Stories
Slash Boxes
Comments

SoylentNews is people

posted by CoolHand on Sunday August 23 2015, @11:05PM   Printer-friendly
from the so-glad-we-run-free-software dept.

Let's assume the information about the Windows 10 key logging is true.
Access to this key logger data is the holy grail in computer hacking.
A dream of every "commercial" hacker. This means you can fully automated generate Fullz each at the moment $35 USD worth.
45 mio. (of 1.5 billion, data from 11-Aug-2015, strong growing) Windows 10 systems at the moment.
The average DNS bit-flip error rate is 1 in 100,000 requests. See Bitsquatting: DNS Hijacking without exploitation

Here is one thought-provoking quote from that dinaburg.org article:

Some machines control considerably more traffic than others. While a bit-error in the memory of a PC or phone will only affect one user, a bit-error in a proxy, recursive DNS server, or a database cache may affect thousands of users. Bit-errors in web application caches, DNS resolvers, and a proxy server were all observed in my experiment. For instance, a bit error changing fbcdn.net to fbbdn.net led to more than a thousand Farmville players to make requests to my server.

P And this are only 1 bit-flips. As it turned out multiple bit flips are even more common than single bit-flips.
This means at least 450 wrong DNS requests from this 45 mio. Windows 10 users. Per domain.
3 domains (nsatc.net, footprintpredict.com, microsoft.com) Wrong requests every day: (A record TTL):
nsatc.net=3 h, footprintpredict.com=0.5 h, microsoft.com=2 h == (24/3*450)+(24/0.5*450)+(24/3*450)==30,600

Not all DNS Bitquatting domains have equal value. The order of bit flipping probability is 0,6,(1+2),8,(3+13),14,12,15,(4+5),(7+9+11),10
The bit in position #0 is 100 times more likely to be flipped than one in position #10
If someone like to exact calculate what are the most likely single and multi bit-flip bitquatting names are, here: Observations on checksum errors in DNS queries are all the data you need to do this.

What single bit-flip bitquatting names are free and which are taken ?
(the taken and connected ones are listed with the IP and country)
[Editor's note: I am just listing a few of the more concerning Microsoft bit-flips in interest of brevity. Please see original submission for the very large full list..]
oicrosoft.com,52.74.200.167,Singapore
iicrosoft.com
eicrosoft.com,103.31.75.164,Hong Kong
mkcrosoft.com,72.52.4.91,United States
mycrosoft.com,208.91.197.104,Virgin Islands
mibrosoft.com,209.15.13.134,United States
miarosoft.com,52.74.200.167,Singapore
mikrosoft.com,65.55.39.10,United States
misrosoft.com,103.224.182.217,Australia
micsosoft.com,65.55.39.10,United States
mic2osoft.com,52.74.200.167,Singapore
microqoft.com,65.55.39.10,United States
microwoft.com,54.174.31.254,United States
microcoft.com,185.53.177.9,Germany
micro3oft.com,23.21.201.35,United States
microsnft.com,184.187.12.126,United States
microsovt.com,208.91.197.104,Virgin Islands
microsofu.com microsofv.com microsofp.com

I'm totally surprised that not all of them are already taken.
Does Microsoft care ? Of course not.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Nerdfest on Monday August 24 2015, @01:32AM

    by Nerdfest (80) on Monday August 24 2015, @01:32AM (#226780)

    This is what's bothering me. If the packets can't be read, how do people know that they're gathering and batching all keystrokes. I'm sure the connections are at least through SSL. Can anybody provide details on this ... I was curious after the previous article as well.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 4, Interesting) by tibman on Monday August 24 2015, @02:21AM

    by tibman (134) Subscriber Badge on Monday August 24 2015, @02:21AM (#226785)

    I looked a bit during the last article and there is some pre-talk before the ssl connection. After resolving the domain it looks like it receives cert details (unencrypted) before initiating a TLS 1.2 connection back to the motherland. I could speculate a man-in-the-middle scenario but it would be mostly bs i could never backup. I'm certainly open to hearing other people's speculation though! : )

    --
    SN won't survive on lurkers alone. Write comments.