Companies and users are at serious risk from a loophole in the the Domain Name System (DNS) that could make financial scams such as phishing attacks practically undetectable, according to a study presented this week by researchers from Georgia Tech and Google.
The researchers, David Dagon, Chris Lee and Wenke Lee of Georgia Tech, and Niels Provos of Google, formally presented their study "Corrupted DNS Resolution Paths" on Monday at the Network and Distributed System Security Symposium (NDSS) in San Diego.
The attack they describe, called "DNS resolution path corruption", could be carried out by a simple piece of code implanted via a malicious website or email attachment, the study said. The code would change a file in the Windows registry settings, telling the PC to use the malicious server for all DNS information.
This would allow scammers to invisibly guide users to the malicious sites of their choice, getting around security tools such as anti-phishing software.
The exploit described in the new paper could lead to serious financial liabilities, according to DNS inventor Paul Mockapetris. In a published report this week he said it is only a matter of time before a crook makes off with up to $100m in a successful attack on a corporation.
The problem is "open recursive" DNS servers, which are used to tell computers how to find each other on the internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks, according to the study.
The researchers estimate that there are 17 million open-recursive DNS servers on the Internet, the vast majority of which give accurate information. Unlike other DNS servers, open-recursive systems will answer all DNS lookup requests from any computer on the Internet, a feature that makes them particularly useful for hackers.
The researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a "second secret authority" for DNS that is undermining the trustworthiness of the Internet, the researchers warned.
Attacks on the DNS system are not new, and online criminals have been changing DNS settings in victim's computers for at least four years now, Dagon said. But only recently have the bad guys lined up the technology and expertise to reliably launch this particular type of attack in a more widespread way. While the first such attacks used computer viruses to make these changes, lately attackers have been relying on web-based malware.
Using Google's network of web crawlers, researchers uncovered more than 2,100 Web pages that used exploit code to change the Windows registry of visitors.
IDG News Service's Robert McMillan contributed to this report.