An independent expert known as Remy discovered that Microsoft domains were not protected against bitsquatting and intercepted windows.com traffic.
The expert conducted his experiments on the example of the windows.com domain, which can turn, for example, into windnws.com or windo7s.com in case of a bit flip.
The term Bitsquatting refers to a type of cybersquatting that suggests using different variations of legitimate domains (usually 1 bit different from the original).
The use of bitsquatted domains usually happens automatically when a DNS query is made from the computer on which the bits flipped occurred.
The foundation of this research is built on the fact that all information is essentially zeros and ones, and the same goes for domains. As you know, bits can turn over (0 turns into 1 or vice versa), responding to cosmic radiation, fluctuations in power, temperature, and so on. Moreover, in a 2010 study, it was already found that on a computer with 4 GB of RAM there is a 96% chance of bit flipping within three days.
As a result, Remy compiled a list of domains that can form due to inverted bits. He found 32 valid domain names, 14 of which were unregistered and were available for takeover.
Domains purchased by Rami:
- windnws.com
- windo7s.com
- windkws.com
- windmws.com
- winlows.com
- windgws.com
- wildows.com
- wintows.com
- wijdows.com
- wiodows.com
- wifdows.com
- whndows.com
- wkndows.com
- wmndows.com
Perhaps this problem may seem purely theoretical, but information security experts have repeatedly reported on the successful practical application of such attacks. For example, at Black Hat 2011, there was a talk titled “Bit-squatting DNS Hijacking without Exploitation”, in which the researcher talked about how he captured 31 variants for eight legitimate domains from several organizations. And on average, it counted 3434 daily DNS queries to those domains.
Now Remy has done the same for windows.com. In addition to traffic destined for windows.com, the researcher was able to intercept UDP traffic destined for time.windows.com and TCP traffic destined for various Microsoft services, including Windows Push Notification Services (WNS) and SkyDrive (formerly OneDrive).
The researcher writes that the possibility of beatsquatting is a very worrying sign because, in this way, attackers can create many problems for the security of applications.
In addition to the traffic generated by the flipped bits, Remy found that many requests seemed to be coming from users who mis-entered domain names. However, it is not possible to understand exactly what percentage of requests originate from typos:
The expert offers several ways to defend against bitsquatting attacks. For example, companies can register domains that can be used for bitsquatting. This is most often the case. For example, time.apple.com is protected from such attacks, unlike time.windows.com. Rami also mentions ECC memory, which can help protect computers and mobile devices from the bit flip problem.
Microsoft representatives told the media that they are “aware of social engineering techniques that can be used to direct customers to malicious sites” and advised users to “exercise caution when following links, opening unknown files, or accepting file transfers.”
Let me remind you that recently the expert told how he hacked into a nuclear power plant.