
New Pharming Attack Now Exploitable on Microsoft Windows DNS Servers

Most Internet users may be at risk of new Pharming attacks based on DNS cache poisoning. ISPs and Enterprises are advised to patch their DNS servers to avoid the attack.

New York, NY (PRWEB) November 13, 2007 -- Trusteer announced today that the Microsoft Windows DNS Server is vulnerable to a severe DNS cache poisoning vulnerability which allows immediate execution of pharming attacks on consumers. Attackers could steal users' credentials and execute fraudulent transactions through this particular attack mechanism.

The attack was originally revealed this July when Trusteer's CTO, Amit Klein, cracked the popular BIND DNS server's random number generator. Following these discoveries, ISC, the consortium behind BIND, released a patch for BIND 9 and declared end of life for version 8. It is now public that the Microsoft Windows DNS Server, which is part of the Windows 2003 server, was cracked around the same time and is still vulnerable to the same attack.

The Domain Name System (DNS) translates domain addresses to IP addresses. It is a service consisting of a large number of DNS servers that store both domain addresses and their associated IP addresses. DNS servers communicate with one another to exchange address information. In order to avoid message spoofing, they base their communication on randomly generated transaction IDs.

A research paper released today by Trusteer's CTO, Amit Klein, reveals a method of predicting the transaction ID generated by Microsoft Windows DNS servers. By forecasting such transaction IDs, attackers can forge DNS messages and push bogus IP addresses into the DNS system. As a result, consumers would be directed to fraudulent websites each time they try to access legitimate websites. The fraudulent website can be used to steal user credentials and to execute fraudulent transactions.

"This attack especially concerns online financial organizations and merchants," claims Klein. "Attackers can target large ISP networks and direct all users of a specific bank in that network to a fraudulent website. There is nothing the user or the bank can do to stop this attack."

Recommendations
Trusteer advises ISPs and Enterprises that manage a Microsoft DNS Server in a caching configuration to apply the latest patch released by Microsoft. Existing antivirus and desktop security solutions cannot protect against this type of attack, since DNS cache poisoning does not involve the user's computer or the DNS server but rather the cached data on the DNS server. Trusteer's Rapport, a solution for online banks, brokerages, and retailers, which strongly authenticates the destination website and prevents access to unauthenticated websites, defeats this dangerous attack.

Further Information
The vulnerability was first reported to Microsoft on April 30th 2007.
A fix was released by Microsoft on November 13th 2007.
Affected systems: Microsoft Windows DNS Server (part of Windows 2003 and Windows 2000 servers)
Trusteer's research paper is available at: http://www.trusteer.com/docs/microsoftdns.html

About Trusteer
Trusteer is a privately held corporation founded by senior Internet security industry executives with specific expertise in enterprise and consumer desktop security. The firm's flagship product, Rapport, helps online banks, brokerages, and retailers secure the consumer desktop from identity theft and financial fraud attacks such as financial Trojans, keyloggers, pharming, and phishing. Unlike conventional approaches which provide only partial solutions, Trusteer's revolutionary prevention approach protects by controlling the risks involved in numerous client-side threats.

Contact:
Rakesh Loonkar
Trusteer
+1(646)247-5669

# # #
