[ISN] Effects of Domain Hijacking Can Linger

InfoSec News isn at c4i.org
Thu Feb 9 01:41:41 EST 2006


By Paul F. Roberts 
February 8, 2006 

Malicious hackers who are able to hijack an organization's Web domain
may be able to steal traffic from the legitimate Web site long after
the domain has been restored to its owner, according to a recent

Design flaws in the way Web browsers and proxy servers store data
about Web sites allow malicious hackers to continue directing Web
surfers to malicious Web pages for days or even months after the
initial domain hijacking.

The persistent attack could lead to information or identity theft,
according to Amit Klein, a Web application security researcher with
the Web Application Security Consortium.

The problem, which Klein termed "domain contamination," exists because
of features in Web proxy servers, which store versions of Web pages,
and Web "clients," or browsers, including Microsoft's Internet
Explorer, the Mozilla Foundation's Firefox and the Opera browser.

Proxy servers and browsers both establish trust relationships with Web
servers that are identified as the authoritative host for a Web page
in the DNS (domain name system), Klein said.

"Once a client believes it is communicating with the legitimate server
for some domain, there's an implicit trust that's placed in that
server that is not revoked," Klein told eWEEK.

For example, Web browsers store information on the Web server in Web
cookies and cached Web pages that are stored locally. Once that
information is downloaded and stored on the client, it can be very
difficult to get rid of it, Klein said.

"There's just no way to sterilize the view or reflection of a Web site
on the Internet," he said.

Domain hijacking is a recurrent problem on the Internet that
occasionally gets mainstream attention, such as when aljazeera.net,
the Web domain for the Arab satellite television network, was hijacked
in March 2003.

More recently, unknown hackers carried out a massive DNS poisoning
attack on DNS servers worldwide in March, 2005.

That attack used a known vulnerability in a Symantec firewall as well
as known weaknesses in Windows NT and Windows 2000 machines to change
the DNS record for Web sites.

The attack caused unknown numbers of Web surfers to be directed to
malicious Web sites that installed spyware and other malicious
programs, according to the SANS Institute's Internet Storm Center.

In those attacks, and others, domain hosting companies and Internet
infrastructure providers moved quickly to restore control of the Web
domain to its proper owner and reset DNS servers that had been
compromised, ending the attack.

However, attackers can modify HTTP headers or HTML content on their
attack Web site to ensure that it is stored locally for months or even
years, Klein said.

Internet users who were caught up in the attack will retain that
cached copy of the attacker's site in their browser. The cached page
may be the first loaded when the victim attempts to visit that Web

A sophisticated attacker who embedded scripts in the malicious page
could continue to steal information from the victim long after the

For example, a script could harvest information from cookies used by
the Web site, or load the actual Web page inside a frame in the cached
page to conduct an attack that captures the interactions of the user
on the page, Klein wrote.

Also, proxy Web servers that store cached content can, in certain
circumstances, revalidate that content, prolonging the life of
hijacked Web pages, Klein wrote.

The problem with domain contamination is caused by a major design flaw
in the way Web domains are managed, Klein told eWEEK.

"Web browsers don't have any information about domain ownership or any
From the browser's perspective, the google.com now and
google.com of five years ago are the same domain with the same
privileges," Klein said.

"If they assigned a cookie five years ago, unless it expires
naturally, there's no way to verify that the same owner is behind it."

Individuals who have the poisoned domain information can get rid of it
simply by deleting affected browser cookies or clearing out their Web
page cache—standard features on almost every Web browser.

However, organizations or individuals who have had their Web domain
hijacked don't know which of their visitors went to the hijacked site
and, thus, have little recourse to rectify the domain poisoning.

"The best response is not to get hijacked to begin with," said
Johannes Ullrich, CTO at the SANS ISC. "Once it's happened, there's
little that you can do about it."

Using SSL (Secure Sockets Layer) to access a Web site can prevent DNS
hijacking and Web cache poisoning, and changing your Web server
responses to requests from proxy servers can keep them from holding
onto poisoned cached content, Klein wrote.
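As an added illustration, not code from the article or from Klein's paper, the following Python audit computes how long a browser or proxy cache may keep a response without revalidating it, following the RFC 7234 freshness rules (s-maxage, max-age, then Expires minus Date), and flags long-lived entries. The sample header sets, the one-day threshold and the hardened directive set are my assumptions.

```python
from email.utils import parsedate_to_datetime

# Assumed audit threshold: flag responses a cache may keep longer than one day.
MAX_SAFE_LIFETIME = 24 * 3600

def parse_cache_control(value):
    """Parse Cache-Control into {directive: value-or-None}, names lowercased."""
    directives = {}
    for part in value.split(","):
        name, sep, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"') if sep else None
    return directives

def _seconds(text):
    """Parse a delta-seconds directive value; None when it is not a number."""
    return int(text) if text is not None and text.isdigit() else None

def freshness_lifetime(headers, shared_cache=False):
    """Seconds a cache may serve the response without revalidating; 0 if none."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or (shared_cache and "private" in cc):
        return 0
    # s-maxage wins for shared caches, then max-age, then Expires minus Date.
    if shared_cache and _seconds(cc.get("s-maxage")) is not None:
        return _seconds(cc["s-maxage"])
    if _seconds(cc.get("max-age")) is not None:
        return _seconds(cc["max-age"])
    if "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
        except (TypeError, ValueError):
            return 0  # unparsable Expires (e.g. "0") means already stale
        return max(0, int(delta.total_seconds()))
    return 0  # no explicit lifetime; heuristic caching is ignored here

def audit(headers, shared_cache=False):
    """Return (lifetime_seconds, verdict) for one response's headers."""
    life = freshness_lifetime(headers, shared_cache)
    if life == 0:
        return life, "not-cacheable"
    return life, "long-lived" if life > MAX_SAFE_LIFETIME else "short-lived"

# Constructed sample header sets (not taken from the article).
LONG_LIVED = {"Date": "Wed, 08 Feb 2006 12:00:00 GMT",
              "Cache-Control": "public, max-age=31536000"}
HARDENED = {"Date": "Wed, 08 Feb 2006 12:00:00 GMT",
            "Cache-Control": "no-store, must-revalidate, max-age=0", "Expires": "0"}
```

Running audit(LONG_LIVED) yields (31536000, 'long-lived'), while audit(HARDENED) yields (0, 'not-cacheable'); the same function can be pointed at your own server's responses to confirm that caches are not granted a lifetime you would not want a contaminated copy to enjoy.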
