Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 into a 1 or vice versa. Cosmic rays and fluctuations in power or temperature are the most common natural causes. A 2010 study estimated that a computer with 4GB of standard RAM has a 96 percent chance of experiencing a bitflip within three days.
An independent researcher recently showed how bitflips can come back to bite Windows users when their PC connects to Microsoft’s Windows.com domain. Windows devices do this regularly to perform actions such as making sure the time displayed in the computer clock is correct, connecting to Microsoft’s cloud-based services, and recovering from crashes.
Remy, as the researcher asked to be called, mapped out the 32 valid domain names that were one bitflip away from windows.com. He provided the following to help readers understand how these flips might cause the domain to change to whndows.com:
|w|i|n|d|o|w|s|
|w|h|n|d|o|w|s|
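The enumeration Remy describes, as an added example that is not part of the original article: it flips each bit of each byte of the "windows" label, keeps only results that are still legal hostname characters, and discards case-only flips (bit 5 of ASCII), because DNS is case-insensitive. The hostname alphabet and the rule that the TLD is left untouched are assumptions of this example.

```python
# Added example (not the article's or Remy's code): list the labels one
# bitflip away from a DNS label. Assumes the hostname alphabet [a-z0-9-]
# and that a flip producing the same label in a different case is not a
# distinct domain.

VALID = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def bit_flip_variants(label: str) -> list[str]:
    """Return every distinct label reachable by flipping one bit of one byte."""
    variants = set()
    for pos, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped.lower() not in VALID:
                continue  # control char, punctuation, '.', or a byte >= 0x80
            candidate = label[:pos] + flipped.lower() + label[pos + 1:]
            if candidate == label:
                continue  # case-only change (bit 5): same domain name
            if candidate.startswith("-") or candidate.endswith("-"):
                continue  # a label may not begin or end with a hyphen
            variants.add(candidate)
    return sorted(variants)


def hamming_distance(a: str, b: str) -> int:
    """Count the bits that differ between two equal-length ASCII strings."""
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def bit_pattern(s: str) -> str:
    """Render a string as space-separated 8-bit ASCII patterns."""
    return " ".join(f"{ord(c):08b}" for c in s)


if __name__ == "__main__":
    # 'i' (01101001) and 'h' (01101000) differ only in the lowest bit.
    print(bit_pattern("windows"))
    print(bit_pattern("whndows"))
    for v in bit_flip_variants("windows"):
        print(f"{v}.com  (bits differing from windows: "
              f"{hamming_distance('windows', v)})")
```

Running it yields exactly the 32 single-flip labels the article counts, including whndows; the flip of 'n' to '.' is excluded because it does not produce a registrable name.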
Of the 32 bit-flipped values that were valid domain names, Remy discovered that 14 were still for sale. This was surprising because Microsoft and other companies normally buy these types of one-off domains to protect customers from phishing attacks. He bought them for $126 and set out to see what would happen. The domains were:
No inherent verification
Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses trying to contact ntp.windows.com. By default, Windows machines connect to this domain once a week to verify that the time displayed on the device clock is correct. What the researcher discovered next was even more surprising.
“The NTP client for Windows OS has no inherent authenticity verification, so there’s nothing to stop a malicious person from telling all these computers it’s after 03:14:07 on Tuesday, January 19, 2038, and wreaking unknown havoc as the memory that the signed 32-bit integer for time lapses,” he wrote in a post summarizing his findings. “However, it turns out that for ~30% of these computers, that would make little to no difference to those users, because their clocks are already broken.”
The researcher observed machines attempting to connect to other windows.com subdomains, including sg2p.wswindows.com, client.wns.windows.com, skydrive.wns.windows.com, windows.com/stopcode, and windows.com/?fbclid.
Remy said not all domain mismatches were the result of bitflips. In some cases, the mismatches were caused by typos from the person behind the keyboard, and in at least one case that keyboard was on an Android device, which was being used to look up a blue-screen-of-death crash that had occurred on a Windows machine.
To capture the traffic devices sent to the mismatched domains, Remy rented a virtual private server and created wildcard DNS records for the domains pointing to it. A wildcard record allows traffic destined for any subdomain of the same domain, for example ntp.whndows.com, abs.xyz.whndows.com, or client.wns.whndows.com, to be mapped to the same IP address.
“Due to the nature of this bit-reversing research, this allows me to capture any DNS lookup for a windows.com subdomain where multiple bits are flipped.”
Remy said he is willing to hand over the 14 domains to a “verifiable responsible party”. In the meantime, he’ll sinkhole them, meaning he’ll keep holding the domains but configure their DNS records so that the addresses are unreachable.
“Hopefully this will lead to more research”
I asked Microsoft representatives if they were aware of the findings and the offer to move the domains. The representatives are working on a response. Readers should remember, however, that the threats the research identifies are not limited to Windows.
For example, in a 2019 presentation at the Kaspersky Security Analysts Summit, researchers from security firm Bishop Fox obtained some eye-opening results after registering hundreds of bitflipped variants of skype.com, symantec.com and other highly-visited sites.
Remy said the findings are important because they suggest that bitflip-induced domain mismatches occur on a scale higher than many people realized.
“Previous research has mainly focused on HTTP/HTTPS, but my research shows that, even with a small handful of bitsquatted domains, you can still offload bad-destined traffic from other standard network protocols that are constantly running, such as NTP,” Remy said in a direct message. “Hopefully this will lead to more research in this area related to the threat model of standard OS services.”
Update: Many commenters have pointed out that there is no way to be sure that the visits to his domain were the result of bitflips. Typos can also be the cause. Regardless, the threat to end users remains the same.
Update 2: The Microsoft representatives didn’t answer my questions, but they did say, “We are aware of industry-wide social engineering techniques that can be used to redirect some customers to a malicious website.”