Security Watch: Squatters Jumping Claims To Domain Names

By Larry Seltzer
7/24/2006 12:30:00 PM

The Watch

Can someone steal a domain away just because you checked to see if it was available? It's happening, as we describe in the Whois Hijacking section.

Security researchers are hot on XSS (cross-site scripting) attacks and their potential for compromising Web sites. See an example of one in the XSS section.

Microsoft's patches this month included one for a scary DHCP vulnerability. It just got a lot scarier, as exploit code was released. See why you should patch now in the DHCP Exploit section.

It's a small matter in the big scheme of things, but along with attacks on Israel proper, Israeli Web sites were also targeted this month. Read details of the attack and the lessons it teaches in the Team Evil vs. Israel section.

If you have a domain name, you have to keep the contact records up to date. Why? We tell you why in this week's Security Tip.

Last week's top threat, a zero-day vulnerability in PowerPoint, yielded a second targeted attack. Find out how serious it is in Security Alerts and Updates.

We used lots of domain name jargon in this week's Security Watch, like domain tasting and whois, and we define the terms in this week's Jargon Watch

Meanwhile, in other security news, Visa changed the security rules they impose on retailers who use their card services. Read this and more in the Security Watch Story Feed.

Whois Hijacking

Have you ever researched an Internet domain, waited a bit and then, when you go to buy it, it's gone? You may have been a victim of whois hijacking.

Through a mechanism not yet well understood, some domain squatters are able to get information on domain lookups, which are performed using a protocol named "whois". They use it to quickly—and automatically—register the domain. This practice is usually combined with domain tasting, so the domains may be available again before too long.

In the meantime, the squatters put up an ad page on the site. If it gets hits, they keep the site. They also usually put up a link through which you can buy the site from them (at a vastly higher price than if you had gotten it first).

What can you do? Until there is a good understanding of how the whois requests are intercepted, all you can do is to move quickly to register domains once you see they are free. It's likely that some domain-checking services are more secure than others, but there is no reliable way to tell which ones they are.

Cross-Site Scripting Attacks

Several security researchers have been focusing in the last few weeks on "Cross-Site Scripting" vulnerabilities in various Web sites. A Russian research site has just revealed one of many in the PayPal site.

Consider this link:

http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/--%3E%3C/script%3E%3Cscript%3Etop.location='http://www.pcmag.com'%3C/script%3E

This is a link to the PayPal site, and a cursory examination of it, from left to right, will reveal it to be such.

But the link includes scripting instructions that redirect the page to a different site, in this case PCMag.com. This attack realizes more malicious potential when it is run in a frameset where the URL continues to display the paypal.com address but the window contains some other site's HTML.

Many security tools, including the Netcraft Toolbar, generically identify attacks such as these as cross-site scripting attacks. You can also identify many of them just by being more alert to URL contents and windows.

As the Internet Storm Center is reporting, an exploit is publicly available for the recently-revealed vulnerability in Microsoft Windows' DHCP client. We have seen the exploit as well.

This specific exploit has only been tested by the authors on Windows 2000 SP4, but the exploit is reported by Microsoft to affect Windows XP as well. It's reasonable to assume that the exploit may be adapted to Windows XP.

These attacks are exploitable in the real world, both on business networks and potentially on shared networks such as cable modem networks, where users on a common subnet use DHCP to gain addresses.

It is important for all users to apply this update as soon as possible.

Team Evil vs. Israel

In early July 2006, as hostilities flared up between Israel and Palestinians in the Gaza strip, an attack was initiated on servers belonging to Israeli and pro-Israeli organizations by a Moroccan hacking group named "Team Evil."

A forensic analysis by Beyond Security's beSIRT team succeeded in disrupting the servers and defacing some of them. The attack shows that best practices are often crucial in protecting critical resources.

The major opening for Team Evil was the fact that Internet-facing applications on the servers were not kept up to date with the most recent security patches. This gave the attackers publicly-known avenues for attack.

In some cases, applications that were compromised were run with excessive privileges, with the result that other parts of the system were vulnerable.

Security Tip: 4 Reasons Why You Should ALWAYS Update Your Domain Name's Contact Details

Thanks to Dave Zan's Domain Name Blog for this tip.

Too many people don't keep their domain contact information up to date. Whatever one's problems with the contact information rules—and there are major downsides to having to have contact information public, as ICANN mandates—the information serves an important purpose in keeping you in touch for important communications.

You might not get your renewal notices on time.—When your domain is expiring, your registrar will send renewal notices to the address on record for the domain. If you are not reachable at that address, either postal or e-mail, you won't get the notices. The domain will expire and someone else can get it.
You might not get your notices indicating a change has been made to your account.—Attempts to steal domains often involve false attempts to change the domain records. Many registrars will send notifications to the owner at the address in the records when attempts are made to change the domain records. If you see these promptly you may still be in a position to abort the change.
Your name might get deleted due to violating the WHOIS policy.—ICANN requires that domains have accurate records, and registrars typically require it as a term of their service as well. It's possible, if you don't have accurate records stored for your domain, that the registrar will lapse it due to a violation of their terms of service and ICANN rules.
The domain name might get hijacked.—If you lose control of an e-mail address it's possible for someone else to get it. They can then use that address to steal the domain, as they will be the one responding to notices from the registrar.

Security Alerts and Updates

A new attack has been identified based on last week's Top Threat, a zero-day vulnerability in PowerPoint.

The nature of the attack points to use as a pinpoint corporate espionage tool. A report by Symantec indicates that a Trojan named Trojan.Riler.F is installed by malicious code in a PowerPoint file as an LSP (Layered Service Provider), which is a special type of network driver that allows features to be added to the Winsock interface without replacing any existing files.

The attack creates these two files:

%System%\SNootern.dll
%System%\uidmngr.ini

It then installs SNootern.dll as an LSP and creates this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9Then it opens a back door on the system by connecting the soswxyz.8800.org and johnmy66.vicp.net on TCP port 7128. It then listens and awaits commands from a remote attacker.

This attack has been found only in very specific organizations, indicating that it is being used in a targeted attack and is not yet in the wild. But look for more of these to appear soon.

Jargon Watch

Whois is a TCP protocol, and usually also the name of programs that implement it, for querying the database of domain registrations, itself often referred to as the whois database. Whois the protocol operates on TCP port 43, and there are whois programs for the command line, for windowing environments, and for Web pages.

Domain Squatting refers to a business of buying domains and keeping them for two purposes: as an investment to resell at a higher price, and for advertising revenue through ad-syndication services, such as Google's AdSense.

Domain Tasting is a practice of some domain squatters whereby they register a domain, place an ad-based site on it, and evaluate traffic for several days. An ICANN rule allows them to recover fees if the domain is released within 120 hours (5 days), so they keep the ones that look promising and release the others.

Security Watch News Story Feed

Visa Changes Retail Security Rules
eWeek July 22, 2006

IBM to Sell Tivoli Data Protection Software Online
eWeek July 21, 2006

Cisco Patches Security Software Glitch
eWeek July 21, 2006

Judge Rejects U.S. Request on Eavesdropping Lawsuit
eWeek July 21, 2006

Spyware Fades to a Dull Roar, But Targeted Attacks Loom
eWeek July 20, 2006

Recent Editions:
• Security Watch: Suite Times For Security
• Security Watch: Time to Set the Kill Bit
• Security Watch: VML Bug Imperils IE Users
• Security Watch: Security Tips Galore
• Security Watch: Crimeware, SMiShing, and Cross-Platform Worms
• More