The color of lies: DNSchanger, error resolution services, and ProtectIP/SOPA


Operation Ghost Click/DNSchanger dismantled a long-running criminal exploitation of the domain name system. As the malware's name suggests, DNSchanger interfered with the expected and intended behavior of domain name resolution: when Internet users tried to resolve certain domain names, the DNS returned IP addresses other than those the owner of the domain name intended. In the case of DNSchanger, the false information returned enabled criminals to defraud Internet advertisers (click-ad or pay-per-click fraud), collect bogus credit card payments, and prevent users from updating or patching security software (see Gary Warner's post for an excellent, detailed analysis).

The criminal intent of the actors here is quite apparent. DNSchanger forces the DNS to tell lies, very black lies. 

Other actors change the DNS in similar ways. 

Service providers who use error resolution services return synthesized responses in place of the NXDOMAIN ("non-existent domain") answer when a queried domain does not exist. Whether you call these responses synthesized, conjured, or "made up," they are at best grey lies, for several reasons. While certain Internet users may benefit from a helpful positive response over a non-existent domain, the registered domain name holder has no control over what this response looks like and does not profit from any proceeds resulting from the redirection.

Synthesized responses also have the potential to put the domain name owner and users at risk: analyses by Dan Kaminsky [1] and Bruce Schneier [2] demonstrate that it is possible to hack the web pages users are redirected to by using iframe, JavaScript or other injection techniques; thus, in certain circumstances, synthesized responses may have the same impact as black lies.
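To make the error-resolution case concrete, here is an added example (not code from the original post): it builds a DNS query for a nonce label that no zone serves, parses the reply, and tells an honest NXDOMAIN apart from a synthesized A record, which is the check a network operator would run against a resolver suspected of redirecting. The probe name, the 192.0.2.10 landing address and both replies are constructed for the demonstration; a real probe would send PROBE over UDP to the resolver under test and pass the reply to classify().

```python
import struct
A_RECORD, RCODE_NXDOMAIN = 1, 3

def encode_name(name):  # wire-encode a dotted name as length-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(pkt, off):
    """Decode the name at pkt[off:], following compression pointers; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer: jump, remember return point
            end, off = (off + 2 if end is None else end), ((ln & 0x3F) << 8) | pkt[off + 1]
            continue
        if ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def build_query(name, qid=0x1234):
    """Recursive (RD=1) A query for name, as a stub resolver or probe would send it."""
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", A_RECORD, 1)

def build_response(query, rcode, ips=()):
    """Constructed reply: echo the question, set RCODE, add one A record (TTL 60) per IP."""
    _, qend = decode_name(query, 12)
    hdr = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack(">HHIH", A_RECORD, 1, 60, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return hdr + query[12:qend + 4] + rrs

def classify(response):
    """Defender's check on a probe for a name that cannot exist: honest NXDOMAIN or a synthesized answer?"""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    _, off = decode_name(response, 12)
    off, ips = off + 4, []                         # skip QTYPE/QCLASS
    for _ in range(ancount):
        _, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        if rtype == A_RECORD:
            ips.append(".".join(str(b) for b in response[off:off + rdlen]))
        off += rdlen
    if flags & 0x000F == RCODE_NXDOMAIN:
        return "nxdomain", ips
    return ("synthesized", ips) if ips else ("other", ips)

PROBE = build_query("x7q4k2nonce.example.net")                 # constructed: a nonce label no zone serves
HONEST = build_response(PROBE, RCODE_NXDOMAIN)                 # classify -> ("nxdomain", [])
SYNTHESIZED = build_response(PROBE, 0, ips=["192.0.2.10"])     # classify -> ("synthesized", ["192.0.2.10"])
```

A NOERROR answer with a DNSSEC-validated A record would still show up here as "synthesized"; the point is that any positive answer to a nonce label the zone does not serve means something between the client and the authoritative server rewrote the reply.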

Recent bills under consideration in the US Congress, S.968 ProtectIP and H.R.3261 SOPA, contain provisions for the DOJ to issue court orders that compel DNS operators to (i) block resolution of domains that are allegedly associated with online piracy and brand infringement, or (ii) return synthesized responses, a.k.a. a Text of Notice, stating that "an action is being taken [against the domain name owner] pursuant to a court order obtained by the Attorney General".

Supporters of these bills believe that these synthesized responses are white lies. Those who oppose the bills see them as grey or black. Respected members of the Internet technical community note in a white paper that blocking (DNS filtering) creates serious security and operational problems and is easily circumvented. Others worry that the bills overreach in defining wrongdoing and may easily be abused. Opponents and supporters argue over whether due process protections are upheld or set aside in the interest of protecting copyrights and IP.

What Color is Your Lie?

Comparing how DNSchanger, error resolution services, and ProtectIP/SOPA affect users and the DNS sheds some light on why deciding whether a redirection is a black, grey or white lie is not a simple matter of black and white.

Redirection
  DNSchanger: Yes. To ad fraud or malicious pages.
  Error Resolution: Yes. To ad or landing pages.
  ProtectIP/SOPA: Yes. To a notice page; text determined by US AG.

Control over Redirection
  DNSchanger: Criminal. Specific domains are targeted; the domain registrant is often unaware that redirection is occurring.
  Error Resolution: 3rd party. "Non-existent domain" responses (user sees "page not found"); the domain name registrant has no control over landing page content or security.
  ProtectIP/SOPA: US AG. Domains identified in court order; registrant has no control over landing page content.

User notification
  DNSchanger: No. Criminals want malware to operate unobtrusively.
  Error Resolution: Not assured. Certain error resolution affiliates may provide notice.
  ProtectIP/SOPA: No. US AG may block or sinkhole rather than redirect domain.

Ad revenue
  DNSchanger: Yes. Criminal profits.
  Error Resolution: Yes. Error resolution provider or affiliate(s) profit.
  ProtectIP/SOPA: No.

Infection from DNS changed sites
  DNSchanger: Possible. If criminals redirect to an affiliate that hosts malicious executables.
  Error Resolution: Possible. If criminals hack the site to which users are directed.
  ProtectIP/SOPA: Possible. If criminals hack the site to which users are directed (no site is immune to attack).

Effect on DNSSEC
  DNSchanger: Bypass. The endpoint is compromised, and the malware points the client application to a different resolver that returns different data than requested.
  Error Resolution: Disruptive. A DNSSEC-enabled resolver that does its own validation will not accept a redirected response, nor will it trust an unsigned NXDOMAIN.
  ProtectIP/SOPA: Disruptive. A DNSSEC-enabled resolver that does its own validation will not accept a redirected response. Indistinguishable from error resolution or other kinds of redirection.

Remedy: mitigation, circumvention, bypass
  DNSchanger: Not assured. Like all infections, the only certain remedy is to wipe clean and reinstall from scratch.
  Error Resolution: Not assured. Some providers may offer an opt-out to the user.
  ProtectIP/SOPA: Prohibited. Attempts to circumvent may cause US AG to seek injunctive relief.

One final example of redirection may lend clarity to the discussion. Organizations that have been phished work with security professionals and law enforcement to identify malicious registrations or compromised servers where phish URLs are hosted. They work in cooperation, often with court orders but always with sufficient evidence of criminal activity that false positives are rare. Once phishing sites are taken down, organizations are encouraged to redirect would-be victims to an APWG Phishing Education Landing Page. This is done at the discretion or direction of the phished organization, with full understanding of and consent to the content and security of the landing page.

The process is not always as expeditious as victims and victimized brands would like, but it is effective, and it can be implemented in a manner that doesn't break DNS security, infringe on free speech or abuse due process. Rather than propose bills out of frustration, isn't it worth considering how to improve and accelerate processes that are working, and how to make them scale and work smoothly internationally?

Thanks to Steve Crocker, Joe St. Sauver and Paul Vixie for sanity checks and valuable input.
