Software Engineering Institute | Carnegie Mellon University

SEI Insights

CERT/CC Blog

Vulnerability Insights

Cache Poisoning of Mail Handling Domains Revisited

Posted on by in

In 2014 we investigated cache poisoning and found some in some damaging places, like mail-handling domains. It can't be assumed behaviors on the internet continue unchanged, so I wanted to repeat the measurement. I used our same passive DNS data source and the same method, but now four years later, to investigate this question.

In summary, cache poisoning still appears to occur at about the same rate. As before, our method does not provide direct evidence of the mechanism; we only observe responses to queries from recursive resolvers. However, exactly what domains are targeted might give us some information about the underlying cause if it is correlated with domains or IPs in other reporting. In that regard, the focus seems to have shifted away from mail-handling domains.

Of the original 302 IP addresses that were found to be returning incorrect results, 112 are still doing so. In addition, I found 247 IP addresses that are also giving incorrect results, giving a total of 359 IP addresses. You can download that list here mxlist-ips.txt

In examining the results, I also found traces of a browser hijacker called fwdservice.com. Browser hijackers are an insidious malware that insinuate themselves into your browser to redirect search results, serve ads, spy on your actions, or other unwanted actions.

Fwdservice.com redirects search results to its own site and has been around since at least 2012. The site also been associated with phishing and malware, just to add to its poor behavior. The browser hijacker pretends to be a useful search engine but contains many more ads and poor results specified by the sponsor of the ads. It's also more than a simple single browser hijacker, it will affect every browser you have on your system.

It works by using a DNS redirect so that no matter where you think you're going, you're actually going to the fwdservice.com. This means that your queries are no longer going to the nameserver you specified, but one that the malware prefers. While I was looking for the A record poisoning, I found 317 IP addresses that were redirecting results of domains to the fwdservice.com IP address, in other words, IP addresses that were being used by the malware to redirect your search results. You can download that list here fwdservice-ips.txt.

Due to the nature of passive DNS, this is a subset of the possible IP addresses used by fwdservice.com. Unfortunately, this means there are more out there. But by blocking these IPs addresses, we can start to interfere with the browser hijacker. We should also continue to look for these DNS redirectors, they're insidious and easy to miss.

About the Author

Leigh Metcalf

Contact Leigh Metcalf
Visit the SEI Digital Library for other publications by Leigh
View other blog posts by Leigh Metcalf