Microsoft hands out antidote to poisoned URLs

Recommends changing server software configurations to help protect against DNS cache poisoning, a technique used in online attacks.

Matt Hines Staff Writer, CNET News.com
Matt Hines
covers business software, with a particular focus on enterprise applications.
Matt Hines
3 min read
In response to a heightened security alert, Microsoft has updated its customer advisories for protecting its server software against DNS cache poisoning attacks.

The software giant revised its recommended settings for some Windows Server products late Wednesday, clarifying which default configurations could leave computers open to the DNS poisoning threat. The security update was triggered by a report from the Internet Storm Center that it had received notices of a number of DNS cache poisoning attacks.

DNS cache poisoning involves the practice of hacking into domain name servers and replacing the numeric addresses of legitimate Web sites with the addresses of malicious sites. The scheme typically redirects Internet users to bogus Web pages where they may be asked for sensitive information or have spyware installed on their PCs, an online assault that has also become known as "pharming."

In early March, ISC first warned of DNS cache poisoning attacks that were redirecting users to Web sites hosting malicious software, including spyware. The attacks involved several different technologies, including Microsoft server software and security applications made by antivirus specialist Symantec.

A second round of attacks in late March attempted to funnel Web surfers to sites that marketed prescription medications, and the spyware attacks reappeared over the course of the last week, the ISC said.

In a posting to the watchdog group's Web site, ISC researcher Kyle Haugsness said that the individuals launching the DNS attacks continue to shift their strategies to prey on those who have not updated their server settings.

"After monitoring the situation for several weeks now, it has become apparent that the attacker(s) are changing their methods and toolset to point at different compromised servers in an effort to keep the attacks alive," Haugsness wrote in the report.

The issue affects Windows Server 2003 (standard, enterprise and datacenter editions), Windows 2000 Server (also the advanced and datacenter versions) and Windows NT Server 4.0 standard edition, Microsoft said in its advisory. Servers with Service Pack 3 installed, or that run software sold after the update was released, are already protected from DNS cache pollution by default. Otherwise, the needed settings must be turned on using the products' DNS Management Console.

ISC also outlined a second DNS cache poisoning scenario that exploits Microsoft products. Windows DNS servers, when they forward data to another server, expect the other servers to "scrub out" cache poisoning attacks. However, ISC said that in some cases, Windows DNS servers accept all data they receive in such transactions, regardless of their settings. The group recommended that people check to make sure that their server software is filtering out the DNS threats.

The increased frequency of DNS cache poisoning attacks led ISC to raise the threat rating for the problem to "yellow," indicating the emergence of a "significant new threat." The group's Infocon Internet infrastructure safety barometer, which tracks the gravity of threats to the Web's backbone, is similar to the color alerts used by the U.S. Department of Homeland Security.

While the yellow rating is only the third most severe score on ISC's four-color scale, it's worth noting that the group previously applied the same ranking to some of the Web's worst virus attacks, including the MSBlast and Slammer epidemics.