Bitflips when computers try to reach windows.com: What could go wrong?


Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 into a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common causes. Research from 2010 estimated that a computer with 4 GB of RAM has a 96 percent chance of experiencing a bitflip within three days.

An independent researcher recently showed how bitflips can come back to bite Windows users when their computers reach out to Microsoft’s windows.com domain. Windows devices do this frequently to perform actions such as making sure the time shown on the computer clock is accurate, connecting to Microsoft’s cloud-based services, and recovering from crashes.

Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. He provided the following to help readers understand how a single flipped bit can change the domain to whndows.com:

01110111 01101001 01101110 01100100 01101111 01110111 01110011
w        i        n        d        o        w        s
01110111 01101000 01101110 01100100 01101111 01110111 01110011
w        h        n        d        o        w        s
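The diagram above shows one flip; the code below, an added example that is not from the article or from Remy's own tooling, enumerates every single-bit flip of the label "windows" and keeps only those that still form a valid, distinct DNS label. Case-only flips are skipped because DNS is case-insensitive, and the result reproduces the 32 neighbours the article cites.

```python
import string

# Characters allowed in a DNS label (letters, digits, hyphen).
VALID = set(string.ascii_lowercase + string.digits + "-")


def bitflip_variants(label: str) -> dict:
    """Return {variant_label: (char_index, bit)} for every single-bit flip
    of `label` that still yields a valid, different DNS label.

    Flipping bit 5 (0x20) of a letter only changes its case; DNS names are
    case-insensitive, so those are not distinct domains and are skipped.
    """
    variants = {}
    data = label.encode("ascii")
    for idx, byte in enumerate(data):
        for bit in range(8):
            flipped = byte ^ (1 << bit)
            if flipped > 0x7F:            # high bit set: not ASCII at all
                continue
            ch = chr(flipped).lower()
            if ch not in VALID or ch == label[idx].lower():
                continue                  # control char, punctuation, or case-only
            variant = label[:idx] + ch + label[idx + 1:]
            if variant[0] == "-" or variant[-1] == "-":
                continue                  # labels may not start or end with '-'
            variants[variant] = (idx, bit)
    return variants


def show_flip(original: str, variant: str) -> str:
    """Render the bit diagram the article uses for windows -> whndows."""
    rows = []
    for word in (original, variant):
        rows.append(" ".join(f"{ord(c):08b}" for c in word))
        rows.append(" ".join(f"{c:^8}" for c in word))
    return "\n".join(rows)


if __name__ == "__main__":
    flips = bitflip_variants("windows")
    print(len(flips), "valid one-bitflip neighbours of windows.com")
    for name in sorted(flips):
        idx, bit = flips[name]
        print(f"  {name}.com  (char {idx}, bit {bit})")
    print(show_flip("windows", "whndows"))
```

Running it lists the 32 candidate labels, which a defender can feed into a domain-monitoring or defensive-registration workflow for any high-traffic name, not just windows.com.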

Of the 32 values that were valid domain names, Remy found that 14 were still available for purchase. This was surprising because Microsoft and other companies typically buy these kinds of one-off domains to protect customers from phishing attacks. He bought them for $126 and decided to see what would happen. The domains were:

  • windnws.com
  • windo7s.com
  • windkws.com
  • windmws.com
  • winlows.com
  • windgws.com
  • wildows.com
  • wintows.com
  • wijdows.com
  • wiodows.com
  • wifdows.com
  • wndows.com
  • wkndows.com
  • wmndows.com

No inherent authentication

Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses attempting to contact ntp.windows.com. By default, Windows machines connect to this domain once a week to check whether the time on the device clock is correct. What the researcher found next was even more astonishing.

“The NTP client for Windows OS has no inherent authentication, and there’s nothing stopping a malicious person from telling all these computers that it’s Tuesday, January 19, 2038 at 03:14:07 and wreaking unknown havoc as the 32-bit integer used for timekeeping overflows,” he writes in a post summarizing his findings. “However, it seems that for ~30% of these computers it will make little or no difference to the users, because their clock is already broken.”

The researcher observed machines trying to connect to other windows.com subdomains, including sg2p.wswindows.com, client.wns.windows.com, skydrive.wns.windows.com, windows.com/stopcode, and windows.com/?fbclid.

Remy said that not all of the domain lookups were due to bitflips. In some cases they were caused by typing errors by the people behind the keyboard, and in at least one case the keyboard was on an Android device being used to diagnose a blue-screen-of-death crash on a Windows machine.

To capture the traffic that devices sent to the mistyped domains, Remy rented a virtual private server and created wildcard DNS records pointing to it. Wildcard records direct traffic for any subdomain of the same domain – for example, ntp.whndows.com, abs.xyz.whndows.com or client.wns.whndows.com – to the same IP address.

“Because of the nature of this research, which deals with flipped bits, I can capture any DNS lookup for a windows.com subdomain where multiple bits have been flipped.”

Remy said he was willing to transfer the fourteen domains to a “truly responsible party” and in the meantime was simply sinkholing them, meaning he would hold the addresses and set the DNS records so that they were unreachable.

“Hopefully it spurs more research”

I asked Microsoft representatives whether they were aware of the findings and of the offer to transfer the domains. The representatives are working on a response. In the meantime, readers should remember that the threats the research identifies are not limited to Windows.

In a 2019 presentation at the Kaspersky Security Analyst Summit, for example, researchers from security firm Bishop Fox achieved some striking results after registering hundreds of variations of skype.com, symantec.com, and other frequently visited websites.

Remy said the findings are important because they suggest that bitflip-induced domain mix-ups occur on a larger scale than many people realized.

“Previous research has been mainly about HTTP/HTTPS, but my research shows that even with a small handful of bitsquat domains, you can still siphon misdirected traffic from other standard network protocols that are constantly running, such as NTP,” Remy said in an instant message. “Hopefully, it spurs more research in this area, as it relates to the threat model of standard OS services.”
