According to security researcher Ax Sharma, a cyber analyst was able to “bit squat” Microsoft’s windows.com domain by cybersquatting variations of windows.com.

This technique differentiates itself from cases where typosquatting domains are used for phishing activities in that it expects no action on the victim’s part. Impossible as it may sound, this is a result of a concept commonly known as bit-flipping.

To have a clear understanding of what actually happened, we need to define the two terms.

A bit-flipping attack is an attack on a cryptographic cipher in which the attacker can change the ciphertext in such a way as to result in a predictable change of the plaintext, although the attacker is not able to learn the plaintext itself. This type of attack is not—directly—against the cipher itself (as cryptanalysis of it would be), but against a particular message or series of messages. In the extreme, this could become a Denial-of-service attack against all messages on a particular channel using that cipher.

initialization vector heimdal security


A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering and is operating system and architecture agnostic.

Security engineer and blogger Remy noticed that out of the 32 valid domain names which were 1-bitflip permutations of windows.com, 14 were unregistered, and therefore available. Seeing that multiple such alterations of windows.com were possible, he put together a list of “bit flipped” domains.

This is a rather odd occurrence as usually these are bought up by a company like Microsoft to prevent their use for phishing attempts. So, I bought them. All of them. For ~$126.

  • windnws.com
  • windo7s.com
  • windkws.com
  • windmws.com
  • winlows.com
  • windgws.com
  • wildows.com
  • wintows.com
  • wijdows.com
  • wiodows.com
  • wifdows.com
  • whndows.com
  • wkndows.com
  • wmndows.com

While it may seem fair to ignore the concept of bitsquatting as a theoretical concern, researchers have previously noticed a decent success rate of these attacks.

In a Black Hat paper, titled “Bit-squatting DNS Hijacking without Exploitation”, security engineer Artem Dinaburg wrote:

During the logging period, there were a total of 52,317 bit squat requests from 12,949 unique IP addresses. When not counting 3 events that caused extraordinary amounts of traffic, an average of 59 unique IPs per day made HTTP requests to my 32 bit squat domains. These requests were not typos or other manually entered URLs, and some show signs of several bit errors.

Similarly, when Remy squatted the previously mentioned domains and setup sinkholes to record any traffic, he noticed an uptick in legitimate traffic destined to windows.com. Additionally, the researcher was also able to capture UDP traffic destined for Microsoft’s time server, time.windows.com, and TCP traffic meant to reach Microsoft’s services such as Windows Push Notification Services (WNS) and SkyDrive. While it is beyond belief that people would change their time servers to a misspelled windows.com domain, Remy outlines that there is no empirical method to prove that traffic came from bitsquatting.

Unfortunately, the fact that bitsquatting attacks remain practical to accomplish is problematic as malicious actors could create a lot of security problems for applications if their actions are successful.

Leave a Reply

Your email address will not be published. Required fields are marked *