You could be flushed into a con

Crooks are exploiting vulnerabilities in the domain name system servers of internet service providers to redirect traffic to malicious sites that trick users.


MUMBAI: Crooks are exploiting vulnerabilities in the DNS (domain name system) servers of internet service providers (ISPs) to redirect traffic to malicious sites that trick users into sharing crucial details like bank account numbers and passwords. The problem has become especially acute in India, where ISPs have not implemented the security updates that are issued from time to time to fix the problem.

DNS is the system by which human-friendly internet addresses (www.dnaindia.com, for instance) are translated into the numeric IP (internet protocol) addresses associated with networking equipment (like 12.112.111.111) so that your browser can display the site you want.

The DNS bug was discovered last February by Dan Kaminsky, a Net security expert. What it does is simple: when you type the web address of your e-banking site, for instance, you may be redirected to a fraudulent website that leads you to divulge your password (see box).

In the past four months, variants of the vulnerability, termed the ‘Kaminsky bug’, have emerged. Last week, the computer emergency response team (Cert) in the Union IT ministry issued a warning about Flush.M, one such variant. “It has been reported that variants of ‘DNS changer’ malware that use ‘unauthorised DHCP server’ attack to change the DNS configuration of systems in the same local network are in the wild,” Cert said.

“This Trojan may be dropped by other malware or may be downloaded unknowingly by a user when visiting malicious websites,” the warning said.

The Flush.M variant not only redirects you to a fraudulent site, but it also uses your computer to redirect other users when your computer is in a local area network.
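
For administrators who want to check a local network for the behaviour Cert describes, the following is an added example, not code from the article or from Cert: it parses the options field of captured DHCP replies and flags any reply whose server identifier or DNS servers fall outside an allowlist. The allowlists and sample addresses are constructed for illustration; option codes 53, 54 and 6 are the standard DHCP message-type, server-identifier and DNS-server options.

```python
import ipaddress

# Assumed site policy; addresses are constructed from documentation ranges.
AUTHORIZED_DHCP = {"192.0.2.1"}
AUTHORIZED_DNS = {"192.0.2.53", "192.0.2.54"}

def parse_options(raw):
    """Decode a DHCP options field (code/length/value records) into a dict."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        # A repeated code is concatenated rather than overwritten.
        opts[code] = opts.get(code, b"") + raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ipv4_list(value):
    """Split an option value into dotted-quad IPv4 strings."""
    if len(value) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]

def audit_reply(raw):
    """Return findings for one DHCPOFFER (type 2) or DHCPACK (type 5)."""
    opts = parse_options(raw)
    if opts.get(53) not in (b"\x02", b"\x05"):
        return []                  # not a server reply, nothing to audit
    findings = [f"unauthorised DHCP server {s}"
                for s in ipv4_list(opts.get(54, b"")) if s not in AUTHORIZED_DHCP]
    findings += [f"unexpected DNS server {d}"
                 for d in ipv4_list(opts.get(6, b"")) if d not in AUTHORIZED_DNS]
    return findings

def opt(code, *addrs):
    value = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    return bytes([code, len(value)]) + value

# Constructed sample replies: one from the real server, one from a rogue host.
LEGIT = b"\x35\x01\x02" + opt(54, "192.0.2.1") + opt(6, "192.0.2.53", "192.0.2.54") + b"\xff"
ROGUE = b"\x35\x01\x05" + opt(54, "192.0.2.77") + opt(6, "203.0.113.10", "203.0.113.11") + b"\xff"

if __name__ == "__main__":
    print(audit_reply(LEGIT), audit_reply(ROGUE))
```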

Gulshan Rai, head of Cert, told DNA: “ISPs in India do not implement patches to bugs in time, leading to problems for the general user. The vulnerability that has been reported affects ISPs and general users as well.”

A spokesperson for Airtel, one of India’s largest ISPs, said: “At Airtel, we proactively track new risks that emerge so that our customers are not affected adversely. We became aware of this vulnerability at an early stage and initiated necessary action to strengthen our DNS servers. The DNS servers of the regional internet resolution site hosted in Airtel, which resolves the .com and .net TLDs (top-level domain names) for all users in India and South Asia, were also patched proactively on time to avoid damage.”

A spokesman for Reliance Communication said the company had patched up its DNS servers a few months ago when the problem was first discovered. But customers dispute these claims.

“India should have a compliance law where ISPs are bound to implement security patches within 24 hours,” said Samir Kelekar, an Airtel broadband customer who runs Tekno Trends, a security consultancy in Bangalore. “This bug has been big news in security circles since July, yet there is no compliance in India.”

Kelekar said his ISP had been unable to fix the patch. “The problem persists,” he said after subjecting his computer to simple tests that are available online to check for DNS server vulnerability.

Sarbajit Roy, RTI activist and cyber security expert in Delhi, told DNA that his ISP, too, had not been able to debug its servers. “The problem is an old one and variants are coming up every now and then,” he said. “I have taken the matter up with my ISP, but it has not been able to give me a satisfactory answer.”

A number of ISPs told DNA the problem was being looked into. “I have been told by our technical team that there is some problem with the DNS servers and they are looking into it,” said Sanjay Jha, CEO, Ortell Communications, an ISP in Orissa.

An ISP based in Bangalore, Karuturi Networks, said there had been reports of DNS poisoning over the past three months, but none of its customers had been affected. “Our technical team is monitoring our systems and there has been no complaint from any customer,” Manoj Kumar Agarwal, CEO, Karuturi Networks, said.

Rajesh Chharia, president, ISP Association of India, however, said, “I have not got any reports from ISPs about such a bug.”
