Massive DNS poisoning attacks under way in Brazil

A massive DNS poisoning attack is under way in Brazil, Kaspersky reports

DNS cache poisoning, to give the attack methodology its correct term, is a security or data integrity compromise in the Domain Name System (DNS) and occurs when data is introduced into a DNS name server's cache database that did not originate from authoritative sources.

Because a domain name server translates a domain name (e.g. www.infosecurity-magazine.com) into an IP address that internet hosts use to contact IP resources, if a DNS server is poisoned, it will return an incorrect IP address, diverting traffic to another computer.
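A defender-side check that follows from the definition above, added here as an example rather than code from the article or from Kaspersky: compare the A records a resolver hands back against known-good address ranges for the sites the article names, and flag unrelated names that all collapse onto one address, which is what a poisoned cache redirecting traffic to a single attacker host looks like. The domain list, the prefixes (RFC 5737 documentation ranges) and the answer lines are all constructed.

```python
import ipaddress

# Constructed allow-list: expected address ranges for the sites named in the
# article. The prefixes are RFC 5737 documentation ranges used as placeholders,
# not the sites' real addresses.
EXPECTED_PREFIXES = {
    "www.youtube.com": ("203.0.113.0/24",),
    "mail.google.com": ("203.0.113.0/24",),
    "www.uol.com.br": ("198.51.100.0/24",),
    "www.terra.com.br": ("198.51.100.0/24",),
    "www.globo.com": ("198.51.100.128/25",),
}

# Constructed resolver output, one "name ttl IN A address" line per answer,
# in the style of `dig +noall +answer` against the ISP's recursive resolver.
SAMPLE_ANSWERS = """\
www.youtube.com.   300  IN  A  203.0.113.10
mail.google.com.   300  IN  A  203.0.113.25
www.uol.com.br.    60   IN  A  192.0.2.77
www.terra.com.br.  60   IN  A  198.51.100.9
www.globo.com.     60   IN  A  198.51.100.200
www.globo.com.     60   IN  A  192.0.2.77
"""

def parse_answers(text):
    """Yield (name, address) pairs from A records; ignore any other lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "A":
            yield fields[0].rstrip(".").lower(), ipaddress.ip_address(fields[4])

def find_suspect_answers(text, expected=EXPECTED_PREFIXES):
    """Return (name, address) answers lying outside every expected prefix."""
    suspects = []
    for name, addr in parse_answers(text):
        prefixes = expected.get(name)
        if prefixes is None:
            continue  # name not covered by the allow-list; nothing to compare
        if not any(addr in ipaddress.ip_network(p) for p in prefixes):
            suspects.append((name, str(addr)))
    return suspects

def shared_suspect_addresses(suspects):
    """Map each suspect address to the names that resolve to it, keeping only
    addresses shared by more than one name (the redirection pattern)."""
    by_addr = {}
    for name, addr in suspects:
        by_addr.setdefault(addr, set()).add(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}
```

Run the two functions over each resolver's answers on a schedule; a single unexpected address is worth a look, while several popular names sharing one unexpected address is the signature the article describes.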

According to Fabio Assolini, a Kaspersky Lab threat expert, these Brazilian attacks have seen users being redirected to install malware before connecting to a number of popular sites. Some incidents, he said, have also featured attacks on network devices, where routers or modems are compromised remotely.

So why Brazil? Assolini said that the country has some major ISPs, with around 73 million computers connected to the Internet and the largest ISPs averaging 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge, he noted.

“Last week Brazil’s web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol, Terra and Globo. In all cases, users were asked to run a malicious file as soon as the website opened”, he wrote in his latest security posting.

After monitoring one user's computer, Assolini said that the user was told: 'To access the new Google.com you need to install Google Defence'.

The site asks the customer to download and install the so-called 'Google Defence' software, supposedly required to use the search engine. As you might expect, Kaspersky's threat researcher says the file is really a banking trojan that exploits CVE-2010-4452 to run arbitrary code on an old installation of the JRE.

Assolini noted that last week saw Brazil’s Federal Police arrest a 27-year-old employee of a medium-sized ISP in the south of the country. He was, Assolini noted, accused of participating in this malicious scheme.

“Over a 10-month period he had changed the DNS cache of the ISP, redirecting all users to phishing websites. We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country”, he concluded.
