SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


Additional DNSSEC Training with PowerDNS on May 7 and 8

We announced 3 one day DNS trainings in the end of February and all three trainings where fully booked within 24 hours. We are happy to see so much demand for DNSSEC in Switzerland.
We managed to add two more dates for the DNSSEC training together with PowerDNS
The training will be given at the following dates in Zurich:

7.5. Zurich, SWITCH
8.5. Zurich, SWITCH

The one day training will give you an introduction into DNSSEC and show you how to sign DNS zones on an autoritative DNS server.
We will use PowerDNS for the practical and hands on part. PowerDNS contains support for DNSSEC, enabling the easy serving of DNSSEC secured data, with minimal administrative overhead.

Agenda:

• Short introduction to DNSSEC
• how DNSSEC works
• keys / signatures / NSEC / NSEC3
• Working with DNSSEC and the PowerDNS Authoritative server
• Short overview over PowerDNS Authoritative server backends (MySQL, PostgreSQL, BIND, pipe, …)
• DNSSEC signing
• Pre-signed zones
• CDS
• Zone transfers
• Utilities (pdnsutil)
• The PowerDNS ALIAS record (and its future)

Required skills: Unix system administrator skills and DNS server know how.The training will be delivered in english.

More information and registration here:

https://www.eventbrite.com/e/dnssec-training-zurich-may-7-tickets-44474772241
https://www.eventbrite.com/e/dnssec-training-zurich-may-8-tickets-44474795310


5 Comments

DNSSEC training with PowerDNS in Switzerland

SWITCH is organising a one day DNSSEC training together with PowerDNS

The training will be given at the following dates:

9.4. Zurich, SWITCH
10.4. Bern, Uni
11.4. Carouge HESGE

The one day training will give you an introduction into DNSSEC and show you how to sign DNS zones on an autoritative DNS server.
We will use PowerDNS for the practical and hands on part. PowerDNS contains support for DNSSEC, enabling the easy serving of DNSSEC secured data, with minimal administrative overhead.

Agenda:

• Short introduction to DNSSEC
• how DNSSEC works
• keys / signatures / NSEC / NSEC3
• Working with DNSSEC and the PowerDNS Authoritative server
• Short overview over PowerDNS Authoritative server backends (MySQL, PostgreSQL, BIND, pipe, …)
• DNSSEC signing
• Pre-signed zones
• Zone transfers
• Utilities (pdnsutil)
• The PowerDNS ALIAS record (and its future)

Required skills: Unix system administrator skills and DNS server know how.The training will be delivered in english.

More information and registration here:

Zurich: https://www.eventbrite.com/e/dnssec-training-zurich-tickets-43350331007
Bern: https://www.eventbrite.com/e/dnssec-training-bern-tickets-43592055010
Carouge: https://www.eventbrite.com/e/dnssec-training-carouge-tickets-43592840359

Update 28.2.2018: All three trainings are fully booked after only 24 hours. We are happy to see so much interest in DNSSEC in Switzerland. Waitlist is now open.


16 Comments

94 .ch & .li domain names hijacked and used for drive-by

A Swiss domain holder called us today telling us that the .ch zone points to the wrong name servers for his domain.

The NS entries were ns1.dnshost[.]ga and ns2.dnshost[.]ga. We contacted the registrar and soon realized that this is not the only domain that had unauthorized changes. We identified 93 additional .ch and .li domain names that pointed to the two rogue name servers. While domain hijacking by pointing to a rogue NS is a known attack,  94 domains on a single day is very unusual. So we analyzed what the hijacked domains were used for and soon found out that they are used to infect internet users with malware.

Visitors to the hijacked domains were redirected to the Keitaro TDS (traffic distribution system):

hXXp://46.183.219[.]227/VWcjj6

A TDS decides where to redirect the visitor to, often depending on its IP address (i.e. country),
user agent and operating system.

A dead end may look like the following:

hXXp//46.183.219[.]227/favicon.ico
hXXp://46.183.219[.]227/www.bingo.com

And the visitor will be redirected to Google.

However, in some cases, the visitor is redirected to the Rig Exploit Kit:

hXXp://188.225.87[.]223/?doctor&news=...&;money=...&cars=236&medicine=3848
hXXp://188.225.87[.]223/?health&news=...
...

And the visitor gets infected.

The payload is Neutrino Bot:

MD5: a32f3d0a71a16a461ad94c5bee695988
SHA256: 492081097c78d784be3996d3b823a660f52e0632410ffb2a2a225bd1ec60973d).

It gets in touch with its command and control server and grabs additional modules:

hXXp://poer23[.]tk/tasks.php
hXXp://poer23[.]tk/modules/nn_grabber_x32.dll
hXXp://poer23[.]tk/modules/nn_grabber_x64.dll

A little later, it also gets an update

hXXp//www.araop[.]tk/test.exe

MD5: 7c2864ce7aa0fff3f53fa191c2e63b59
SHA256: c1d60c9fff65bbd0e3156a249ad91873f1719986945f50759b3479a258969b38)

Status

The rogue NS were inserted in the .ch zone file at around 13:00 today. The registrar discovered soon what happened and rolled back the unauthorized changes. At 16:00 all of the changes in the .ch & .li zone were reverted and the NS records pointed to the legitimate name servers again.

[Update 10.7.17 17:15]

Gandi the registrar of the 94 domain names has written a blog post, as well as SCRT the domain holder that initially informed us about the domain name hijacking of scrt.ch. SCRT also showed how Strict Transport Security protected their recurring visitors from being redirected to the bogus website!


1 Comment

DNSSEC Signing for .ch and .li on the Rise

The share of DNSSEC signed domain names in .ch and .li reached 1% for the first time in June 2017. While this is still a very low number compared to other ccTLDs, the number of DNSSEC signed domain names is increasing at a high rate for the last two quarters.

DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a set of technologies that secures the origin authentication and data integrity of the Domain Name System. It allows to detect DNS records that have been modified on the way from the authoritative name server to the client using a domain name. This helps to protect Internet users from going to bogus websites.

In addition from protecting Internet users from cybercriminals and state sponsored actors, DNSSEC is the base for important standards such as DNS-based Authentication of Named Entities (DANE).

DNSSEC in .ch and .li

DNSSEC was enabled for the .ch and .li zones in 2010 but unfortunately received a slow adaptation by domain holders. From 2013 there was a slow but steady growth of domain names signed with DNSSEC. In November 2016 we noticed a increased rate of DNSSEC signed domain names that accelerated in April 2017.

From now on SWITCH will publish statistics about the number of signed domain names for both ccTLDs .ch and .li on the nic.ch and nic.li website.

DNSSEC Signed Domain Names in .ch   DNSSEC Signed Domain Names in .li
Continue reading


6 Comments

Usage of .ch domain names for spamming malware Tofsee stopped

It is rare that a malware family uses .ch or .li domain names in their domain name generation algorithm (DGA). The last time I remember, that we had to take action against a malware using .ch or .li domain names was about 8 years ago. It was Conficker that infected millions of computers worldwide. The malware was generating about 500 .ch and .li domains a day to be potentially used as a command and control server. By then SWITCH joined the conficker working group to prevent the use of domain names by this malware.

Since then we have been watching the use of .ch and .li domain names in malware DGAs and prepared for this by making an agreement with the Registrar of Last Resort (RoLR) to prevent the registration of domain names used in DGA algorithms of malware.

This week the Swiss Govermental Computer Emergency Response Team (GovCERT) informed us about the malware Tofsee using .ch as one of the TLDs in its DGA. Continue reading


Safer Internet

Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend helped her to install a popular open-source content management system (CMS) for the website, so that she can change the menu every week and perform other updates herself. The parents of the kids were delighted to have access to this information online.

Three months after the website went online, one of the parents called her, telling her that the website was no longer available, and a warning was displayed instead. He also told her that he had a virus on his home PC and had to reinstall his operating system and change all his Internet passwords. When she talked to other parents that day, they told her the same.

What happened? Continue reading


Drive-by code and Phishing on Swiss websites in 2014

In 2014, about 1,800 Swiss websites were cleaned from drive-by code, compared with 2,700 in 2013, a decline of 33%. At the same time, the number of phishing cases affecting .ch and .li top-level domains rose from only a handful in 2013 to more than 300.

Drive-by code on Swiss websites in 2014

Last year, 35,796 suspicious drive-by URLs in the .ch and .li top-level domains were reported to SWITCH. Security experts from SWITCH-CERT automatically sent requests to these servers and analysed the responses, looking for malicious code injected into the HTML source code. When an expert identified malicious code, the registrar or domain name holder and the web hoster were notified and asked to remove it within one working day. This was done for 1,839 domain names in 2014. In 1,493 (81%) cases, the code was removed by the web hoster or domain holder within one day. For the other 346 domains, the deadline was not met, and the domain name was temporarily suspended to prevent further damage to website visitors. Some 264 (14%) of the infected websites were cleaned of malicious code, with the remaining 82 domain names having to be reactivated after five days, the maximum suspension time by law. A request for identification was sent to the holders of all 82 domains, resulting in an additional 59 (3.2%) of websites being cleaned. A total of 23 (1.3% of all notified) domain names were deleted after 30 days because the domain holder failed to respond to the identification request.

malware2015_E

Compromised .ch and .li websites used for drive-by infections by quarter

Continue reading