Trusteer Warns ISPs and Enterprises to Protect Consumers from New Pharming Attack

Trusteer Warns ISPs and Enterprises to Protect Consumers from New Pharming Attack

Most Internet users may be at risk of new DNS Forgery Pharming Attacks. ISPs and Enterprises are advised to patch their DNS servers to avoid the attack.

Trusteer announced today that its CTO and security researcher Amit Klein has cracked BIND’s random number generator and demonstrated a new attack affecting most Internet users. In this “DNS Forgery Pharming” attack fraudsters can remotely force consumers to visit fraudulent websites without compromising any computer or network device.

What are DNS and BIND?
When a user enters a domain address such as www.bank.com into the browser’s address bar, the operating system needs to find the IP address associated with this domain address to connect the user to the website. This is achieved by transparently sending a Domain Name System (DNS) query to a DNS server, which is basically a large repository of domain addresses and their associated IP addresses. The DNS server returns a DNS response that includes the IP address of the requested website. The most popular DNS server today is BIND (Berkeley Internet Name Domain) developed and maintained by the Internet System Consortium (ISC).

About BIND’s Random Number Generator
To avoid DNS response forgery, an attack in which the fraudster sends a spoofed response with a bogus IP address to the requesting computer, BIND implements a standard DNS security mechanism, based on a randomly-generated number. This mechanism prevents fraudsters who do not control the route between the user and the DNS server from forging DNS responses and directing the user to the wrong server.

How BIND Random Number Generator Can be Breached
However, security researcher and Trusteer’s CTO, Amit Klein, has discovered a severe flaw in BIND’s implementation which allows fraudsters to efficiently predict generated random numbers without the need to control the route between the user and the DNS server. Using this vulnerability fraudsters can remotely forge DNS responses and direct users to fraudulent websites. The fraudulent website can steal the user’s sign-in credentials or tamper with the user’s communication with the website.

“This is a devastating attack,” said Klein, “by targeting a specific ISP’s DNS server the fraudster can easily direct all ISP users to a fraudulent website each time the user tries to access the real website. There is nothing the user can do to prevent the attack.”

A DNS manipulation attack is also known as Pharming and up until now the common belief was that fraudsters need to compromise either the user’s computer or the DNS server itself to launch the attack. This flaw enables launching a Pharming attack which works even if the user’s computer and the DNS server are highly secured.

Recommendations
Trusteer advises ISPs and Enterprises that manage a BIND 9 DNS server in a caching configuration to apply the latest patch released by the ISC. Existing desktop security solutions cannot protect against this type of attacks since DNS forgery pharming does not involve the user’s computer or the DNS server but rather the cached data on the DNS server. Mutual authentication solutions, such as Trusteer’s Rapport, which strongly authenticates the destination website and prevents access to unauthenticated websites, can defeat the attack.

Further Information
The vulnerability was first reported to ISC on May 29th 2007.
A fix was released on July 23rd, 2007. BIND administrators should upgrade to BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6.
Affected systems: All versions of BIND 9 in caching name server configuration
CVE: CVE-2007-2926
Trusteer’s research paper is available at: http://www.trusteer.com/docs/bind9dns_s.html

About Trusteer
Trusteer is a privately held corporation founded by senior Internet security industry executives with specific expertise in enterprise and consumer desktop security. The firm’s flagship product, Rapport, protects online business from “client-side” attacks such as phishing, pharming, key logging, man-in-the-middle, man-in-the-browser, and all other client-side identity threats and financial fraud attacks. Unlike conventional approaches which provide only partial solutions, Trusteer’s revolutionary prevention approach protects by controlling the risks involved in numerous client-side threats.