Monday, November 12, 2012

Why this domain?

I originally registered this domain back in 2011, shortly after this talk was released:
http://www.blackhat.com/html/bh-us-11/bh-us-11-archives.html
"Bit-squatting: DNS Hijacking without exploitation"

It intrigued me and I attempted to duplicate the results of this experiment. micrmsoft.com was one of several domains I registered. I got some variants of paypal, mozilla, and facebook domains as well, but the microsoft variants yielded the most misdirected requests. My conclusion was ultimately that the author of the original talk was not full of BS, and that traffic to microsoft was high enough that there would be some misdirected requests going to the domain. The paypal, mozilla, and facebook domains did not perform nearly as well.

Here's a small example pcap from a day of traffic:
http://micrmsoft.com/smallsample.pcap

Example request:

GET /pki/certs/MicrosoftWinIntPCA.crt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: www.micrmsoft.com
Connection: Keep-Alive


You can see that the vast majority of those requests are from crawlers, but occasionally you'll see a few Microsoft CryptoAPI clients requesting some certs. I think this bit flip stuff is really only a concern for the top handful of domains in the world, but it was interesting to see a tiny slice of what Microsoft sees.

Could this be used for evil?  Perhaps this could be used to MITM some poor soul's failing hardware.  We only monitored passively and did not see any personal information.  After the misdirected requests for certificates were given 404 errors, the errant IPs did not come back again.
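As an added illustration (not the post author's code), here is how the one-bit-off neighbours of a domain such as microsoft.com, of which micrmsoft.com is one, can be enumerated, and how a captured Host header like the CryptoAPI request above can be flagged as a bitsquat; a domain owner can use the same list to decide which variants to register defensively or to watch for in their logs. The function names and the re-typed sample request are my own.

```python
# Added example (not the blog author's code): enumerate the hostnames that are one
# flipped bit away from a canonical domain and classify a captured Host header
# against them, so a defender can pick variants of their own domain to register
# or to watch for in DNS and HTTP logs. All function names here are assumed.
import string

VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

def bitsquat_candidates(domain: str) -> set:
    """All hostnames one bit flip away from `domain` in its registrable label.
    Only the label left of the last dot is mutated (the TLD is kept as-is) and
    only flips that still give a valid DNS label survive; flipping bit 5 of a
    letter only changes its case, which DNS ignores, so those drop out too."""
    label, _, tld = domain.lower().rpartition(".")
    found = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in VALID_LABEL_CHARS:
                continue
            cand = label[:i] + flipped + label[i + 1:]
            if cand == label or cand[0] == "-" or cand[-1] == "-":
                continue
            found.add(f"{cand}.{tld}")
    return found

def host_header(raw_request: str) -> str:
    """Extract the Host header value from a raw HTTP/1.x request ('' if absent)."""
    for line in raw_request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return ""

def classify_host(host: str, canonical: str) -> str:
    """Return 'exact', 'bitsquat' or 'other' for a Host header value."""
    h = host.strip().lower().rstrip(".")
    if h.startswith("www."):
        h = h[4:]
    if h == canonical:
        return "exact"
    return "bitsquat" if h in bitsquat_candidates(canonical) else "other"

# The CryptoAPI request quoted above, re-typed here as a constructed sample.
SAMPLE_REQUEST = ("GET /pki/certs/MicrosoftWinIntPCA.crt HTTP/1.1\r\nAccept: */*\r\n"
                  "User-Agent: Microsoft-CryptoAPI/5.131.2600.5512\r\n"
                  "Host: www.micrmsoft.com\r\nConnection: Keep-Alive\r\n\r\n")
```

Running `classify_host(host_header(SAMPLE_REQUEST), "microsoft.com")` labels the sample as a bitsquat; the same check run over a pcap's Host headers separates crawler noise from genuinely misdirected clients.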

Edit: This was recently released, and the original author discusses much more in depth information on the subject: http://blog.dinaburg.org/2012/10/a-preview-of-bitsquatting-pcaps.html
