Bitflips when PCs try to access windows.com: What could possibly go wrong?


Bitflips are events that cause individual bits stored in an electronic device to change, turning a 0 into a 1 or vice versa. Cosmic radiation and power or temperature fluctuations are the most common natural causes. Research from 2010 estimated that a computer with 4GB of basic RAM has a 96 percent chance of experiencing a bitflip in three days.

An independent researcher recently demonstrated how bitflips can again bite Windows users when their PCs access Microsoft’s windows.com domain. Windows devices do this regularly to perform actions such as making sure the time shown on the computer’s clock is accurate, connecting to Microsoft’s cloud-based services, and recovering from crashes.

Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that are one bitflip away from windows.com. He provided the following to help readers understand how such a flip can cause the domain to change to whndows.com:

01110111 01101001 01101110 01100100 01101111 01110111 01110011
w        i        n        d        o        w        s
01110111 01101000 01101110 01100100 01101111 01110111 01110011
w        h        n        d        o        w        s

Of the 32 bitflipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because Microsoft and other companies typically purchase such domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen. The domains were:

  • windnws.com
  • windo7s.com
  • windkws.com
  • windmws.com
  • winlows.com
  • windgws.com
  • wildows.com
  • wintows.com
  • wijdows.com
  • wiodows.com
  • wifdows.com
  • whndows.com
  • wkndows.com
  • wmndows.com
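
The mapping described above can be reproduced to audit which one-bit variants of a domain exist, and to check whether a name seen in resolver logs is one of them. This is an added example, not Remy's code; the function names are hypothetical, only the second-level label is flipped, and the query names at the bottom are constructed.

```python
import string

LDH = set(string.ascii_lowercase + string.digits + "-")  # characters legal in a hostname label

def bitflip_labels(label):
    """Return every valid DNS label exactly one flipped bit away from `label`."""
    label = label.lower()
    variants = set()
    for pos, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit)).lower()  # DNS names are case-insensitive
            if flipped == ch or flipped not in LDH:
                continue  # case-only change, or not a hostname character
            candidate = label[:pos] + flipped + label[pos + 1:]
            if candidate.startswith("-") or candidate.endswith("-"):
                continue  # a label may not start or end with a hyphen
            variants.add(candidate)
    return sorted(variants)

def bitflip_origin(qname, watched):
    """Return the watched domain that `qname` falls under after one bitflip, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    for domain in watched:
        sld, tld = domain.lower().split(".")  # assumption: watched names have two labels
        if labels[-1] == tld and labels[-2] in bitflip_labels(sld):
            return domain
    return None

if __name__ == "__main__":
    variants = bitflip_labels("windows")
    print(len(variants), "valid single-bitflip labels:", " ".join(variants))
    # Constructed query names, as they might appear in a resolver log.
    for qname in ["ntp.whndows.com", "client.wns.windows.com",
                  "time.windo7s.com.", "example.org"]:
        print(qname, "->", bitflip_origin(qname, ["windows.com"]))
```

Flips that only change letter case are skipped because DNS treats them as the same name, and flips that produce a character outside letters, digits and hyphen cannot form a registrable label.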

No inherent verification

Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses trying to communicate with ntp.windows.com. By default, Windows machines will connect to this domain once a week to verify that the time displayed on the device clock is correct. What the researcher found next was even more surprising.

“The NTP client for the Windows operating system does not have an inherent authenticity check, so there is nothing to stop a malicious person from telling all these computers that it is after 03:14:07 on Tuesday, January 19, 2038 and wreak unknown havoc as a 32-bit signed integer for time overflows,” he wrote in a post summarizing his findings. “However, it turns out that for about 30% of these computers that do that, it wouldn’t make any difference to those users because their clock is already broken.”

The researcher observed machines attempting to establish connections to other subdomains of windows.com, including sg2p.wswindows.com, client.wns.windows.com, skydrive.wns.windows.com, windows.com/stopcode, and windows.com/?fbclid.

Remy said that not all domain mismatches were the result of bitflips. In some cases, they were caused by typos from people behind the keyboard, and in at least one case the keyboard was on an Android device whose user was trying to diagnose a blue-screen-of-death crash that had occurred on a Windows machine.

To capture the traffic that devices sent to the mismatched domains, Remy rented a virtual private server and created wildcard DNS lookup entries pointing to it. Wildcard records allow traffic destined for different subdomains of the same domain (for example, ntp.whndows.com, abs.xyz.whndows.com, or client.wns.whndows.com) to be mapped to the same IP address.

“Due to the nature of this research related to bit reversal, this allows me to capture any DNS lookup for a subdomain of windows.com where multiple bits have been reversed.”

Remy said he is willing to transfer the 14 domains to a “verifiable responsible party” and in the meantime he will simply sinkhole them, meaning he will keep the addresses and configure the DNS records so that they are unreachable.

“Hopefully this leads to more research.”

I asked Microsoft representatives if they were aware of the findings and the offer to transfer the domains. Representatives are working to get a response. However, readers should remember that the threats the research identifies are not limited to Windows.

In a 2019 presentation at the Kaspersky Security Analyst Summit, for example, researchers at security firm Bishop Fox got some eye-opening results after registering hundreds of bitflipped variations of skype.com, symantec.com, and other widely visited sites.

Remy said the findings are important because they suggest that bitflip-induced domain mismatches occur on a scale that is higher than many people thought.

“Previous research was primarily concerned with HTTP/HTTPS, but my research shows that even with a small handful of bit-busy domains, you can still divert misdirected traffic from other default network protocols that are constantly running, such as NTP,” Remy said in a direct message. “Hopefully this will lead to more research in this area as it relates to the default OS services threat model.”
