At 05:46 PM 8/15/03 -0700, Bill Stewart wrote:
> At 01:19 PM 08/15/2003 -0700, Major Variola (ret.) wrote:
>> Suppose malware appends a bogus entry to an infected machine's /etc/hosts (or more likely, MSwindows' \windows\blahblah\hosts file). (This constitutes a DNS attack on the appended domain name, exploiting
>> the local hosts' name-resolution prioritization.) If the appended IP address points to the same victim (66.66.66.66) on all the virus-infected machines, and the appended (redirected) domain name is popular ("google.com"
> Cute, but sounds like a lot of work compared to other obvious attacks you could do if you're spreading a virus anyway.
Yes, if you have virally owned a machine you can do much nastier. But this attack has the advantage that its effects would not be immediately recognized, nor could they be fixed in one spot once detected. Evolved diseases don't kill their hosts. Google is too useful to redirect. On the other hand, you can redirect an entire TLD (e.g. .mil), albeit on one machine at a time. Try doing that to one of The DNS Roots (pbut).
> The more popular version of this attack is to try to hack DNS servers, or poison DNS requests, so that DNS requests for google report the wrong thing.
Yes, I've followed discussions about SecDNS etc. before. The cute part of the local hosts-file attack is that local machines are *not* administered competently, whereas DNS servers (and even ISP caches) are more likely tended better.
> One problem with hacking the hosts files is that different versions of Windows tend to put them in different places, though perhaps if you target XP and 2000 and ME and 98 it's consistent enough to work.
OS detection is trivial once in, as is file/path detection. I bet a javascript program could do it, if the client security settings (ACLs) were poor.
> The real question is whether the bad guys would redirect to a victim, or to a fake web server run by them, so they could hand out bogus responses, such as redirects to various places around the web, potentially along with some advertising banners.
That's the virus author's choice, of course. In fact, I first thought of the attack as a DNS-redirect on domain names ---intending on random (or even localhost) misdirection. Upon thinking about it, the utility of all those 9AM Monday clicks became apparent. Diagnosing the situation would be a bushel of fun in the first hours either way.
> If it's a virtual server machine, though, you can't do that without disrupting all the clients on it, which is too bad;
Hadn't thought of virtual servers... "all your eggs in one basket" :-)
> If it's a router, that's a more interesting problem,
You're right: routers merely drop incoming port 80; any router DoS depends on sheer bandwidth, say routing the NYTimes.com clicks to Podunk-BackwaterTimes.com.
> because many routers have wimpy CPUs and do the routine work in ASICs -
ASICs are great except for exception handling, which is a vulnerability. I was working on Intel's network processors earlier this year. Amazing chips--they have hardware support for everything you do in an IP stack, buttloads of memory controllers, I/O up the kazoo, and a dozen hardware-supported thread contexts (hyperthreading) on each of a dozen high-clockrate RISC engines. But they all defer exception packet processing to the onboard ARM, which might alert the host system or at least log the exception by incrementing a counter. But the ARM is not as fast as the threads and could perhaps be overwhelmed. Perhaps the subject of a future Gedanken Design Idea.

-----
"When the rotary telephone first came out, people said, 'You mean I have to dial seven numbers?' "
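The defender's side of the hosts-file attack discussed in the thread, as an added example that is not part of the original mail: a small auditor that parses a hosts file (the format is the same on Unix and Windows: one address, one or more names, `#` comments), flags watched names whose resolution the file overrides, and reports any single non-loopback address that collects several names, which is the fingerprint of every infected machine being pointed at one victim. Since a hosts entry only beats DNS on an exact name match, the check works on exact names, not whole TLDs. The sample hosts content, the watched-name list and the victim address 66.66.66.66 are constructed for the example; the Windows path assumed is the NT-family `%SystemRoot%\System32\drivers\etc\hosts` (Windows 9x/ME kept it directly under the Windows directory, which is the version spread the thread alludes to).

```python
"""Audit a hosts file for the kind of appended entry discussed in the thread.

Added example, not code from the original post. The hosts content below is
constructed; the watched-name list and the Windows path are assumptions.
"""
import ipaddress
import os
from typing import Dict, List, NamedTuple, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Names worth protecting (assumption: a site would use its own list).
WATCHED_NAMES = {"google.com", "www.google.com", "windowsupdate.microsoft.com"}

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# Constructed sample: a stock Windows header plus the malware's appended lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# appended by malware (constructed for this example)
66.66.66.66     google.com www.google.com
127.0.0.1       windowsupdate.microsoft.com
not-an-ip       junk
"""


class HostsEntry(NamedTuple):
    line_no: int
    address: IPAddress
    name: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse the format shared by /etc/hosts and the Windows hosts file.

    One address followed by one or more names per line; '#' starts a
    comment.  Malformed lines are skipped instead of raising, because an
    attacker can pad the file with junk to trip a naive parser.
    """
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append(HostsEntry(line_no, addr, name.lower().rstrip(".")))
    return entries


def find_hijacks(text: str, watched=frozenset(WATCHED_NAMES)) -> List[Tuple[int, str, str, str]]:
    """Report watched names whose resolution the hosts file overrides.

    A hosts entry beats DNS only on an exact name match (no wildcards), so
    a watched name pointing at a non-loopback address is a redirect (to
    66.66.66.66 in the thread's scenario), and one pointing at loopback is
    a blackhole, the usual trick for blocking update servers.
    """
    findings = []
    for e in parse_hosts(text):
        if e.name in watched:
            kind = "blackholed" if e.address in LOOPBACK else "redirected"
            findings.append((e.line_no, e.name, str(e.address), kind))
    return findings


def shared_targets(text: str) -> Dict[str, List[str]]:
    """Non-loopback addresses that collect more than one name.

    Many names funnelled to one address is the signature of the thread's
    attack: every infected machine sends its 9 AM clicks at one victim.
    """
    by_addr: Dict[str, List[str]] = {}
    for e in parse_hosts(text):
        if e.address not in LOOPBACK:
            by_addr.setdefault(str(e.address), []).append(e.name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


def default_hosts_path() -> str:
    """Where the hosts file lives (assumption: NT-family Windows or Unix)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS  # no argument: audit the constructed sample
    for line_no, name, addr, kind in find_hijacks(text):
        print(f"line {line_no}: {name} {kind} to {addr}")
    for addr, names in shared_targets(text).items():
        print(f"{addr} collects {len(names)} names: {', '.join(names)}")
```

Run it with no argument to audit the embedded sample, or pass the path from `default_hosts_path()` to audit the live file; the loopback case is flagged separately because a hosts entry that blackholes a watched name is as much a hijack as one that redirects it.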