New Internet browser threat sneaks by traditional defenses
Internet browser threat 'DNS rebinding' alters nothing and is impossible to trace, researchers say
By Tim Greene, Network World
March 16, 2010 03:39 PM ET
An undetectable browser exploit that bares corporate networks to attackers tops the list of the most potentially effective new attacks that have been devised by researchers seeking vulnerabilities to take advantage of, according to a study by White Hat Security.
The one attack deemed most serious is called DNS rebinding in which attackers turn victims' browsers into Web proxies that do the attackers' bidding, says Jeremiah Grossman, CTO of White Hat Security who, with the help of other experts, compiled the top 10 list of new threats as he has each year since 2006.
The attack works by tricking browsers into seeking internal servers on the victim's network under the direction of the attacker, who can order it to find and send corporate data to an outside machine, Grossman says. The browser exhibits no behavior out of the ordinary, and DNS servers are not tampered with, he says.
"It's pretty much impossible to see. It leaves no traces," Grossman says.
The deceit starts with the attacker setting up a Web site. When a victim tries to reach the site, the browser seeks a DNS resolution to turn the site name into an IP address. The site responds to DNS advertisements with the actual IP address of the site, but puts a very short time-to-live on the address. The victim reaches the site and the site downloads a malicious Java script to the victim's browser.
Once installed, the script issues a second request for the IP address of the attack site, and this time the site responds with an IP address of the type typically used for internal networks, so the browser essentially connects to a server on its own network, allowing a link to the attack server.
Browsers follow the principle of same-origin, which allows machines using the same host name to connect. In this case the browser has been told that the origin host name of the two servers -- the internal corporate machine and the attackers server outside -- is the same, so traffic between them is allowed.
Grossman cited Stanford University researchers who spend $100 on advertising to lure users into visiting their Web site configured to carry out DNS rebinding and managed to compromise 100,000 machines.
Since the exploit is carried out in Java script there is no malware executable to discover on victim machines. DNS servers are not compromised, so defenses against pharming don't work, he says. "DNS rebinding is really bad," Grossman says.