
Bitflips are events that cause individual bits stored in an electronic device to be inverted, changing from 0 to 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common natural causes. A 2010 study estimated that a computer with 4 GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days.
An independent researcher recently demonstrated how bitflips can come back to harm Windows users when their PCs access Microsoft’s windows.com domain. Windows devices do this regularly to perform actions such as checking that the time displayed on the computer’s clock is correct, connecting to Microsoft’s cloud-based services, and recovering from crashes.
Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that are a single bitflip away from windows.com. He provided the following to help readers understand how one such inversion turns the domain into whndows.com:
01110111 | 01101001 | 01101110 | 01100100 | 01101111 | 01110111 | 01110011 |
---|---|---|---|---|---|---|
w | i | n | d | o | w | s |

01110111 | 01101000 | 01101110 | 01100100 | 01101111 | 01110111 | 01110011 |
---|---|---|---|---|---|---|
w | h | n | d | o | w | s |

Only the lowest bit of the second byte differs (0x69, "i", becomes 0x68, "h"); every other character is unchanged.
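To show where the figure of 32 comes from, here is an added example (not the researcher's own tooling) that enumerates every single-bit flip of a DNS label and keeps only the ones that are still a valid, distinct label. The rules it applies are assumptions stated in the comments: a-z, 0-9 and "-" are the only allowed characters, a flip to an uppercase letter is the same name because DNS is case-insensitive, and a flip that produces "." is excluded because it splits the name into a different label structure rather than a sibling domain. Only the second-level label is flipped; ".com" is left alone.

```python
"""Enumerate single-bit-flip ("bitsquat") variants of a DNS label.

Added example, not the researcher's code. With the rules below it yields
exactly the 32 valid bitsquats of "windows" quoted in the article.
"""
import string

# Assumed character set for a hostname label (RFC 1123 letters, digits, hyphen).
VALID = set(string.ascii_lowercase + string.digits + "-")


def bitflip_variants(label):
    """Return {variant: (byte_position, bit_index)} for every single-bit flip
    of `label` that is still a syntactically valid, distinct DNS label.

    Flips that yield an uppercase letter are dropped (DNS is case-insensitive,
    so "wIndows" is the same name). Flips that yield '.', '/', '~', a control
    byte or a byte >= 0x80 are dropped: the result is not the same single
    ASCII label.
    """
    label = label.lower()
    variants = {}
    for pos, byte in enumerate(label.encode("ascii")):
        for bit in range(8):
            ch = chr(byte ^ (1 << bit))
            if ch not in VALID:
                continue
            candidate = label[:pos] + ch + label[pos + 1:]
            # A label may not begin or end with a hyphen.
            if candidate.startswith("-") or candidate.endswith("-"):
                continue
            if candidate == label:
                continue
            variants[candidate] = (pos, bit)
    return variants


def bitsquat_domains(domain):
    """Bitsquats of the second-level label only: 'windows.com' -> 'whndows.com', ..."""
    label, _, rest = domain.lower().partition(".")
    return {f"{v}.{rest}": flip for v, flip in bitflip_variants(label).items()}


if __name__ == "__main__":
    squats = bitsquat_domains("windows.com")
    print(len(squats))  # 32
    for name in sorted(squats):
        pos, bit = squats[name]
        print(f"{name:14} byte {pos} ('{'windows'[pos]}') bit {bit} flipped")
```

Running it lists all 32 names; the 14 that Remy bought are a subset, and each maps back to the byte and bit position that produced it (whndows.com is byte 1, bit 0).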
Of the 32 bit-inverted values that were valid domain names, Remy found that 14 were still available for purchase. This was surprising because Microsoft and other companies typically buy these kinds of look-alike domains to protect customers from phishing attacks. He bought them for $126 and started watching what would happen. The domains were:
- windnws.com
- windo7s.com
- windkws.com
- windmws.com
- winlows.com
- windgws.com
- wildows.com
- wintows.com
- wijdows.com
- wiodows.com
- wifdows.com
- whndows.com
- wkndows.com
- wmndows.com
No inherent verification
Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once a week to verify that the time displayed on the device’s clock is correct. What the researcher found next was even more surprising.
“The NTP client for Windows OS has no inherent authenticity check, so there is nothing to stop a malicious person from telling all of these computers that it is after 3:14:07 AM on Tuesday, January 19, 2038 and causing unknown damage as the memory that stores the signed 32-bit integer for time overflows,” he wrote in a post summarizing his findings. “It turns out that for about 30% of these computers, doing so would make little or no difference to users, because their clock is already broken.”
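To make the lack of an authenticity check concrete, here is an added example (not the researcher's code) that builds an RFC 5905 server reply the way a rogue host answering ntp.whndows.com could, then parses it the way a naive client would. The packet is constructed in memory; nothing is sent. Two details the paragraph does not spell out are visible in the code: the base NTP header carries no signature or MAC unless a pre-shared key has been configured on both sides, and NTP's own 32-bit seconds field wraps in 2036, so a 2038 timestamp arrives in "era 1" and the client, not the server, decides which era it is in. The `client_now` value and the timestamps are assumptions for the demonstration; the example does not model sanity limits such as W32Time's MaxPosPhaseCorrection and MaxNegPhaseCorrection registry values, which can cap how far one sync is allowed to move the clock.

```python
"""Build and parse an RFC 5905 NTP packet to show what an unauthenticated
client actually has to go on.

Added example, not the researcher's code. The rogue-server reply is a
constructed packet; no network traffic is generated.
"""
import struct
from datetime import datetime, timezone

NTP_HEADER = "!BBBbIIIQQQQ"      # 48-byte header: no extension fields, no MAC
NTP_UNIX_DELTA = 2208988800       # seconds from 1900-01-01 to 1970-01-01
INT32_MAX = 2 ** 31 - 1           # 2038-01-19T03:14:07Z as a signed 32-bit time_t


def unix_to_ntp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point).

    The seconds field is 32 bits wide and wraps on 2036-02-07, so a time in
    2038 is sent modulo 2**32 (NTP era 1).
    """
    secs = (unix_seconds + NTP_UNIX_DELTA) & 0xFFFFFFFF
    return secs << 32             # zero fractional part


def ntp_to_unix(ntp_ts, client_now):
    """Decode a 64-bit NTP timestamp, choosing the era nearest the client's
    own clock. The era is not on the wire; the client has to guess it.
    """
    secs = ntp_ts >> 32
    candidates = [secs + era * 2 ** 32 - NTP_UNIX_DELTA for era in (0, 1, 2)]
    return min(candidates, key=lambda t: abs(t - client_now))


def build_server_reply(transmit_unix, stratum=1, ref_id=b"GPS\x00"):
    """A mode-4 (server) reply claiming stratum 1. Nothing in these 48 bytes
    is verifiable without a pre-shared key: whoever answers the name wins.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 4      # LI=0, NTPv4, mode 4 (server)
    ts = unix_to_ntp(transmit_unix)
    return struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20,
                       0, 0, int.from_bytes(ref_id, "big"),
                       ts,      # reference timestamp
                       0,       # origin timestamp (copied from the request)
                       ts,      # receive timestamp
                       ts)      # transmit timestamp


def parse_reply(packet, client_now):
    """Return (mode, stratum, transmit_unix) as a trusting client sees it."""
    fields = struct.unpack(NTP_HEADER, packet[:48])
    mode = fields[0] & 0x07
    stratum = fields[1]
    return mode, stratum, ntp_to_unix(fields[10], client_now)


def overflows_signed_32(unix_seconds):
    """True if the time no longer fits a signed 32-bit time_t."""
    return unix_seconds > INT32_MAX


if __name__ == "__main__":
    # Assumed client clock: 2021-03-01T00:00:00Z.
    client_now = int(datetime(2021, 3, 1, tzinfo=timezone.utc).timestamp())
    rogue_time = INT32_MAX + 1            # 2038-01-19T03:14:08Z
    mode, stratum, t = parse_reply(build_server_reply(rogue_time), client_now)
    print(mode, stratum, datetime.fromtimestamp(t, timezone.utc).isoformat(),
          "overflows int32:", overflows_signed_32(t))
```

The takeaway for a defender is that the only protection is upstream of the packet: the client must reach the right server name and address, which is exactly what a bitsquatted domain subverts.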
The researcher observed machines trying to make connections to other windows.com subdomains and paths, including sg2p.wswindows.com, client.wns.windows.com, skydrive.wns.windows.com, windows.com/stopcode and windows.com/?fbclid.
Remy said that not all of the domain mismatches were the result of bitflips. In some cases they were caused by typos made by humans behind the keyboard, and in at least one case the keyboard was on an Android device whose user was trying to diagnose a fatal blue screen error on a Windows machine.
To capture the traffic devices sent to the mismatched domains, Remy rented a virtual private server and created wildcard DNS entries pointing to it. A wildcard record allows traffic destined for any subdomain of the same domain, say ntp.whndows.com, abs.xyz.whndows.com or client.wns.whndows.com, to be mapped to the same IP address.
“Due to the nature of this search that deals with bits being inverted, this allows me to capture any DNS lookups for a subdomain of windows.com where several bits have been inverted.”
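Once a wildcard zone is answering, the next job is triage: which captured lookups are genuine bitflips and which are typos or something else? The following added example (not the researcher's tooling) does that over a handful of constructed log entries shaped like what such a sinkhole would see. It strips the subdomain labels, compares the second-level label to the real one byte by byte, and buckets the name by how many bits differ; the sample query names and client addresses are invented for the demonstration.

```python
"""Triage DNS lookups captured at a wildcard sinkhole: single-bit flip of
the real domain, exact match, or typo/other?

Added example, not the researcher's code. SAMPLE_QUERIES is constructed
sample data, not real captured traffic.
"""

REAL_LABEL = "windows"

# Constructed sample (client IP, queried name); addresses are documentation ranges.
SAMPLE_QUERIES = [
    ("203.0.113.10", "ntp.whndows.com"),
    ("203.0.113.11", "client.wns.wkndows.com"),
    ("198.51.100.7", "skydrive.wns.windo7s.com"),
    ("198.51.100.9", "windkws.com"),
    ("192.0.2.44", "wimdows.com"),   # 'n' (0x6e) vs 'm' (0x6d): two bits differ
    ("192.0.2.45", "widows.com"),    # dropped letter: a typo, not a bitflip
    ("192.0.2.46", "windows.com"),   # exact
    ("203.0.113.10", "ntp.whndows.com"),  # repeat from the same client
]


def bit_distance(a, b):
    """Hamming distance in bits between two ASCII labels; None if lengths differ."""
    if len(a) != len(b):
        return None
    return sum(bin(x ^ y).count("1") for x, y in zip(a.encode(), b.encode()))


def second_level_label(qname):
    """'client.wns.whndows.com' -> 'whndows' (the label just left of the TLD)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(qname, real_label=REAL_LABEL):
    """'exact', 'bitflip' (exactly one bit differs) or 'typo/other'."""
    d = bit_distance(second_level_label(qname), real_label)
    if d == 0:
        return "exact"
    if d == 1:
        return "bitflip"
    return "typo/other"


def triage(queries, real_label=REAL_LABEL):
    """Bucket (ip, qname) pairs into {category: sorted unique query names}."""
    buckets = {"exact": set(), "bitflip": set(), "typo/other": set()}
    for _ip, qname in queries:
        buckets[classify(qname, real_label)].add(qname)
    return {k: sorted(v) for k, v in buckets.items()}


def unique_clients(queries):
    """Count distinct source addresses, the figure the article reports per domain."""
    return len({ip for ip, _qname in queries})


if __name__ == "__main__":
    for category, names in triage(SAMPLE_QUERIES).items():
        print(f"{category:10} {names}")
    print("unique clients:", unique_clients(SAMPLE_QUERIES))
```

Names with two or more differing bits are not impossible bitflips, but a single flip is by far the most likely hardware event, so a distance of 1 is the useful threshold before looking at the rest by hand.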
Remy said he is willing to transfer the 14 domains to a “demonstrably responsible party” and that in the meantime he will simply sinkhole them, meaning he will keep the registrations and configure the DNS records so that the domains are inaccessible.
“I hope this generates more research”
I asked Microsoft representatives if they are aware of the findings and the offer to transfer the domains. Representatives are working to get an answer. Readers should remember, however, that the threats this research identifies are not limited to Windows.
In a 2019 presentation at the Kaspersky Security Analyst Summit, for example, researchers at the security firm Bishop Fox obtained some surprising results after registering hundreds of bitflip variations of skype.com, symantec.com and other widely visited sites.
Remy said the findings are important because they suggest that bitflip-induced domain mismatches occur on a larger scale than many people imagined.
“Previous research has dealt primarily with HTTP/HTTPS, but my research shows that even with a small handful of bitsquatted domains you can still divert misdirected traffic from other standard network protocols that are constantly running, such as NTP,” Remy said in a direct message. “Hopefully this generates more research in this area with regard to the threat model of default operating system services.”