DNS Forgery Pharming - Remotely Force Consumers to Visit Fraudulent Websites Without Compromising any Computer or Network Device

    The "DNS Forgery Pharming" is an attack that can remotely force consumers to visit fraudulent websites without compromising any computer or network device. The new attack affecting most Internet users has been demonstrated by Trusteer CTO and security researcher Amit Klein. The most popular DNS server today is BIND (Berkeley Internet Name Domain) developed and maintained by the Internet System Consortium (ISC). Trusteer CTO and security researcher Amit Klein has cracked BIND's random number generator and demonstrated the new type of attack. When a user enters a domain address such as www.bank.com into the browser's address bar, the operating system needs to find the IP address associated with this domain address to connect the user to the website. This is achieved by transparently sending a Domain Name System (DNS) query to a DNS server, which is basically a large repository of domain addresses and their associated IP addresses. The DNS server returns a DNS response that includes the IP address of the requested website.

    The security researcher and Trusteer's CTO, Amit Klein, has revealed a severe flaw in BIND's implementation which offers fraudsters the possibility to efficiently predict generated random numbers without the need to control the route between the user and the DNS server. Using this vulnerability fraudsters can remotely forge DNS responses and direct users to fraudulent websites. The fraudulent website can steal the user's sign-in credentials or tamper with the user's communication with the website. BIND implements a standard DNS security mechanism, based on a randomly-generated number to avoid DNS response forgery. This mechanism prevents fraudsters who do not control the route between the user and the DNS server from forging DNS responses and directing the user to the wrong server.

    Klein stated: "This is a devastating attack. B targeting a specific ISP's DNS server the fraudster can easily direct all ISP users to a fraudulent website each time the user tries to access the real website. There is nothing the user can do to prevent the attack." This type of attack is also known as Pharming and up until recently the common belief was that fraudsters need to compromise either the user's computer or the DNS server itself to launch the attack. This flaw offers the possibility to launch a Pharming attack which works even if the user's computer and the DNS server are highly secured.

For more information visit http://www.trusteer.com/docs/bind9dns_s.html .