This story was printed from ZDNet Australia.
Putting the Web in a BIND

By Charles Babcock, Interactive Week
March 13, 2001
URL: http://www.zdnet.com.au/news/security/soa/Putting-the-Web-in-a-BIND/0,130061744,120208534,00.htm


Late last month, a hacker calling himself Fluffy Bunny attacked a Domain Name System server belonging to McDonald's fast food restaurants in England and redirected traffic to a dummy site in the U.S.

Visitors found the familiar golden arches, but not much else looked the same. The company name had been changed to McDick's, and, along with some suspect menu choices, the hacker had posted a repetitive description of his bunny character, including "The Fluffy Bunny likes to make babiez," and "The Fluffy Bunny is not wearing any pantiez."

The same day, a group called BL4F Crew hacked 10 Nintendo sites in Europe, exploiting the same vulnerabilities the McDonald's hacker had used - holes that had been publicly identified, with an Internetwide call to upgrade, 28 days earlier.

In one sense, the Feb. 26 hacks were in fun. Fluffy Bunny stopped short of X-rated comments, and no credit-card numbers were stolen or business data damaged on any of the sites. But they illustrate how escalating problems with the open source BIND code represent the single most common threat to businesses that increasingly depend on Internet-based technologies to sell their products or communicate with their customers.

One of the weakest links on the self-governed Internet, the Berkeley Internet Name Domain (BIND) is the software that drives nearly 90 percent of all domain name servers on the Internet. BIND is used by DNS servers to resolve domain names, such as dinosaur.com, into numeric Internet Protocol (IP) addresses. Each Web site has a DNS server somewhere in front of it, though one DNS server may handle the addressing for many Web sites. Thirteen root DNS servers underlie all Internet operations, with roughly 500,000 DNS servers working on top of them. Of those running BIND, about 80 percent to 90 percent use versions that leave them vulnerable to exploits, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

The problem is not just the code, but also the system - or lack thereof - for making sure that upgrades are made after new holes are identified and publicised to everyone, including hackers.

That issue is compounded by a number of other factors, including the increasingly widespread availability of tools to exploit those holes, a lack of understanding by companies about when and how they are vulnerable and widespread resistance to any kind of user registration or notification system that might seem to violate the laissez-faire tradition of the Internet and its unregulated service providers.

The result? Perhaps the BL4F Crew summed it up best in a posting to the Nintendo sites: "Security is a complete myth on the Internet. It's frustrating. That's what it is."

The problem is much more than frustrating, though. It is also hazardous to the health of electronic commerce and business-to-business information sharing. While commercial variations of BIND software exist, an estimated 85 percent to 90 percent of all Web sites' servers run BIND. And the poor state of BIND leaves many of them available for use as zombies, puppets or victims of denial-of-service attacks like those that have taken down such Web giants as eBay, Microsoft and Yahoo!

"For such a critical piece of the infrastructure, BIND has had a lot of holes," said Brian Dunphy, director of analysis at Riptech, a managed security provider for dot-coms and corporate clients.

Carnegie Mellon's CERT has publicly identified 12 such holes in the 4.x and 8.x versions of BIND, now used on most DNS servers. The McDonald's and Nintendo hacks took advantage of the latest four, published by CERT on Jan. 29.

With each new alert comes a fix. The challenge is in making sure the software running on each DNS server is patched.

Although BIND distributors are notified of problems before CERT alerts are made public, there is no way to know if every company running a BIND DNS server is eventually made aware of the problem targeted by an alert. And many of those who are aware may choose not to upgrade, for fear it will result in costly downtime for their Web sites or networks.

With no central Internet authority to turn to, advocates of an open, unregulated Internet are at a loss to explain how the BIND exposures will ever get cleared up.

One of the few proposals to change the shaky state of BIND comes from Paul Vixie, chairman of the organisation that oversees the maintenance and development of BIND, the Internet Software Consortium (ISC). Internet service providers (ISPs) could do more, polling their customers' DNS servers to see if they've been updated, he said in an email exchange with Interactive Week.

So far, Interactive Week has found few ISP representatives eager to take Vixie up on the suggestion. ISPs are traditionally loath to take on any appearance of responsibility for their customers' equipment or content. Polling the DNS servers on their networks, ISPs said, could be viewed as a violation of their customers' privacy. And ISPs have little incentive to do such polling unless it is part of a paid service.

The ISC itself also declined to do polling or to generate a database of BIND users who might be automatically notified of updates. Asking people who download the BIND software to register or identify themselves "would be a privacy violation" unless users voluntarily opted to be registered in it, Vixie said.

Threats on the rise

Unfortunately, hackers have no such compunctions and have access to all the latest tools for polling DNS servers for vulnerabilities. And the exposures created by BIND are well-known - and growing. It used to be that an organisation's defenses were infrequently probed by outsiders, but that is no longer the case, said Keith Lowry, vice president of security operations at Pilot Network Services, which provides security as an outsourced service. "If you do not patch these kinds of holes, you're going to get hit," he said.

Pilot tallied a significant jump in the rate of DNS vulnerability scans - a form of reconnaissance by hackers - after the four new vulnerabilities were aired at the end of January, Lowry said. Pilot counted 35 DNS probes of its 300 clients in the first 12 days of February, compared with only 19 in January. On a month-to-month basis, that represents a 480 percent increase, he said. Others have seen similar increases in malicious activity.

"We are receiving reports of two to three times the previous number of probes" of BIND, accomplished by querying port 53 on DNS servers, said CERT technical staffer Jeff Havrilla.

Adding to the problem is the increasing availability of programs that automatically scan networks and query DNS servers. "It's the equivalent of jiggling your doorknob to see if it's locked," said Scott Blake, security program manager at BindView, a provider of security assessments of BIND and other points of exposure. With the automated scans, snoopers can determine which version of BIND a DNS server is running. If it is one with exposures, they also have ready-made burglar tools.

"The tools to exploit these vulnerabilities are being automated in a way not seen before," Havrilla warned. The tools are posted to malicious hacker, or "cracker," sites, and few technical skills are needed to use them to compromise a server. Unless it is specifically configured otherwise, BIND answers a version query - a TXT record lookup for the name version.bind in the CHAOS class, which any client can send to port 53 - with its version string. If the reported version is earlier than 8.2.3 on the 8.x line (or 4.9.8 on the 4.x line), then it most likely contains one of the 12 holes already designated by CERT as hazardous.
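The version check described above, as an added example that is not code from the original article or from the ISC: it builds the raw version.bind CH TXT query with the standard library only, parses the answer, and compares the reported release against the fixed releases (4.9.8 and 8.2.3) named in CERT's Jan. 29 advisory, CA-2001-02. The sample response embedded below is constructed, not captured from a real server, so the parser can be exercised offline; the `probe` helper is the only part that touches the network.

```python
"""Query a name server for its BIND version string (version.bind, class CHAOS,
type TXT) and flag releases older than the January 2001 fixes.

Added example, not code from the article or from BIND itself. Standard
library only; SAMPLE_RESPONSE is a constructed packet for offline use.
"""
import re
import socket
import struct
from typing import Optional, Tuple

QUERY_ID = 0x1234  # fixed transaction ID so the offline sample matches

# Assumption of this example: the fixed releases from CERT CA-2001-02,
# keyed by major version; anything older on the same branch is flagged.
FIXED = {4: (4, 9, 8), 8: (8, 2, 3)}


def build_version_query(txid: int = QUERY_ID) -> bytes:
    """Encode a DNS query for version.bind, type TXT (16), class CHAOS (3)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in (b"version", b"bind")) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 3)


def _skip_name(msg: bytes, off: int) -> int:
    """Skip a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_version_response(msg: bytes, txid: int = QUERY_ID) -> Optional[str]:
    """Return the TXT string of the first CH/TXT answer, or None."""
    if len(msg) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or not a response
        return None
    if flags & 0x000F:  # RCODE set, e.g. REFUSED when the version is hidden
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 16 and rclass == 3 and rdata:
            # TXT rdata is a sequence of <len><bytes> character-strings
            return rdata[1:1 + rdata[0]].decode("ascii", "replace")
    return None


def parse_bind_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull major.minor.patch out of strings such as '8.2.2-P5' or '4.9.7'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version_text: str) -> bool:
    """True when the version is older than the fixed release of its branch.
    Hidden, altered or unparseable strings yield False: not proven, not safe."""
    v = parse_bind_version(version_text)
    if v is None:
        return False
    fixed = FIXED.get(v[0])
    return fixed is not None and v < fixed


def probe(server: str, timeout: float = 2.0) -> Optional[str]:
    """Send the query to a live server on 53/UDP and return its version string."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_version_response(data)


# Constructed sample response (not a real capture): answers "8.2.2-P5" to the
# query above, using a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)
    + b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3)
    + b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, 9) + bytes([8]) + b"8.2.2-P5"
)

if __name__ == "__main__":
    ver = parse_version_response(SAMPLE_RESPONSE)
    print(ver, "vulnerable" if ver and is_vulnerable(ver) else "not flagged")
```

The same query is what the automated scanners described above send, so the defensive reading of this code is twofold: run it against your own servers to find the "dust-covered server in a closet", and note that a server configured with `version "none";` (or a decoy string) in the `options` block of named.conf will return nothing useful, in which case the installed package or binary, not the wire, is the only reliable record of what is running.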

"When vulnerabilities are first announced, a hacker can compromise a thousand servers very quickly," Riptech's Dunphy said.

Once compromised, the DNS server and others can be used to launch a distributed denial-of-service attack or other disruptions.

As Fluffy Bunny demonstrated, legitimate traffic can also be diverted to a dummy site. A clever hack may one day ask diverted customers to submit their user names and passwords at a look-alike site that has convinced visitors it's where they intended to go, security experts warned.

In addition, a single DNS server at an ISP or colocation site often handles several companies' traffic and Web sites. By sniffing that traffic - passively capturing and reading network packets, which leaves no trace of the intruder - an interloper can gain user IDs and passwords, the names of key files and the servers on which they're located, and other supposedly private information.

"If you get into one server, you can get into two," often with system administrator privileges, which opens the door into the enterprise network, said Steve Hotz, chief technology officer at UltraDNS, a managed DNS service provider, who also worked on the mechanisms of DNS that were later adapted to BIND. It used to be that one organisation could practice good, buttoned-down security and protect itself, remarked Peter Trahon, supervisor of the nine agents who make up the computer intrusion squad at the Federal Bureau of Investigation's San Francisco division. "Now your neighbor has to practice good security too," he said.

Small business at risk

That means the DNS servers of small businesses are especially at risk. One of the few legitimate organisations running periodic BIND queries is Men & Mice, a Reykjavik, Iceland, DNS management software company that publishes the International Domain Health Survey. One day after the Jan. 29 CERT alert, it took a snapshot that showed one-third of the Fortune 1000 had at least one faulty version of BIND on a DNS server, said Petur Petursson, chief executive of Men & Mice. Three weeks later, that figure had dropped to one-eighth of the Fortune 1000, he said, indicating a rapid upgrade at large companies on the heels of the CERT announcement.

Petursson, however, said he doubts small businesses and nonprofits upgraded their sites as quickly.

At many smaller organisations, DNS servers were set up by outside consultants or by an information technology (IT) staffer who eventually departed for another job, Dunphy said. Once set up, DNS servers tend to run themselves without further assistance and eventually become "a dust-covered server in a closet that nobody knows about," he said.

It's possible for an administrator of a Web site to read news of a CERT BIND alert and say, "Thank goodness we don't have any of those on our network," when, in fact, he or she does, Dunphy said.

When asked why more system administrators don't upgrade BIND on their DNS servers, ISC's Vixie said it is purely their option to do so. The ISC does not monitor BIND users or notify them of changes. Registering BIND users is contrary to the concept of freely available software as open source code, he added. The only requirement asked of a downloader is "to use it in good health," he said. Vixie said BIND users may sign up for a newsletter that fills them in on patches and when upgrades are available, but fewer than 500 have done so. He estimated there are at least 30,000 administrators of DNS servers who would need to be notified.

Creating a central registry is more difficult than it sounds, since not all copies of BIND are distributed through the ISC site. BIND is included in each of the major versions of Unix, such as IBM's AIX, Hewlett-Packard's HP-UX and Sun Microsystems' Solaris, as well as in the products of some firewall makers, like Secure Computing's Sidewinder. Their BIND versions are updated conscientiously but may still lag discovery of new holes by two to three months, Dunphy said.

And once a hole is identified, it is extremely difficult for operating system or firewall users to apply patches or implement upgraded versions of BIND on their own. Users would not generally upgrade BIND as a separate component unless the vendor of their operating system or firewall software sent a patch. And even upgrading the DNS server with a patch requires extensive testing to make sure the patch doesn't disrupt something else, he added.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.