Expert intercepted windows.com traffic using bitsquatting

Expert intercepted windows.com traffic

An independent expert known as Remy discovered that Microsoft domains were not protected against bitsquatting and intercepted windows.com traffic.

The expert conducted his experiments on the example of the windows.com domain, which can turn, for example, into windnws.com or windo7s.com in case of a bit flip.

The term Bitsquatting refers to a type of cybersquatting that suggests using different variations of legitimate domains (usually 1 bit different from the original).

The use of bitsquatted domains usually happens automatically when a DNS query is made from the computer on which the bits flipped occurred.

The foundation of this research is built on the fact that all information is essentially zeros and ones, and the same goes for domains. As you know, bits can turn over (0 turns into 1 or vice versa), responding to cosmic radiation, fluctuations in power, temperature, and so on. Moreover, in a 2010 study, it was already found that on a computer with 4 GB of RAM there is a 96% chance of bit flipping within three days.

Now, suppose the computer gets too hot, there is a solar flare, or a cosmic ray (a very real thing) flips the bits on the computer. Oh no! Now, whndows.com is stored in memory, not windows.com! What happens when it comes time to connect to this domain? The domain does not match the IP address. writes Remy.

As a result, Remy compiled a list of domains that can form due to inverted bits. He found 32 valid domain names, 14 of which were unregistered and were available for takeover.

Expert intercepted windows.com traffic

This is a bizarre case since usually, companies like Microsoft buy such domains to prevent phishers from using them. So I bought them. All. For about $ 126.says the researcher.

Domains purchased by Rami:

  • windnws.com
  • windo7s.com
  • windkws.com
  • windmws.com
  • winlows.com
  • windgws.com
  • wildows.com
  • wintows.com
  • wijdows.com
  • wiodows.com
  • wifdows.com
  • whndows.com
  • wkndows.com
  • wmndows.com

Perhaps this problem may seem purely theoretical, but information security experts have repeatedly reported on the successful practical application of such attacks. For example, at Black Hat 2011, there was a talk titled “Bit-squatting DNS Hijacking without Exploitation”, in which the researcher talked about how he captured 31 variants for eight legitimate domains from several organizations. And on average, it counted 3434 daily DNS queries to those domains.

Now Remy has done the same for windows.com. In addition to traffic destined for windows.com, the researcher was able to intercept UDP traffic destined for time.windows.com and TCP traffic destined for various Microsoft services, including Windows Push Notification Services (WNS) and SkyDrive (formerly OneDrive).

It’s no surprise that the NTP service, which runs on every Windows machine in the world with a default configuration using time.windows.com, generates the most flipped bit traffic. But I still had a lot of other traffic.”Remy writes.

The researcher writes that the possibility of beatsquatting is a very worrying sign because, in this way, attackers can create many problems for the security of applications.

In addition to the traffic generated by the flipped bits, Remy found that many requests seemed to be coming from users who mis-entered domain names. However, it is not possible to understand exactly what percentage of requests originate from typos:

Unfortunately, due to beatsquatting, there is no way to verify that these are not spelling errors. The only information available for research is what is sent along with the request (for example, the referrer header and other headers).

The expert offers several ways to defend against bitsquatting attacks. For example, companies can register domains that can be used for bitsquatting. This is most often the case. For example, time.apple.com is protected from such attacks, unlike time.windows.com. Rami also mentions ECC memory, which can help protect computers and mobile devices from the bit flip problem.

Microsoft representatives told the media that they are “aware of social engineering techniques that can be used to direct customers to malicious sites” and advised users to “exercise caution when following links, opening unknown files, or accepting file transfers.”

Let me remind you that recently the expert told how he hacked into a nuclear power plant.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *