Full Disclosure mailing list archives
Warning: Hackers hijacking unused IP Addresses inside Trusted domains [POC]
From: "XSS Worm XSS Security Information Portal" <cross-site-scripting-security () xssworm com>
Date: Wed, 21 Nov 2007 21:45:35 +1100
*Domain Name System Hijacked: Hackers Abuse Domain-Name Trust*

*InternetWorld*'s Andy Patrizio <http://www.internetnews.com/feedback.php/http://www.internetnews.com/security/article.php/3712071> and Finjan's Yuval Ben-Itzhak <http://finjan.com/> discuss the fundamental weaknesses in Finjan's Blacklist-based URL Filtering products.

Using variations on trusted, popular domains has long been a common tactic for scammers, spammers and porn sites. But cyber criminals have devised a new twist on the misspelled domain-name trick by *hijacking IP addresses*. And they tried it on Yahoo.

To fix the old problem, server-based *security products* would *trace the IP address* of the server behind the domain. Once *the IP address resolved the misspelled domain name*, the *products* would then compare the IP address against a *database of known fraudulent sites* or questionable locations. So if a site were masquerading as eBay but the filters found it was really a server in China that had only been established one week earlier, it would block access.

"Web 2.0 sites are great fun but also a great platform for hackers to host malicious code." - Ben-Itzhak from Finjan on why his product is still relevant.

In the case of Yahoo, security firm Finjan said *hackers exploited an unused IP address within Yahoo's hierarchy and used that as the domain address behind a forged Google Analytics domain name*. This fooled the Finjan Web-filtering product into believing a person was going to a *highly trusted Yahoo domain*. The victims, customers of Finjan, never knew they were on a malicious Web site, and neither did the security mechanisms on the network (in this case, Finjan's Web-filtering product).

"They managed to resolve the domain name to an IP address owned by Yahoo. *How they added an address into a DNS server to appear to be an IP address owned by Yahoo is unknown*," Yuval Ben-Itzhak, CTO of Finjan, told *InternetNews.com*.

He added that Yahoo, while responsive and quick to shut down the compromised address, did not disclose exactly what equipment was behind the compromised IP address.

"You can upload anything you like, so you can upload malicious content, as well." - Ben-Itzhak on design flaws within Finjan's Web-filtering product.

*Ben-Itzhak thinks something in the server was broken that enabled the bad guys to push that content down to users without Yahoo knowing. He said that's a flaw in social networks <http://xssworm.com/>.*

"In 2007, something very clear has come out: these Web 2.0 sites are great fun but also a great platform for hackers to host malicious code as well," said Ben-Itzhak. "You can upload anything you like, so you can upload malicious content, as well. On MySpace we found hundreds of pages with malicious code <http://xssworm.blogvis.com/category/Malicious-code> this year."

Ben-Itzhak said *server-based security is still the primary mode of defense* but also recommended *browser plug-ins, such as Finjan's SecureBrowsing* or SnakeOil's HackerExpert, both of which scan the actual content coming over the wire from a site and alert the user if it's suspicious.

*InternetWorld* - Hackers Abuse Domain-Name Trust <http://www.internetnews.com/security/article.php/3712071>

*"With Finjan's web security there will be no need to worry about getting caught napping by the latest round of web-based threats" - SC Magazine*

*Giorgei Jorge [xssworm <http://xssworm.com/?giorgei>] writes:*

After explaining that Finjan's server-based web security filtering products fail to actually inspect web content or protect the user in any significant way ... beyond checking to see if the target domain name is 'highly trusted' such as Yahoo.com ... it's patently clear that this vendor is totally qualified to discuss the emerging threats related to Web 2.0, social networks and distributed passive attacks.

It is also clear that Finjan's server-based products are highly effective, technically advanced, provide enhanced security for your users and, in the context of modern web vulnerabilities, are totally relevant and obviously worth the many tens of thousands of dollars that Finjan charges for licensing and support.

To ensure that all web sites are thoroughly tested to ensure that they belong only to *"highly trusted domains" such as yahoo.com*, it is recommended that users install Finjan's SecureBrowsing product. SecureBrowsing does not actually check to see if a web site belongs to a highly trusted domain such as yahoo.com, but it does actually inspect some of the content in transit to ensure that only *highly trusted domains such as yahoo.com* are allowed to install components silently into the browser or take advantage of client vulnerabilities to execute arbitrary code on the user's desktop.

When used in conjunction with the Finjan total security suite of products, including Finjan's server-based web-filtering product and Finjan's server and desktop email malware, badware and anti-virus filter scanning products and Finjan's Instant Messaging to Highly Trusted Domains Like Yahoo.com Only Desktop filtering product, the user can be guaranteed near real-time protection from the most popular and widely reported malicious DNS host names.

Security of the Web 2.0 is still somewhat dependent on whether hackers can take over unused IP Addresses in Highly Trusted domains - such as yahoo.com - but rest assured that Finjan webgineers are working around the clock to combat these *new threats to your information assets.*

Many thanks Giorgei for this report.

vaj.

--
Francesco Vaj [CISSP - GIAC]
Senior Memetic Engineer
mailto: vaj () nospam xssworm com
aim: XSS Cross Site
------
XSS Cross-Site Faxing DNS Fast Fluxing and Advanced Web 2.0 Vulnerability Blog (tm) 2007
http://www.XSSworm.com/
------
"Vaj, bella vaj."
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
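The filter weakness the article describes, modelled as an added example that is not Finjan's code and not part of the post: a filter that trusts any hostname resolving into a trusted netblock allows the forged lookalike, while a filter keyed on the hostname itself flags the mismatch. The netblocks (RFC 5737 documentation ranges), the hostnames and the DNS table are all constructed.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample data, not real Yahoo or Google address space:
# RFC 5737 documentation ranges stand in for the trusted netblocks.
TRUSTED_NETBLOCKS = {
    "yahoo.com": ipaddress.ip_network("198.51.100.0/24"),
    "google.com": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS: Dict[str, str] = {
    "www.yahoo.com": "198.51.100.10",
    "analytics.google.com": "203.0.113.5",
    # Forged lookalike whose A record points at an unused address inside
    # the trusted netblock, the pattern the article describes.
    "google-analytics-stats.example": "198.51.100.250",
    "evil.example": "192.0.2.7",
}

def resolve(host: str) -> Optional[str]:
    return FAKE_DNS.get(host.lower().rstrip("."))

def registrable_domain(host: str) -> str:
    # Naive last-two-labels rule; production code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def netblock_owner(addr: str) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    return next((o for o, net in TRUSTED_NETBLOCKS.items() if ip in net), None)

def ip_reputation_filter(host: str) -> str:
    """Flawed design from the article: trust follows the resolved IP."""
    addr = resolve(host)
    return "allow" if addr and netblock_owner(addr) else "block"

def hostname_filter(host: str) -> str:
    """Hardened: trust follows the hostname; netblock ownership is only a
    consistency check, and any mismatch is flagged instead of trusted."""
    addr = resolve(host)
    if addr is None:
        return "block"
    domain, owner = registrable_domain(host), netblock_owner(addr)
    if domain in TRUSTED_NETBLOCKS:
        return "allow" if owner == domain else "suspicious"
    # Untrusted name resolving into a trusted netblock: hijacked/unused IP
    return "suspicious" if owner else "block"
```

The "suspicious" verdict is the signal worth logging: an untrusted hostname landing inside a trusted organisation's address space is exactly the unused-IP case the article reports.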