DNS forgery pharming attack information

Trusteer announced today that its CTO and security researcher Amit Klein has cracked BIND’s random number generator and demonstrated a new attack affecting most Internet users. In this “DNS Forgery Pharming” attack fraudsters can remotely force consumers to visit fraudulent websites without compromising any computer or network device.

About BIND’s Random Number Generator

To avoid DNS response forgery, an attack in which the fraudster sends a spoofed response with a bogus IP address to the requesting computer, BIND implements a standard DNS security mechanism, based on a randomly-generated number. This mechanism prevents fraudsters who do not control the route between the user and the DNS server from forging DNS responses and directing the user to the wrong server.

How BIND Random Number Generator Can be Breached

However, security researcher and Trusteer’s CTO, Amit Klein, has discovered a severe flaw in BIND’s implementation which allows fraudsters to efficiently predict generated random numbers without the need to control the route between the user and the DNS server. Using this vulnerability fraudsters can remotely forge DNS responses and direct users to fraudulent websites. The fraudulent website can steal the user’s sign-in credentials or tamper with the user’s communication with the website.

“This is a devastating attack,” said Klein, “by targeting a specific ISP’s DNS server the fraudster can easily direct all ISP users to a fraudulent website each time the user tries to access the real website. There is nothing the user can do to prevent the attack.”

A DNS manipulation attack is also known as Pharming and up until now the common belief was that fraudsters need to compromise either the user’s computer or the DNS server itself to launch the attack. This flaw enables launching a Pharming attack which works even if the user’s computer and the DNS server are highly secured.


Trusteer advises ISPs and Enterprises that manage a BIND 9 DNS server in a caching configuration to apply the latest patch released by the ISC. Existing desktop security solutions cannot protect against this type of attacks since DNS forgery pharming does not involve the user’s computer or the DNS server but rather the cached data on the DNS server. Mutual authentication solutions, such as Trusteer’s Rapport, which strongly authenticates the destination website and prevents access to unauthenticated websites, can defeat the attack.

Don't miss