Pharming Attacks Through DNS Cache Poisoning

A month ago, a detailed assessment of a recently released vulnerability in BIND9 was conducted by Amit Klein to highlight the wide impact typical nameserver vulnerabilities have in general, and this one in particular. Now that an exploit is available as well, the possibility for large scale pharming attacks in an automated fashion, becomes fully realistic :

A program has appeared on the Milw0rm exploit portal which is able to exploit the recently reported vulnerability in the BIND9 nameserver. Transaction IDs can be predicted or guessed relatively easily, so the cache of a vulnerable nameserver can be poisoned. Phishers can use cache poisoning for pharming attacks on users by manipulating the assignment of a server name to an IP address. Even if the user enters the name of his bank in the address line of his browser manually, he will still be taken to a counterfeit web page.

Pharming, like any other threat usually receives a cyclical media attention, either prompted by a massive discovered attack, or to build awareness on an advanced phishing scheme to come in a typical “focus on current instead on emerging trends” mindset. How would access to a namerserver be obtained if not by hacking into it? The never-ending underground economy’s supply of goods model indicates that certain goods such as access to breached FTP, Web and DNS servers change value over time through the release of such exploits. So suddenly, an access to a namerserver gets a higher valuation than usual.

I’ve been using a handy Firefox add-on to keep track of the constantly changing IPs of various cyber jihadist forums and web sites for quite some time now. The tool is actually pitching itself as an anti-pharming add-on you ought to evaluate for yourself :

SCM performs Site Continuity Management validations on websites to help prevent Pharming attacks. Pharming attacks are an advanced form of Phishing where an adversary poisons the data held in the user’s DNS server. SCM is believed to be the first add-on to protect users from this advanced attack.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *