The looming threat of pharming

Security experts call it the soft underbelly of the Internet, and hackers, having drawn first blood, are ripping at it with new enthusiasm.

The vulnerable spot is DNS software -- typically the widely used BIND (Berkeley Internet Name Domain) -- and the hack is called pharming. Pharming is more insidious than the better-known phishing scam because a pharm redirects a user’s request for a legitimate URL to a phony Web site. Whereas phishing requires the user’s complicity in responding to a bogus e-mail, a user can be pharmed without doing anything out of the ordinary.

Pharming is possible because all URL’s have to be translated into IP addresses, which is the job of the DNS. A hacker who poisons a DNS server will cause that server to answer a correct URL request with a phony IP address and hijack a user’s Web interaction, usually for nefarious purposes.

It doesn’t take long. A typical pharm would redirect your request for your bank’s Web site and send it to a phony site. These sites tend to look quite legitimate, as anyone who has clicked on a phish link knows -- after all, it’s simple enough for hackers to suck down all the graphics from a popular Web site where money changes hands and build a home page that looks almost exactly like the real thing.

When the victim arrives at the sham site, he or she enters an ID, password, and PIN in the usual manner. A pop up then explains that the password is invalid. Victims think they have miskeyed and start over. By that time the hapless user has been shunted back to the real Web site, but the hackers have what they want: access to your account.

Plowing vulnerabilities

A series of high-profile pharms in March and April raised alarms across the Internet. Johannes Ullrich, an analyst at the SANS Institute, says the first of these involved a firewall/DNS server from Symantec, which attached extra IP addresses, sometimes called “glue records,” to legitimate requests.

“It is typical for a DNS server to send back additional information,” Ullrich explains, “especially if the request is for a very popular site like Google. There may be as many as a dozen legitimate Google servers with different IP addresses, and so the server may return some of the alternate addresses. In this case the server returned bogus addresses for [Symantec’s] entire dot-com domain.”

Bad glue records generally reside in a DNS server’s cache memory; hacking into the cache and adding those records is called DNS “cache poisoning.” According to both Ullrich and a Symantec representative, Symantec fixed the problem promptly. “We released a patch in March to stop the addition of glue records to DNS requests,” says Oliver Friedrichs, senior manager of security response at Symantec.

Microsoft was hit by a similar attack in April. An in-house Microsoft DNS server forwarded requests that it could not resolve to a hacked DNS server outside the firewall at an ISP. This forwarding arrangement is typical, SANS Institute’s Ullrich says. “If the ISP is running an older version of BIND [pre-Version 9], it can also return malicious IP addresses,” he explains. Older BIND software can’t filter for glue records, such as bogus .com IP addresses -- and Windows DNS can’t do it either. “Microsoft still says the external DNS servers should do the filtering,” Ullrich says.