the internet from refreshing their delegation."

"DNSSEC offers another layer of protection; zones that have been signed don't have this problem. (Of course, that's incentive for bad guys not to sign the zones they use for their malicious purposes.)"

The high-water mark of DNS security flaws was set by a widespread cache poisoning problem famously identified by security researcher Dan Kaminsky back in 2008. Liu reckons the ghost domain flaw is nowhere near as severe - not least because it doesn't involve a flaw in the DNS protocol itself, unlike the earlier Kaminsky mega-bug.

"This vulnerability and the Kaminsky vulnerability are very different," he explained. "This new one doesn't let you inject arbitrary data into a cache, it only lets you maintain some existing data in a cache; it is worth noting that the impact is minimal if the vulnerability is actually executed." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.