[dns-operations] Microsoft name servers hijacked?

Rod Rasmussen rod.rasmussen at internetidentity.com
Sun Oct 17 03:57:26 UTC 2010 

There is nothing (major) to see here, except a media outlet using a misleading/poorly written headline.

Microsoft themselves made a statement on this in response to Brian Kreb's article addressing the same IPs:

http://krebsonsecurity.com/2010/10/pill-gang-used-microsofts-network-to-attack-krebsonsecurity-com/

Update, 7:34 p.m. ET: Christopher Budd, Microsoft’s response manager for trustworthy computing, sent this statement via email: “Microsoft became aware of reports on Tuesday, October 12, 2010, of a device on the Microsoft network that was possibly compromised and facilitating spam attacks. Upon hearing these reports, we immediately launched an investigation. We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error. Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls.”

Basically someone left a couple of test machines exposed that were on Microsoft IP space and the bad guys installed some nameservers on them and used them to support DNS for some pharma sites.  Happens a bazillion times around the net every day, but because it's Microsoft, it's fair game for an article (instead of outreach by Guilmette for instance, to get them fixed).  No compromise of actual Microsoft Nameservers, just someone compromising boxes and installing nameservers them.  Shame on whoever screwed up in Redmond, and I'm sure they're getting an earful, but, well...

Yawn.

Cheers,

Rod Rasmussen
President/CTO


-------------- next part --------------
A non-text attachment was scrubbed...
Name: IID_email.png
Type: image/png
Size: 8786 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20101016/4539d520/attachment.png>
-------------- next part --------------



E-mail: rod.rasmussen at internetidentity.com
24/7 Service Line: +1.253.590.4100 ext. 0 | 888.239.6932 ext. 0




On Oct 16, 2010, at 12:01 PM, Robert Edmonds wrote:

> Stephane Bortzmeyer wrote:
>> Does anyone have technical details?
>> 
>> http://cyberinsecure.com/microsoft-dns-hijacked-ip-addresses-are-used-to-push-farma-spam/
> 
> based on the IPs provided in the article, here is what i see in DNSDB:
> 
>    http://users.isc.org/~edmonds/microsoft_hijacks.txt
>    http://users.isc.org/~edmonds/microsoft_hijack_rrsets.txt
> 
> it goes back further than the september 22 date given in the article:
> 
>    ;; first seen in zone file: 2010-04-13 16:13:17 -0000
>    [...]
>    ;; first seen in zone file: 2010-10-15 16:10:04 -0000
> 
>    ;;  last seen in zone file: 2010-04-18 16:12:07 -0000
>    [...]
>    ;;  last seen in zone file: 2010-10-15 16:10:04 -0000
> 
>    (based on TLD zone file data)
> 
> and
> 
>    ;; first seen: 2010-06-24 03:30:01 -0000
>    [...]
>    ;; first seen: 2010-10-15 20:35:14 -0000
> 
>    ;;  last seen: 2010-06-25 07:29:18 -0000
>    [...]
>    ;;  last seen: 2010-10-16 17:08:10 -0000
> 
> 
>    (based on passive DNS data)
> 
> -- 
> Robert Edmonds
> edmonds at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list