Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Warning: Hackers hijacking unused IP Addresses inside Trusted domains [POC]
From: "XSS Worm XSS Security Information Portal" <cross-site-scripting-security () xssworm com>
Date: Wed, 21 Nov 2007 21:45:35 +1100

*Domain Name System Hijacked: Hackers Abuse Domain-Name Trust*

*InternetWorld's ** Andy
**and Finjan's Yuval Ben-Itzahk <http://finjan.com/> discuss the fundamental
weaknesses in Finjan's Blacklist-based URL Filtering products **

Using variations on trusted, popular domains has long been a common tactic
for scammers, spammers and porn sites. But cyber criminals have devised a
new twist on the misspelled domain-name trick by *hijacking IP addresses*.
And they tried it on Yahoo.

To fix the old problem, server-based *security products* would *trace the IP
address* of the server behind the domain. Once *the IP address resolved the
misspelled domain name *, the *products *would then compare the IP address
against a *database of known fraudulent sites* or questionable locations. So
if a site were masquerading as eBay but the filters found it was really a
server in China that had only been established one week earlier, it would
block access.

[image: Finjan's sBen Itzakh on Web 2.0 Risks] " Web 2.0 sites are great fun
but also a great platform for hackers to host malicious code." - Ben Itzahk
from Finjan on why his product is still relevant.

In the case of Yahoo, security firm Finjan said *hackers exploited an unused
IP address within Yahoo's hierarchy and used that as the domain address
behind a forged Google Analytics domain name*. This fooled the Finjan
Web-filtering product into believing a person was going to a *highly trusted
Yahoo domain*. The victims, customers of Finjan, never knew they were on a
malicious Web site, and neither did the security mechanisms on the network.
(In this case, Finjan's Web-filtering product.)

"They managed to resolve the domain name to an IP address owned by Yahoo. *How
they added an address into a DNS server to appear to be an IP address owned
by Yahoo is unknown *," Yuval Ben-Itzhak, CTO of Finjan, told *
InternetNews.com*. He added that Yahoo, while responsive and quick to shut
down the compromised address, did not disclose exactly what equipment was
behind the compromised IP address.

[image: finjan network security product] "You can upload anything you like,
so you can upload malicious content, as well." - Ben-Itzahk on design flaws
within Finjan's Web-filtering product.

*Ben-Itzhak thinks something in the server was broken that enabled the bad
guys to push that content down to users without Yahoo knowing. He said **that's
a flaw in social networks <http://xssworm.com/>.*

"In 2007, something very clear has come out: these Web 2.0 sites are great
fun but also a great platform for hackers to host malicious code as well,"
said Ben-Itzhak. "You can upload anything you like, so you can upload
malicious content, as well. On MySpace we found hundreds of pages with
code <http://xssworm.blogvis.com/category/Malicious-code> this year."

Ben-Itzhak said *server-based security is still the primary mode of
defense*but also recommended
*browser plug-ins, such as Finjan's SecureBrowsing * or SnakeOil's
HackerExpert, both of which scan the actual content coming over the wire
from a site and alert the user if it's suspicious.

*InternetWorld* - Hackers Abuse Domain-Name
 [image: Finjan RUSafe Typical Product]

*"With Finjan's web security there will be no need to worry about getting
caught napping by the latest round of web-based threats" - SC Magazine*
* *

*Giorgei Jorge [xssworm <http://xssworm.com/?giorgei>] writes:*

After explaining that Finjan's server-based web security filtering products
fail to actually inspect web content or protect the user in any significant
way .. beyond checking to see if the target domain name is 'highly trusted'
such as Yahoo.com .. it's patently clear that this vendor is totally
qualified to discuss the emerging threats related to Web 2.0, social
networks and distributed passive attacks. It is also clear that Finjan's
server-based products are highly effective, technically advanced, provide
enhanced security for your users and in the context of modern web
vulnerabilities, are totally relevant and obviously worth the many tens of
thousands of dollars that Finjan charges for licensing and support.

To ensure that all web sites are thoroughly tested to ensure that they
belong only to *"highly trusted domains" such as yahoo.com* it is
recommended that users install Finjan's SecureBrowsing product.
SecureBrowsing does not actually check to see if a web site belongs to a
highly trusted domain such as yahoo.com, but it does actually inspect some
of the content in transit to ensure that only *highly trusted domains such
as yahoo.com* are allowed to install components silently into the browser or
take advantage of client vulnerabilities to execute arbitrary code on the
users desktop. When used in conjunction with the Finjan total security suite
of products, including Finjan's server-based web-filtering product and
Finjan's server and desktop email malware badware and anti-virus filter
scanning products and Finjan's Instant Messaging to Highly Trusted Domains
Like Yahoo.com Only Desktop filtering product, the user can be guaranteed
near real-time protection from the most popular and widely reported
malicious DNS host names. Security of the Web 2.0 is still somewhat
dependant on whether hackers can take over unused IP Addresses in Highly
Trusted domains - such as yahoo.com - but rest assured that Finjan
webgineers are working around the clock to combat these *new threats to your
information assets.*

Many thanks Giorgei for this report.

Francesco Vaj [CISSP - GIAC]
Senior Memetic Engineer
mailto: vaj () nospam xssworm com
aim: XSS Cross Site
XSS Cross-Site Faxing
DNS Fast Fluxing and Advanced Web 2.0 Vulnerability Blog (tm) 2007
"Vaj, bella vaj."
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]