Sunday, January 6, 2008

Part 2: DNS Poisoning

MyFamily.com's Browser Hijacker

Click to enlarge on Featurepics
"Business Hack," © fluca

The Ancestry Insider suffers from a problem that has affected many: his browser is sometimes hijacked to MyFamily.com. Frustrated to his fill, he finally fixated on finding and fixing this problem.

In part 1, An Unholy Alliance, the Insider investigated his first suspect: TGN's former use of Gator.

What could possibly cause hijacking of multiple browser versions, multiple browsers on both Macs and PCs and not show up in malware scans?!?

Part 2: DNS Poisoning

Computers like numbers. People, on the other hand, don't. Every website on the Internet has a name for people to use and a numeric address for computers to use. The names are called domain names. Some examples are www.ancestry.com and www.familysearch.org. The numeric addresses are called IP addresses. Some examples are [66.43.22.49] and [204.9.225.200], respectively.

Domain name IP Address
www.ancestry.com 66.43.22.49
www.familysearch.org 204.9.225.200

Example showing domain name translations

The domain name system (DNS) in your computer asks a DNS server (at your Internet Service Provider) to translate domain names into IP addresses. To speed up the translation, once a domain name has been translated to an IP address, the pair are saved or cached.

Click to enlarge on Featurepics
© fluca

A DNS cache entry is poisoned if the wrong IP address is saved for a domain name. For example, the IP address for www.myfamily.com is [66.43.25.130]. If a domain name such as xyz.familysearch.org is placed into the cache with the wrong IP address, then the cache has been poisoned.

Domain name IP Address
www.ancestry.com 66.43.22.49
www.familysearch.org 204.9.225.200
xyz.familysearch.org 66.43.25.130
www.myfamily.com 66.43.25.130

Example of a poisoned DNS cache

Ditto's Investigation

Michael Ditto was a senior software engineer with Sun Microsystems nearly 3 years ago when his Linux system started acting weird.

Several people have observed a problem on their networks where various web sites, apparently at random, would be replaced by www.myfamily.com. The problem comes and goes without obvious cause, and affects different web sites at different times. I started encountering this problem a few days ago. I clicked on a link to, say, www.imdb.com, and found myself looking at the home page for www.myfamily.com.

Ditto investigated the situation and wrote an article with his findings. It is titled The myfamily.com DNS poisoning problem.

He found that the mfns*.myfamily.net name servers incorrectly claim the authority to translate any .com domain name. And when asked to do so, they always return the address of MyFamily.com. In Ditto's words,

So, the reason that the problem appeared suddenly one day is that a piece of spam caused my name server to contact the misconfigured myfamily.com name server and thereby become poisoned. Once poisoned, the name server will behave improperly until it is restarted or the cache flushed somehow.

DNS poisoning would explain how the problem could affect all browsers and browser versions, both on Macs and PCs. It would explain why scanners could never detect any malware on my notebook. It seemed I had finally solved my mystery. Now, how do I solve the problem on my laptop?

MyFamily Should Fix the Problem

"Of course the administrator of the myfamily.com domain should fix their DNS and/or server configuration," said Ditto... three years ago.

The Measurement Factory does periodic surveys that look for DNS cache poisoners. Their September 2007 survey found the MyFamily name servers are still poisoning caches for .com, .net and .org domains and gave them an "evilness" rating of 2.0.

Not all current operating systems can be fooled by the errant MyFamily name servers. The Measurement Factory notes that Windows NT 2000 is vulnerable to poisoning while Windows 2003 is not, unless the administrator unchecks the "prevent cache poisoning" option. But even if your computer is immune, you can still be affected by this problem if a cache "upstream" from you gets poisoned.

Following the notes in Ditto's article, I verified that the MyFamily name servers have not been fixed. Mysteriously and unexpectedly, I also found that my laptop, running Windows XP, was unaffected by the MyFamily name servers' erroneous authority claims.

Now that I thought about it, my symptoms were different from those described by Ditto. Instead of the random hijacking of existing websites, I suffer from consistent redirection of nonexistent websites.

What then, is causing my browser hijacking?!?

Next time: A Virtual Private Hijacking.

2 comments:

  1. Thanks for the interesting info. I like these articles. You have the ability to explain in layman's terms the world of computer tech. Keep it up.

    ReplyDelete